DUBLIN — As Irelands data protection authority was closing in late last year on its first major penalty against Facebook over alleged privacy abuses, the agency — a key global enforcer of data protection rules — reshuffled its top team, replacing a senior official in charge of its most high-profile cases.
Dale Sunderland, a soft-spoken deputy commissioner who was overseeing the agencys investigations into Facebook, as well as others targeting Apple and Google, moved into a new supervisory role.
In his place three regulators — Anna Morgan, John ODwyer and Tony Delaney — took on shared responsibility for these blockbuster cases that have become a bellwether in Europes effort to rein in how Big Tech collects, stores and makes money from personal data.
The yearlong restructuring, which culminated last fall, capped a lengthy transformation for the watchdog from bit player to the Western worlds first line of defense against misuses of peoples data. As many Silicon Valley companies have international headquarters in Dublin, the countrys regulator has overarching powers to enforce the European Unions tough privacy standards.
But the agencys face-lift also contributed to confusion about its ability to enforce the law, according to more than two dozen current and former Irish data protection officials, other countries European privacy regulators, tech company executives, data protection lawyers and privacy campaigners. Many spoke to POLITICO on the condition of anonymity due to their ongoing relationships with Irelands Data Protection Commission (DPC).
“When you deal with them, you dont get the sense that they are there to vindicate data protection rights” — Fred Logue, a privacy lawyer in Dublin
The internal changes were not well communicated outside the DPC, leaving some across the bloc in doubt over who was in charge of high-profile cases, according to officials at other EU agencies. People who had filed complaints with the regulator went months without a response, raising questions about how officials were enforcing the rules. Other European watchdogs began to voice concerns in public that the regions flagship privacy standards were not being enforced.
“Nothing has really changed,” said Fred Logue, a privacy lawyer in Dublin who has filed multiple cases on behalf of clients with Irelands privacy watchdog, adding that months would go by without hearing from officials. “When you deal with them, you dont get the sense that they are there to vindicate data protection rights.”
The agencys restructuring was the latest headache for the regulator two years after Europes landmark privacy overhaul, known as the General Data Protection Regulation, or GDPR, came into force in late May 2018.
Over that time, Helen Dixon, the agencys head, and her staff of more than 140 regulators have yet to complete any of their investigations into Big Tech. Europes new laws allow officials to impose fines of up to 4 percent of a companys global revenue, or potentially billions of euros, for failures to protect peoples personal information. Theyve become the de facto global standard from Colombia to Japan, an achievement Brussels is eager to promote.
Yet discussions with both advocates and critics of Dublins oversight reveal a picture of an agency struggling to come to terms with a powerful new regulatory weapon, with little experience or training about how to wield it. Last year, the agency received more than 7,000 data protection complaints, a record high. Its working through a backlog of cases as EU agencies are still trying to figure out how best to enforce the rules.
“Were dealing with a new framework,” Dixon told POLITICO at the agencys Georgian townhouse headquarters in central Dublin, just a stones throw from the countrys parliament, in early March. She rejected claims her agency had been slow to act. “We are now on a pathway where we are going to resolve, one by one, as fast as we can with as many resources as we can, these very entrenched issues.”
Pressure on Ireland
With the two-year anniversary of Europes privacy standards coming next Monday, Dixon is under mounting pressure to show that her agency can act.
Significant fines and orders for change against both Facebook and Twitter are still expected by early summer, almost a year after the enforcement actions were originally expected.
It will be a make-or-break moment for the privacy regulator — and for Europes boasts that its the global trendsetter on privacy.
For the agency defenders, its slow pace in taking on cases, putting together bulletproof investigations and figuring out how to enforce Europes new data protection laws is a sign that Dixon and her team are taking their beefed-up role seriously. The blocs revamped privacy regime, advocates insist, does not give enough detail on how to implement the rules, particularly for policing multinational tech giants, It has been left mostly to the Irish to fill in the gaps.
“Its 10 times more complicated, and regulators arent ten times as big,” said Eduardo Ustaran, global co-head of the privacy and cybersecurity practice at Hogan Lovells, a law firm, in London. “Nothing really could have prepared them for the size of GDPR.”
“If a train never gets moving, less locomotives dont cause further delays” — Max Schrems, an Austrian privacy campaigner
Others disagree. They point to multiple delays in even straightforward cases, including probes into publicly-disclosed misuse of social media data, as a sign that Dublin is not taking its role seriously.
Privacy advocates and some EU regulators grumble that despite Irelands backlog of complaints, it is still dragging its feet on investigations that stretch back years, giving companies too much leeway in enforcing the rules and fostering a too close relationship with those it oversees.
