Ireland's Data Protection Commission (DPC) is overwhelmed with the task of regulating big tech, needs more resources and should accept outside help, according to Germany's federal data commissioner.
At a meeting of European regulators last week, Ulrich Kelber likened Ireland's approach to regulating Facebook with the go-slow approach of Germany's automotive regulator on diesel emissions fraud.
Mr Kelber's main complaint centres on a lack of rulings from Ireland's Data Protection Commissioner since the new data protection rulebook, known as GDPR, came into effect in May 2018.
GDPR gives Ireland’s regulator frontline responsibility for overseeing Dublin-based tech companies. But what was devised as a “one-stop shop” to simplify regulatory oversight had, Mr Kelber suggested, led to regulatory standstill.
“None of the cross-border cases under new data protection rules have been addressed,” Mr Kelber told The Irish Times. “This touches largely on cases where the headquarters of the company is in Ireland – but not only.”
The German regulator insisted his was not a personal attack on Irish colleague Helen Dixon, but a criticism of the professional performance of a body "insufficiently equipped for its task".
“The colleagues clearly need better financing and more staff,” he said.
Last October Ms Dixon said she was disappointed her office, employing 140, had received just an extra €1.6 million in the budget, a third of the additional funding sought, bringing its total funding allocation to €16.9 million.
A DPC spokesman dismissed Mr Kelber’s criticism, saying: “This singling out of the Irish DPC is not new from the federal commissioner. We are just busy with getting on with the job of concluding our investigations.”
The German federal regulator has suggested a streamlined system allowing the transfer of cross-border cases to a European data protection agency if a three-quarters majority of EU member states’ regulators were in favour
The regulator in Hamburg, where Facebook has its German headquarters, has suggested imposing a time limit for national authorities to reach a finding – or have the case revoked by European authorities.
That a few national EU regulators were struggling with the main burden of data protection not only put citizens and their rights at a disadvantage to profits of data-collecting corporations, said Hamburg regulator Johannes Caspar, but it was also creating a growing competitive disadvantage for European companies.
“Acceptance of GDPR will sink or swim based on the fairness of its implementation,” said Prof Caspar, calling for harmonised European investigation rules instead of the current patchwork of national procedures.