As Ireland’s data protection authority was closing in late last year on its first major penalty against Facebook over alleged privacy abuses, the agency — a key global enforcer of data protection rules — reshuffled its top team, replacing a senior official in charge of its most high-profile cases.
Dale Sunderland, a soft-spoken deputy commissioner who was overseeing the agency’s investigations into Facebook, as well as others targeting Apple and Google, moved into a new supervisory role.
In his place three regulators — Anna Morgan, John O’Dwyer and Tony Delaney — took on shared responsibility for these blockbuster cases that have become a bellwether in Europe’s effort to rein in how Big Tech collects, stores and makes money from personal data.
The yearlong restructuring, which culminated last fall, capped a lengthy transformation for the watchdog from bit player to the Western world’s first line of defense against misuses of people’s data. As many Silicon Valley companies have international headquarters in Dublin, the country’s regulator has overarching powers to enforce the European Union’s tough privacy standards.
But the agency’s face-lift also contributed to confusion about its ability to enforce the law, according to more than two dozen current and former Irish data protection officials, other countries’ European privacy regulators, tech company executives, data protection lawyers and privacy campaigners. Many spoke to POLITICO on the condition of anonymity due to their ongoing relationships with Ireland’s Data Protection Commission (DPC).
“When you deal with them, you don’t get the sense that they are there to vindicate data protection rights” — Fred Logue, a privacy lawyer in Dublin
The internal changes were not well communicated outside the DPC, leaving some across the bloc in doubt over who was in charge of high-profile cases, according to officials at other EU agencies. People who had filed complaints with the regulator went months without a response, raising questions about how officials were enforcing the rules. Other European watchdogs began to voice concerns in publicthat the region’s flagship privacy standards were not being enforced.
“Nothing has really changed,” said Fred Logue, a privacy lawyer in Dublin who has filed multiple cases on behalf of clients with Ireland’s privacy watchdog, adding that months would go by without hearing from officials. “When you deal with them, you don’t get the sense that they are there to vindicate data protection rights.”
The agency’s restructuring was the latest headache for the regulator two years after Europe’s landmark privacy overhaul, known as the General Data Protection Regulation, or GDPR, came into force in late May 2018.
Over that time, Helen Dixon, the agency’s head, and her staff of more than 140 regulators have yet to complete any of their investigations into Big Tech. Europe’s new laws allow officials to impose fines of up to 4 percent of a company’s global revenue, or potentially billions of euros, for failures to protect people’s personal information. They’ve become the de facto global standard from Colombia to Japan, an achievement Brussels is eager to promote.
Yet discussions with both advocates and critics of Dublin’s oversight reveal a picture of an agency struggling to come to terms with a powerful new regulatory weapon, with little experience or training about how to wield it. Last year, the agency received more than 7,000 data protection complaints, a record high. It’s working through a backlog of cases as EU agencies are still trying to figure out how best to enforce the rules.
“We’re dealing with a new framework,” Dixon told POLITICO at the agency’s Georgian townhouse headquarters in central Dublin, just a stone’s throw from the country’s parliament, in early March. She rejected claims her agency had been slow to act. “We are now on a pathway where we are going to resolve, one by one, as fast as we can with as many resources as we can, these very entrenched issues.”
Pressure on Ireland
With the two-year anniversary of Europe’s privacy standards coming next Monday, Dixon is under mounting pressure to show that her agency can act.
It will be a make-or-break moment for the privacy regulator — and for Europe’s boasts that it’s the global trendsetter on privacy.
For the agency defenders, its slow pace in taking on cases, putting together bulletproof investigations and figuring out how to enforce Europe’s new data protection laws is a sign that Dixon and her team are taking their beefed-up role seriously. The bloc’s revamped privacy regime, advocates insist, does not give enough detail on how to implement the rules, particularly for policing multinational tech giants, It has been left mostly to the Irish to fill in the gaps.
“It’s ten times more complicated, and regulators aren’t ten times as big,” said Eduardo Ustaran, global co-head of the privacy and cybersecurity practice at Hogan Lovells, a law firm, in London. “Nothing really could have prepared them for the size of GDPR.”
“If a train never gets moving, less locomotives don’t cause further delays” — Max Schrems, an Austrian privacy campaigner
Others disagree. They point to multiple delays in even straightforward cases, including probes into publicly-disclosed misuse of social media data, as a sign that Dublin is not taking its role seriously.
Privacy advocates and some EU regulators grumble that despite Ireland’s backlog of complaints, it is still dragging its feet on investigations that stretch back years, giving companies too much leeway in enforcing the rules and fostering a too close relationship with those it oversees.
“If a train never gets moving…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
