Meta, the parent company of Facebook, was recently fined € 17 million for data breaches. The Irish Data Protection Commission (hereinafter: DPC) had started an inquiry on its own initiative, analyzing a series of 12 data breach notifications from the latter half of 2018. The inquiry aimed to establish whether Meta Platforms Ireland Ltd had complied with the ‘integrity and confidentiality’ principle, the accountability principle, and the requirements regarding the data controller’s responsibility and the security of processing. The DPC concluded that Meta had infringed the principle of accountability and breached its duties as a data controller. Meta had failed to demonstrate that it had put in place appropriate technical and organizational measures to ensure GDPR compliance in the 12 reported cases. This blog post will examine the Irish DPC’s recent cases and offer a brief overview of the criticism it has received.
Like many other Internet giants, Meta has its European headquarters in Ireland due to the country’s low 12.5 % corporate tax rate. Attracting major technology companies to base their business in Ireland has made the country a powerful regulator in the data protection field, and the Irish DPC the leading watchdog for privacy in Europe. The abovementioned case is only one of many significant decisions announced by the DPC. In 2021, the DPC issued a fine of € 225 million to WhatsApp for failing to provide relevant information to WhatsApp users and the contacts of users, as well as failing to provide accessible privacy information and failing to comply with the transparency principle. The Irish DPC is also the driving force behind the Max Schrems cases that consecutively invalidated the adequacy decisions allowing transatlantic data transfers. Thus, the DPC may seem like an active enforcer of the GDPR, consistently making headlines.
However, the Irish DPC has long struggled with accusations from privacy activists of not being tough enough on US technology companies. Whistleblower Frances Haugen claimed that Ireland’s economic benefits from hosting tech giants get in the way of regulating their activities and enforcing the GDPR to its full extent. Věra Jourová, the Vice President of the European Commission, threatened that the GDPR might require adjustments should its enforcement not be improved, ostensibly referring to the situation in Ireland. In recent months, this discontent has grown considerably worse after a series of documents suggested that the DPC has pushed for social media companies’ interests at the European level. The documents advocate for guidelines allowing social networks to monitor their users’ behaviour to personalize ads without consent. There has been a long-term push for social networking companies to have the ability to invoke a contract with the user, rather than consent, to use their data for advertisement. Other countries’ Data Protection Authorities have criticized this interpretation for undermining the system and spirit of the GDPR. A similar turn of events transpired regarding Facebook when the DPC claimed that Facebook could use data for targeting ads without consent under the pretext of performing a contract.
The Irish DPC claims that it had not lobbied on behalf of the social networks, though it failed to justify its continuous attempts to enable targeted advertising without consent. Still, despite being in the minority among European data protection authorities, the Irish DPC can continue to interpret the GDPR to serve the interests of technology giants. Ireland enjoys considerable authority in enforcing the GDPR, but it has failed to find a balance between its commercial interests and the protection of GDPR rights in Europe. In addition, the DPC has faced international criticism for its operations, sparking conversations about disciplinary procedures for the failure to maintain European privacy rights. Whatever the method, a solution must be found to get the Irish DPC to live up to its role as one of the most significant enforcers of the GDPR.