The Data Protection Commission is broken. Here is how to fix it

To restore confidence, the Government must ensure a robust and completely independent process to select two new commissioners


The EU General Data Protection Regulation (GDPR) came into effect in May 2018. It made Ireland’s Data Protection Commission (DPC) the lead EU supervisory authority for all companies that have their European headquarters here. This quirk of the law made Ireland a central jurisdiction in the global digital economy. It also made us responsible for policing what Google, Facebook, Apple, Microsoft and other Big Tech firms do with the data and intimate secrets of Europe’s half a billion citizens.

From the outset there has been international concern about how the DPC has discharged this responsibility. Criticism has come from the DPC’s counterparts across the European Union, the European Court of Justice and the European Parliament. Last year, the Oireachtas Justice Committee noted its “serious concern” at “the particularly slow progress of some cases being handled by the DPC”, and said it feared that “citizens’ fundamental rights are in peril”.

This month, a European Parliament delegation will arrive in Ireland to investigate whether the DPC has failed to protect EU citizens from Big Tech’s at times irresponsible data practices. At the same time the EU ombudsman, Dr Emily O’Reilly, has deepened her inquiry into whether the European Commission has kept a proper eye on how Ireland has discharged its responsibility as in effect Europe’s primary data protection enforcer.

The Government is now signalling that it wants to address these concerns. Just before the summer break it announced it will appoint two additional data protection commissioners in the next half year. This is welcome. But in isolation it will not be enough.


To restore confidence in the DPC and in Ireland’s ability to supervise Big Tech, the Government must ensure a robust and completely independent process to select the two new commissioners. It must also attract the right candidates.

At least one incoming commissioner should have a strong record of robust investigation: we need candidates who have experience raiding organisations, efficiently securing and inspecting records, and developing sources that resulted in jail terms. Robust and proactive investigation is the only way to uncover what any large company has been doing behind the scenes.

The other incoming commissioner should have expert knowledge of procedural law. The Oireachtas Justice Committee recommended in April 2021 that appointing a commissioner who understands procedural law would “ensure a high quality in the decision-making by the DPC”. A senior lawyer or retired judge would introduce procedural clarity. Their steady hand should also reduce avoidable legal costs.

There must also be a process to decide which of the three commissioners will be chair. This person will have the deciding vote in the event of a tie when making decisions.

Excellent candidates alone will not be able to cure the problems of the DPC. This is why the committee recommended last year that the Government launch an independent review of how to strengthen and reform the organisation. The EU commissioner for justice, Didier Reynders, has endorsed this idea. But rather than launch an independent review, the Minister for Justice instead has asked that the DPC review itself. A self-review is totally inadequate when the fundamental data rights of half a billion Europeans, and Ireland’s reputation, hang in the balance.

The review of how to fix the DPC must rely not on the outlook of its current leadership but rather on objective analysis. That analysis must be bottom to top, with candid input from European counterparts. Without this, the two incoming commissioners will not know what they need to fix.

Failing to equip them with the facts would be more than a false economy. It would signal to our European friends that Ireland remains unequal to the task of protecting their welfare and rights in the digital age.

In the last 12 months, we have lost the opportunity to be Europe’s primary regulator of both the artificial intelligence and the online content industries. The EU AI Act and the EU Digital Services Act were altered to avoid placing chief responsibility on Ireland in the manner that was done under the GDPR. We will never know the real economic cost of this loss, but it is likely to have been significant.

But all is not lost. Over the next 12 months the Government should commit itself to redeeming Ireland’s place in the global digital economy. It must do two things. First, it should animate the DPC with outstanding new commissioners capable of transforming it into a formidable investigative organisation armed with legal discernment. Second, it should apprise those new commissioners of what must be fixed by means of an independent review. We must steel the DPC to protect the fundamental rights of all Europeans, even in the face of some of the world’s biggest companies.

Johnny Ryan is a Senior Fellow at the Irish Council for Civil Liberties