Data Protection Commission defends record after article labelling Republic a ‘corporate crime haven’

Canadian academic criticises Irish data privacy enforcement regime in FT article

The Data Protection Commission (DPC) has defended its record of enforcement of Europe’s data privacy rules after facing stiff criticism in a Financial Times article that labelled the Republic as “one of the EU’s most notorious corporate crime havens”.

In an article published by the UK newspaper on Thursday, academic and author Cory Doctorow argued that Big Tech companies skirt the EU’s General Data Protection Regulation (GDPR) by locating their European headquarters in Ireland.

“Google and Facebook have been unscathed by European privacy law,” the Canadian wrote. “That’s not because they don’t violate the GDPR. It’s because they pretend they are headquartered in Ireland, one of the EU’s most notorious corporate crime havens. And Ireland competes with the EU’s other crime havens – Malta, Luxembourg, Cyprus and, sometimes, the Netherlands – to see which country can offer the most hospitable environment.

“The Irish Data Protection Commission rules on very few cases, and more than two-thirds of its rulings are overturned by the EU courts, even though Ireland is the nominal home to the most privacy-invasive companies on the Continent. So Google and Facebook get to act as though they are immune to privacy law, because they violate the law with an app.”


In response to queries from The Irish Times, a spokesman for the DPC said the EU courts have not overturned any DPC rulings, contrary to what Mr Doctorow said. However, a report from the Irish Council for Civil Liberties last May indicated that some 75 per cent of the DPC’s rulings in EU cases since 2018 had been overruled by its European counterparts in favour of tougher enforcement.

The DPC further defended its record on Thursday, with the spokesman adding that some 85 per cent of enforcement actions under GDPR across the EU, European Economic Area and UK combined last year were taken by the Irish DPC. “Over 66 per cent of the enforcement across the same jurisdictions in 2022 was delivered by the Irish DPC. The highest proportion of cross-border cases in the EU are resolved by the Irish DPC.”

The spokesman said: “The EU courts have not overturned any DPC rulings.” He said close to €3 billion in fines in addition to corrective measures have been imposed by the DPC over the last five years against platforms, dwarfing the enforcement output of other national regulators.

Data Protection Commissioner Helen Dixon is set to leave her role later this year to become Commissioner for Communications Regulation.

Ian Curran

Ian Curran

Ian Curran is a Business reporter with The Irish Times