Ireland’s DPC (Data Protection Commissioner) has issued multiple complaints to EU supervisors following a disagreement that was sparked by a years-long investigation into Meta.
The probe into the social media giant, which owns Facebook and Instagram, has been one of the most disputed cases of GDPR (General Data Protection Regulation) enforcement in its half-decade history.
It relates to a series of compliance failures regarding the way Meta obtained users’ personal data, with the most controversial issue being Meta’s claim that it was contractually required to collect personal information so that its partners could perform targeted advertising.
The DPC initially accepted this explanation, but the EDPB (European Data Protection Board) intervened and ordered the DPC to rethink its interpretation of the GDPR. Eventually, the decision was overturned and Meta was given a €390 million fine.
It’s not the first time the DPC’s approach to the GDPR has been questioned. The data protection authority has been frequently criticised for being too lenient on Big Tech, while there have also been complaints that it takes too long to close investigations.
Perhaps not coincidentally, soon after the Meta incident concluded – at least subject to an appeal – the European Commission released a plan that’s intended to ensure that investigations proceed in a timely manner.
Why is the DPC complaining?
Under the GDPR, each country’s data protection authority is responsible for the compliance practices of organisations based in that country or that use it as their European home. Meta, for instance, is a US-based organisation but it has offices in Ireland and has therefore listed the DPC as its lead supervisory authority.
The GDPR gives each data protection body a certain amount of leeway to interpret compliance. Certain the rules are tweaked in different regions (such as the age at which someone is no longer considered a minor), while there are no set parameters for how an investigation should be conducted.
Although this approach promotes flexibility, it also creates inconsistency – something that the GDPR aims to avoid.
If a country such as Ireland is seen to be soft of data protection (not only in its interpretation of the rules but in the lack of urgency to complete investigations), it makes certain countries a more attractive location for non-EU business.
Ireland’s economy has benefited massively from the influx of tech firms, and the concern is that it wants to keep these companies happy, which would undermine the data protection and data privacy rights of its citizens.
However, the DPC has denied any wrongdoing, and its sympathisers will point to the sheer volume of investigations that it has on its plate. Ireland is home to many huge tech companies, including not only Meta but also Google, Amazon and AirBnB to name a few, and their complex practices will inevitably lead to protracted investigations.
Indeed, Commissioner Helen Dixon hit back at accusations that the DPC is a “bottleneck” for investigations, pointing to the number of significant cases that it has closed in recent years.
Five of the ten biggest GDPR fines issued last year came from the DPC, with Dixon saying that those enforcement actions involved “the conclusion of 17 large-scale investigations in Ireland, and in each case, there was a comprehensive investigation, detailed analysis and findings”.
The DPC’s concern over its criticism and potential regulatory overreach spilled over last month, with the data protection authority filing several claims against the EDPB in the CJEU (Court of Justice of the European Union).
Although the details of these claims haven’t been published, legal experts have predicted that they relate to Article 263 of the Treaty on the Functioning of the European Union, which allows the CJEU to examine the legality of the legal acts of bodies, offices or agencies.
Where those claims go from here is yet to be seen, but while disputes between regulators remain murky, the rules for GDPR compliance are unchanged.