Top EU data cop cutback threat triggers EU complaint

The Irish Data Protection Commission – the top privacy governor across the EU – will be forced to make cutbacks in systems, technology and external legal advisory services – following the Irish Government’s decision to increase its budget by €1.6m (£1.3m) compared to the €5.9m (£4.9m) it was seeking.

That is the crux of a complaint to the European Commission by privacy expert Daragh O’Brien, managing director of data governance and ethics company Castlebridge, filed in response to the shortfall.

The move comes amid claims made by the German regulator that the Irish DPC is overwhelmed with the task of regulating big tech, needs more resources and should accept outside help.

The DPC’s overall budget of €16.9 (£14m) is dwarfed by the UK Information Commissioner’s Office which has £60m to play with and does not directly rule the tech businesses which have their European HQs in Ireland, including Apple, Amazon, Google, Facebook, eBay, PayPal, LinkedIn, Twitter, Salesforce.com, Intel and Oracle.

O’Brien said: “The impact of this is simple. The DPC will not be in a position to do all the things the office had identified needed to be done to ensure they can execute their functions effectively. This includes the development of a Five Year Regulatory Strategy, internal staff training and development, and the development of supports and tools for data protection officers.”

He added that a proportion of the increase will immediately be consumed simply through covering the cost of pay increments for the current DPC staff, before another person is hired, trained, accommodated, and equipped to do their job.

“The DPC has grown from an Office where everyone was sitting in the one room to an office with staff in multiple locations in Dublin, in addition to their office in Portarlington. They are encumbered by legacy IT systems that are currently managed as part of the Department of Justice IT estate for various historic reasons.

“I have personally experienced the challenges of trying to send client documents to the DPC or share documentation with them only to find “computer says no” due to file size restrictions and the inability to manage basic file sharing capabilites. For email and case management they are using the same basic technology I began my career administering in a telco back in 1997.”

O’Brien insists he is complaining to Brussels because it is their function to oversee how member states are implementing EU law. He added: “Article 52 of GDPR and Article 42 of the Law Enforcement Directive require states to ensure the independence of data protection supervisory authorities.”

Meanwhile, at a meeting of European regulators last week, Germany’s federal data commissioner Ulrich Kelber likened Ireland’s approach to regulating Facebook with the go-slow approach of Germany’s automotive regulator on diesel emissions fraud.

Kelber’s main complaint centres on a lack of rulings from the DPC since GDPR came into force in May 2018.

“None of the cross-border cases under new data protection rules have been addressed,” Kelber told The Irish Times. “This touches largely on cases where the headquarters of the company is in Ireland – but not only. [They] clearly need better financing and more staff.”

The German regulator insisted this was not a personal attack on the Irish Commissioner Helen Dixon, but a criticism of the professional performance of a body “insufficiently equipped for its task”.

Despite this claims, last week the DPC carried out its first raid of Facebook offices in Dublin and put the kibosh on the launch of Facebook Dating in the EU. It also recently launched statutory investigations into Tinder and Google.

All in all, the Irish regulator has over two dozen statutory GDPR inquiries into multinational tech giants; more than half relate to Facebook, eight directly focus on the main site, two for WhatsApp and one into Instagram. It also has three probes into Apple, and one each into LinkedIn, Quantcast, Verizon and Tinder. In total, it more than 65 official investigations under way.

A decision on whether Facebook’s WhatsApp violated GDPR laws is imminent.