Will the appointment of more Data Protection Commissioners be enough to silence Ireland’s critics?

If the Department of Justice follows through on the process, will it make a difference to the speed and approach of the Irish regulator?

Sources close to conversations between the DPC and the Department of Justice say that the move, though widely mooted for some time, has taken the Irish regulator by surprise.

It had submitted different proposals aimed at increasing managerial staff numbers in other targeted sections. For instance, it has one deputy commissioner that takes a lead on legal and litigation issues, an increasingly burdensome role.

So it is not clear whether the provision of additional commissioners would directly fast-track processes that are currently struggling with capacity issues within the DPC office or prompt a further reorganisation of the regulatory body.

It is also not yet completely clear how serious the government is in moving on this quickly. It may simply be a way to signal to a chorus of critics that it has heard their concerns.

But on the issue of how quickly to deal with big tech cases, there is a large gap in expectation between the DPC and its fiercest critics.

Earlier this year, before an Oireachtas Committee, the anti-Facebook privacy campaigner Max Schrems used the example of Austria’s six-month rule in dealing with cases.

DPC officials have previously said that this is not possible with large cases.

They point out that when due process and rights of reply are accommodated, such cases can legitimately last two or three years.

To rush cases for the optics of it, they say, is to invite successful appeals as has happened in multiple cases dealt with by the British equivalent of the Irish DPC.

Facebook’s appeal against its €225m Whatsapp fine, for example, partially hinges on its contention that it was not afforded an adequate right of reply during part of the process, even though that case took almost three years.

There is also a gap in what the DPC’s critics think of the Irish regulator’s general approach. A handful of European regulatory officials have grumbled that Ireland’s preference for guidance is not what a policeman’s first instinct should be.

The DPC argued that its approach cuts off potential breaches on major tech launches, that then tie it up for years.

Would the appointment of one or two new commissioners please the harshest critics of the DPC? The Irish Council for Civil Liberties (ICCL) recently called for the appointment of two new commissioners. Max Schrems has called for the same.

Both have been scathing about the Irish regulator, claiming that over 90pc of cases brought before do not get effectively dealt with.

For her part, Ms Dixon has robustly defended the office, telling an Oireachtas Committee this year that much of the criticism aimed at her office by the ICCL and Mr Schrems is “far too simplistic” and “a superficial skimming of the surface”.

Ms Dixon has also rejected claims from other critics that Ireland moves slowly on regulation deliberately, because of the number of jobs that Mark Zuckerberg’s Facebook, and other tech firms, create here.

As for what the government might be thinking in expanding the DPC, details of what the new commissioner(s) might do aren’t yet clear.

Would it be to focus on a particular sector, like tech? Or a particular administrative function, such as litigation? Or would it free up some of the activities currently under-
taken by deputy commissioners?

At present, the DPC is made up of one headline Commissioner (Helen Dixon) and seven deputy commissioners. Four of those seven are focused on regulatory activity, with one each remaining for technology, legal and corporate affairs.

Under law, the government is entitled to appoint up to three full commissioners, splitting Helen Dixon’s responsibility.

Ms Dixon’s current primary role is to make decisions on investigations and inquiries that have been completed by the DPC’s investigators. At present, she is waiting on more of these completed inquiries to land on her desk, including one into Instagram and one into Google’s location tracking.

Whatever happens, it seems unlikely that criticism of the Irish office will disappear overnight. Data protection enforcement is still at a relatively early stage in Europe. With so many huge tech companies based in Ireland, an international focus will continue to rest on the Irish regulatory office.