:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/OFXSHWIGERQXS5QZZ7BBWDGYVY.jpg)
The European Commission has fired a warning shot about the slow enforcement of EU data privacy law, saying the regulation of big companies might be centralised in Brussels if they are not quickly taken to task for flouting the rules. Sharp questions arise for the Irish Data Protection Commission (DPC), which oversees the pan-European operations of groups such as Facebook from Dublin, and the Government, which sets the DPC’s budget.
Technology permeates these days to a degree that few imagined when the Internet was in its infancy. Online devices are integral to the way we live. But services provided free of charge to billions of people enable large companies to harvest personal data which they exploit for vast profit. With that comes the need to ensure that the use of such data does not turn to abuse, a justifiable concern given egregious breaches over the years.
EU privacy laws known as the general data protection regulation (GDPR) were hailed as a game-changer when introduced in 2018. Rule-breakers face the threat of heavy fines. Because so many big tech companies have their European headquarters in Ireland, the DPC here assumed sweeping powers to supervise scores of multinationals. The regime allows national regulators to run a one-stop-shop to oversee company operations online throughout the EU.
Notwithstanding budget disputes, questions arise as to whether national data bodies can effectively regulate the titans of online commerce
Although the Irish regulator has started many cross-border inquiries, it has concluded all too few and has clashed with counterparts over the size of fines. Critics have claimed the office is overwhelmed. Now Vera Jourová, commission vice-president with responsibility for values and transparency, has said inquiries are too slow and that “crunch time” has come. “Either we will all collectively show that GDPR enforcement is effective or it will have to change.” Any overhaul would intensify centralisation via the European Data Protection Board, which oversees the GDPR, or the commission.
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/4BZF4EPX3Z7NO4BJ5LF3V4MWKI.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/7P34XLEECHUKHYLQBVSTI5RVPM.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/W7J7ALWENMJATVIWV6L5ERO76U.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/VHKQEZBS6LKVBY755VOICREY7I.jpg)
This public intervention reflects disquiet widely shared at the failure to bring big tech’s excesses to heel, despite recourse to tough sanctions. Data Protection Commissioner Helen Dixon has dismissed attacks on her organisation’s record. But a budget submission from the DPC to the Government said its structure and management framework was “unsustainable and unfit for purpose” and belonged to another legal era.
There are big reputational issues for Ireland, which pushed for an enhanced role for the DPC in talks on the GDPR and was perceived to be close to big tech companies with Irish investment. Notwithstanding budget disputes, questions arise as to whether national data bodies can effectively regulate the titans of online commerce. Such groups face more forceful supervision when it comes to European competition policy. Consumer protection deserves the same rigour.