The Irish Data Protection Commissioner has finally issued its first ruling under GDPR, but anyone hoping for a shot over the bows of Google or Facebook has been left disappointed, with the regulator’s own government the first to be whacked.
The decision – which sees child and family agency Tusla slapped with a €75,000 (£67,000) penalty for three cases where information about children was wrongly disclosed to unauthorised parties – has been disclosed in a Circuit Court filing.
The irony will not be lost on some, however, as the Irish DPC is currently in dispute with the Irish government over its funding.
Late last year, the Taoiseach was slammed for increasing the regulator’s budget by just €1.6m (£1.3m) to €16.9m (£14m), compared to the €5.9m (£4.9m) it was seeking. By comparison the UK’s Information Commissioner’s Office has a budget of £50m.
The funding row has even triggered a complaint to the European Commission by privacy expert Daragh O’Brien, managing director of data governance and ethics company Castlebridge, who claims the regulator will be forced to make cutbacks in systems, technology and external legal advisory services.
However, when it comes to the Tusla ruling, O’Brien is less criticial. He tweeted: “1) Perhaps this was a clear cut case with a quick fact find while others are more complex. 2) Perhaps Tusla put their hands up pretty quickly and accepted fault without disputing fact-find while others are more complex. 3) Perhaps it’s only Monday. The week is young.”
He added: “[The Irish DPC] does need to move things faster, but faster with poor process means disaster. And enforcement decisions are done when they are done… should all cases be backed up waiting for the more complex ones to finish? Would that make a regulator more effective?
“I say: take wins as they come. Celebrate that DPC is starting to act. Recognise that the procedural logjam seems to be moving. At long last. Their case triage is still shite, resourcing (quality and quantity) still need to be improved, and much more. But I’ll applaud action.”
Whether the Germans will be quite so forgiving is another matter. Back in February, at a meeting of European regulators, Germany’s federal data commissioner Ulrich Kelber said that Ireland’s inaction against the tech giants was “unbearable”.
More recently the Hamburg data authority ratcheted up the attack, claiming the “one-stop shop” model which makes Ireland the top regulator for GDPR across the EU is flawed.
At the last count, the regulator had 65 official investigations under way, with over two dozen statutory GDPR inquiries into multinational tech giants. More than half relate to Facebook and its WhatsApp and Instagram subsidiaries. It also has three probes into Apple, and one each into LinkedIn, Quancast, Verizon and Tinder.
Rulings against WhatsApp and Twitter have been “imminent” for months.
Privacy campaigner Max Schrems, who has been battling with the Irish DPC for years to get it to clamp down on Facebook, seems in little doubt as to where the blame lies.
He tweeted: “Just in time for the 2nd anniversary of the #GDPR the @DPCIreland dropped publicly that it *will* issue the first GDPR fine – not against Facebook, WhatsApp, Apple, LinkedIn, Instagram (…), but against the state child care agency. #Enforcewhat?”
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise
Top EU data cop cutback threat triggers EU complaint
WhatsApp and Twitter facing first major GDPR rulings
Irish raid forces Facebook to dump dating app launch
Now Google faces fresh GDPR probe into location data
Swipe out: Irish regulator probes Tinder GDPR breach
Irish data regulator launches inquiry into adtech giant
2019 Review of the Year: Why it’s crunch time for GDPR