New leadership no easy fix for Irish DPC’s GDPR woes

On Feb. 20, the Irish Data Protection Commission (DPC) announced Des Hogan and Dale Sunderland had begun their five-year terms as commissioners. The duo succeeded Helen Dixon, who had been in the role for nearly a decade.

A third commissioner seat at the agency remains to be filled.

Sunderland was previously a deputy commissioner at the Irish DPC, while Hogan’s background is in human rights law.

Ireland’s Minister for Justice, Helen McEntee, said in a press statement the two new commissioners “will support an effective and well-resourced, highly skilled regulator.” The Irish DPC has a budget of 28.1 million euros (U.S. $30.3 million) and 222 staff, according to the ministry.

Such upbeat figures belie a myriad of existing problems, however. The fact two people—soon to be three—have been appointed to replace one vacated post suggests the commissioners know they start with their plates full.

The Irish DPC has not issued a major fine under the EU’s General Data Protection Regulation (GDPR) since a €345 million (then-U.S. $368 million) penalty against TikTok in September, and there are more ongoing inquiries into other Big Tech firms still trudging along, waiting to be finalized years after complaints were raised.

The logjam will only get worse. Some commentators note the GDPR’s “one-stop shop” mechanism—which bounces EU-wide complaints back to the country where the offending company is registered—means the Irish DPC is practically swamped in paperwork, relying on a legal team and budget that pales in comparison to any one of the major technology firms it oversees.

The regulator’s track record of GDPR enforcement is seen as shaky. A report issued in May 2023, around the time of the fifth anniversary of the GDPR, by the Irish Council for Civil Liberties found two-thirds of decisions issued by the Irish DPC were overturned by the European Data Protection Board, the EU’s overarching GDPR regulator.

Ireland’s culture of having a business-friendly, low-corporate-tax environment and traditionally light-touch regulatory regime might be to blame for the lackluster enforcement. On every cross-border Big Tech investigation, the Irish DPC has faced stiff opposition to what other data protection authorities (DPAs) have seen as its relatively soft treatment of alleged GDPR offenders, including Meta, Twitter, and Google.

Concerns have also been raised over the Irish DPC’s perceived weak stance on some issues. In a key ongoing case, the regulator is reviewing Meta’s “pay or consent” subscription plans that seek to charge EU users who do not want to be tracked for online advertising when using Facebook or Instagram. The deliberation has ruffled the feathers of DPAs who believe the right to privacy—free of charge—is enshrined in the GDPR.

More widely, data protection has changed since the GDPR was even conceived, let alone when it came into force. Advances in artificial intelligence (AI) and the amount of data it relies on means all DPAs are likely to face more complaints about corporate use of the technology.

Data regulators might also find themselves tied up in knots checking whether they need to investigate under the GDPR, the EU’s AI Act, national privacy legislation, or all three. This could see the Irish DPC’s budget drained fast.