Just hours after warnings that EU member states are putting the future of GDPR at risk by under-investing in enforcement, the Germans have ratcheted up their attack on the Irish regulator, claiming that its lack of action is the real threat.
At the heart of the issue is the “one-stop shop” model which makes Ireland – the European HQ of tech giants from Facebook, Amazon and Google to eBay, LinkedIn and Twitter – the top regulator for GDPR across the EU.
At the last count, the Irish Data Protection Commission had 65 official investigations under way, with over two dozen statutory GDPR inquiries into multinational tech giants. More than half relate to Facebook: eight focus directly on the main site, two on WhatsApp and one on Instagram. It also has three probes into Apple, and one each into LinkedIn, Quantcast, Verizon and Tinder.
However, it has yet to publish a single ruling, although it has promised imminent fines against WhatsApp and Twitter.
Back in February, at a meeting of European regulators, Germany’s federal data commissioner Ulrich Kelber likened Ireland’s approach to regulating Facebook to the go-slow approach of Germany’s automotive regulator on diesel emissions fraud. He added that Ireland’s inaction was “unbearable”, and called for a new EU-wide data authority to replace the “one-stop shop”.
Kelber later told The Irish Times: “None of the cross-border cases under new data protection rules have been addressed. This touches largely on cases where the headquarters of the company is in Ireland – but not only. [They] clearly need better financing and more staff.”
The German regulator insisted this was not a personal attack on the Irish Commissioner Helen Dixon, but a criticism of the professional performance of a body “insufficiently equipped for its task”. Dixon hit back, however, insisting that such criticism was not fair, as the cases are complicated.
But, speaking to Wired magazine, the Hamburg data authority has said: “Law enforcement without fines is toothless. Each company which is violating data protection rights must face heavy financial sanctions by fines. This heavy stick in the background only can create deterring effects against violations of law.
“European [data protection authorities] so far are falling short of a common, uniform approach regarding sanctions. While this hopefully might change in the future, the risk of permanently creating distinct regimes of supervision in different EU countries is imminent.”
“We have to redirect our approach. Especially the legal settings for law enforcement in GDPR must be reconsidered and changed. The lighthouse project of GDPR is on the verge of collapse.”