The Data Protection Commission (DPC) of Ireland has been the focus of attention among data protection commissions in other European nations due to the fines they have imposed on technology giants. Despite this, the outcome of the cases leaves much to be desired.
This prominence occurs due to the fact that companies such as Google, Meta (Facebook and WhatsApp), TikTok, and Microsoft have their European headquarters in Ireland, which makes the DPC the authority responsible for monitoring, investigating, and punishing their illicit or questionable practices under the GDPR, i.e. those involving the processing of personal data of European citizens.
One fact that draws attention is that 87% of complaints from other nations to the DPC, regarding alleged violations of the GDPR, involve the following companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple, and Tinder.
Despite the application of large fines, two findings have called into question the effectiveness of the Irish Data Protection Commission:
1. Three-quarters of the Irish data surveillance body's decisions in cases involving the GDPR across the European Union were rejected by European regulators, i.e. 75% of the Data Protection Commission's decisions in cross-border investigations over a period of five years were overturned by the European Data Protection Board (EDPB), which is a considerable and worrying figure.
2. There is an understanding that the DPC tends to use its discretionary powers, supported by Irish law, to choose an amicable resolution to conclude 83% of the cross-border complaints it receives, rather than using enforcement measures that will effectively punish violations of personal data of European citizens.
In view of the above, there is a clear perception that GDPR compliance has not been required to the same extent as in other data protection commissions in European nations, resulting in a clear perception of impunity.
Currently, the DPC is undergoing an in-depth review of its entire governance structure and internal processes with the purpose of making its operations more effective, having recently received reinforcements from the Irish government in its commissioners staff to improve monitoring, investigation, and punishment effectiveness of those who violate the protection of personal data and the privacy provisions provided for in the GDPR.