Ireland’s failure to enforce EU law against Big Tech is slowing down Europe’s GDPR enforcement

The news: Ireland is failing to apply the European Union’s (EU) privacy laws on Big Tech companies: The regulator has left still unresolved 98% of 164 complaints against significant privacy abuses, per Ars Technica. Ireland’s poor record of privacy enforcement is adversely affecting the rest of the EU, which is waiting on it before taking action on other complaints against Big Tech.

  • Johnny Ryan, senior fellow at the Irish Council for Civil Liberties (ICCL), said Ireland was the “worst bottleneck” for enforcement of the EU’s General Data Protection Regulation (GDPR). The ICCL is calling on the European Commission to intervene and warns that GDPR is “silently failing.”
  • Apple, Facebook, Google, Microsoft, and Twitter all have European headquarters in Dublin, making Ireland’s Data Protection Commissioner (DPC) the lead regulator responsible for holding these companies accountable.
  • The Irish DPC has faced criticism by privacy campaigners and countries, including France, Spain, and Italy, for its glacial pace of action on privacy complaints. 

More on this: “GDPR enforcement against Big Tech is paralyzed by Ireland’s failure to deliver draft decisions on cross-border cases,” Ryan added. The Irish regulator’s reticence to police Big Tech is causing a ripple effect, slowing down enforcement in other European countries.

  • The rest of the EU has to wait for Irish draft decisions before they are able to take their own action against the companies.
  • The Irish Parliament published a report in July calling for reform of the Irish DPC, and urging it to start enforcing the GDPR. 
  • Germany reportedly forwarded more than 50 complaints about Facebook’s WhatsApp to the Irish authorities, “none of which had been closed to date,” said Ulrich Kelber, Germany’s chief data protection watchdog.

What’s next? While Irish regulators are being criticized for their failure to address mounting complaints against Big Tech, the bottleneck also reveals weaknesses in overall GDPR enforcement. Namely, responsibility for regulation falls on a handful of countries, some of which may not be equipped or inclined to hold Big Tech companies to the law. 

  • 70% of the total complaints in the EU end up in France, Germany, Ireland, Luxembourg, Netherlands, Spain, and Sweden.

Measures are in place to circumvent Ireland’s inactivity—including initiating GDPR-related investigations under specific circumstances—but these could take time and further prolong the process.