Investigations by the Irish Data Protection Commission, the GDPR overlord for nearly every US tech company operating in the EU, are being hindered by a tech system which is so outdated it is the equivalent of trying to run a payroll system “with an abacus”.
Documents obtained by the Irish Council for Civil Liberties (ICCL) under the Freedom of Information Act reveal that a major internal IT project to enable the Irish DPC to operate effectively has been delayed for years.
Five years after announcing that it would move to the new IT system, and after having spent at least €615,000 (£540,000) on the project, the Irish DPC continues to use antiquated Lotus Notes technology, first developed over 30 years ago.
One former employee of the regulator told ICCL that using Lotus Notes to organise and handle complicated GDPR complaints and investigations is “like trying to run your payroll system with an abacus”.
According to the ICCL, the IT project has missed deadline after deadline. It is so vast that when ICCL first asked the regulator for information about it, the Irish DPC said that it would take 124 days (“988 hours”) to gather all the information about the project.
ICCL says it is concerned that the staff of the body charged with upholding data rights of all European users of Google, Facebook, and other tech giants, are unable to do so.
ICCL senior fellow Dr Johnny Ryan said: “The GDPR gives Ireland a central role in protecting data rights across the entire EU, monitoring how Google, Facebook, and others use our data. But the DPC is not configured for its digital mission.
“What we have discovered indicates that it cannot run critically important internal technology projects. How can it be expected to monitor what the world’s biggest tech firms do with our data? This raises serious questions not only for the DPC, but for the Irish Government. We have alerted the Irish Government of the strategic economic risk from failing to enforce the GDPR.”
The move is likely to pile even more pressure on the Irish DPC, which has long been criticised by both privacy groups and other EU data protection authorities (DPAs) for a perceived go-slow in tackling GDPR investigations.
At the last count, the Irish DPC had over 60 official investigations under way, with more than two dozen statutory GDPR inquiries into multinational tech giants. Over half relate to Facebook and its WhatsApp and Instagram subsidiaries. It also has three probes into Apple, and one each into LinkedIn, Quantcast, Verizon and Tinder.
Its recent ruling against Twitter, which saw the tech giant receive a €450,000 (£410,000) fine for data breach failings, caused a rift with a number of EU DPAs who argued that it was not severe enough.
Data protection experts are awaiting a decision on its latest ruling – against WhatsApp – which, like the Twitter decision, has to be approved by the other EU DPAs as it is a cross-border case.