“If a train never gets moving, less locomotives dont cause further delays,” said Max Schrems, an Austrian privacy campaigner who has become the Irish regulators quasi-bête noire after pushing them to take action, mostly against Facebook, since the early 2010s.
Struggling to keep up
In discussions with Irish regulators, European counterparts and others involved in Europes new privacy regime, POLITICO pieced together how Dublin struggled to cope with its expanded role.
A major stumbling block has been creating watertight legal cases needed to levy hefty fines because, under the blocs previous privacy regime that dated back to the mid-1990s, Dublin did not have the authority to issue financial penalties for wrongdoing. Under Irish law, it did gain lengthy litigation experience around privacy violations. But without a track record of financial enforcement, regulators have been racing to get up to speed just as pressure to act becomes ever more acute.
That left some within the agency anxious to avoid procedural mistakes — particularly when dealing with untested, new privacy standards — that could be unpicked in eventual appeals. Irish law provided little breathing space for such legal missteps, according to several local privacy experts.
Dublin currently has almost two-dozen open cases into companies like Microsoft | David Ramos/Getty Images
For outsiders, the delays proved frustrating.
“You dont hear anything about cases transferred to Ireland,” said Johannes Caspar, head of Hamburgs data protection regulator, whose agency is the first port of call for privacy complaints about almost all U.S. tech firms in Germany. “What goes on, what type of information was exchanged, we dont get any of that. Were here just standing and waiting.”
Graham Doyle, a spokesman for the Irish authority, said other regulators could ask Dublin for updates on the ongoing cases during monthly meetings of EU privacy agencies.
Difficulties began soon after Europes new privacy rules began in May 2018.
Days into the new regime, the regulator was flooded with requests, both from locals and people abroad who wanted to take advantage of the new privacy protections to land major complaints.
Some, like those lodged by Schrems, garnered international attention and focused on Big Techs data collection practices. Currently, Dublin has 23 open cases into the likes of Microsoft, Apple and Facebook, which is under investigation for everything from mundane data breaches to complex probes into how the company makes money from Europeans personal information. The social networking giant declined to comment for this article.
The influx of work represented a challenge for a staff that had grown from just 29 when Dixon took over in 2014 (when the agency was mostly based over a small convenience store in a Portarlington, a small town in central Ireland) to a team of roughly 175 by the end of this year, spread over three different locations. Some complaints took months to garner responses, as different units divvied up tasks and regulators juggled to keep people in the loop on how investigations were proceeding, according to those involved in the some of ongoing cases.
Last year, amid a record number of complaints, the agency said it had sent peoples cases for enforcement, or closed others complaints, in just over 80 percent of the 6,904 cases it had received last year, according the DPCs annual report. Roughly 4,500 were concluded without specific enforcement, while 1,100 are now waiting potential fines and other remedies.
“When the spotlight is on you, you have to be seen to act” — Daragh OBrien, Irish data protection consultant
Currently, the watchdog has just under 2,500 open complaints filed since Europes new privacy rules came into effect in 2018. Dixon, the Irish regulator, said that many cases had been resolved before reaching the need for a formal investigation, and that her team was in regular contact with those who had submitted complaints.
Yet Daragh OBrien, an Irish data protection consultant who filed multiple complaints on behalf of himself and mostly domestic clients, said that months would go by before receiving confirmation the agency had received his requests. Case workers would be replaced by someone new, often without explanation, and few, if any updates, would be sent out to those who had submitted cases. Schrems also said he had yet to receive an update from Dublin on his cases against WhatsApp and Instagram since he filed them almost two years ago. The regulator sent its initial findings to him in those cases earlier this week.
“When the spotlight is on you, you have to be seen to act,” said OBrien.
Ireland pushes back
Just as Dublin was plowing through the increased regulatory work, European counterparts piled on the pressure.
At regular monthly gatherings of the regions privacy agencies, officials would ask for updates on the high-profile cases involving Facebook and other tech giants, and urged Dixon and her colleagues to move faster on enforcement, according to several officials involved in the meetings. Some, including French and German regulators, moved against these companies on their own, with Paris fining Google €50 million — a then-record penalty — in early 2019 for privacy violations. The search giant is appealing that decision.
Officials at several EU data protection authorities told POLITICO that cases they had sent to Ireland for investigation sat in an internal IT system for Europes data protection agencies for months with few, if any, updates to the case work. Some, including Hamburgs Caspar, felt they had been left in the dark over how cases involving their citizens were unfolding, despite monthly calls between Ireland and French and German regulators. Ireland recently joined forces with Spain as part of its investigation into Verizon Media.
Those inside the Irish watchdog pushed back against those claims. Officials said they would go months without receiving the necessary information from other EU agencies to push inveRead More – Source