Ireland’s balance between Big Tech and data privacy

Ireland has long faced criticism from both privacy campaigners and fellow EU nations for failing to hold Big Tech companies to account under the EU’s General Data Protection Regulation (GDPR) - but has the recent WhatsApp fine signalled a change of direction for the supposedly soft touch regulator?

As the European headquarters to most US Big Tech companies, including Google, Facebook, Apple, Microsoft and TikTok, Ireland arguably shoulders the responsibility for upholding EU privacy rules and ensuring GDPR compliance. However, after nearly three and half years since the GDPR came into force, the Irish Data Protection Commissioner (DPC) has only issued four draft decisions, with 98% of 164 significant complaints about privacy abuses unresolved.

Tension

Tensions over Ireland’s resistance to police Big Tech have been bubbling away for some time. Other EU countries, such as Germany, Spain and France have all previously voiced concerns and openly criticised the Irish regulator for failing to not only enforce action against Big Tech, but also for the length of time it takes the DPC to handle cases - which is considered significantly slower than other EU nations. The DPC has even faced judicial review over its handling of GDPR cases by Ireland’s High Court, signalling the mounting pressure on the DPC.

One of the key justifications for introducing the GPDR was to harmonise data protection and privacy rules across Europe. However, as demonstrated above, it is interesting that data protection authorities are taking contrasting approaches to the application of the regulation, which may hinder “harmonisation” across the EU. In turn this may make it harder (rather than simpler) for businesses to operate throughout the EU due to these differing application of the rules.

Feeling the crunch

Perhaps in an attempt to appease its equivalent EU counterparts, earlier this month the DPC announced a record-breaking €225 million fine against WhatsApp for failure to meet the transparency requirements in the GDPR– the largest to date handed out by the DPC for a GDPR related violation. The fine was four times higher than that which was initially proposed at the start of the year, suggesting that the pressure that the DPC has faced from other EU data regulators may have tied its hands to take firmer action.

Moreover, it was announced last week that the DPC has launched an investigation into TikTok over its handling of children’s data and the transferring of personal data to China. Given the recent WhatsApp case, Big Tech companies located in Ireland will be interested to see if the DPC takes a similar hard line in how it deals with this investigation, as this might signal a shift in approach by the DPC.

Balance

There are many advantages driving Big Tech companies’ choice of Ireland as their central European base and the DPC’s traditionally more business-minded approach (in contrast with some other EU data protection authorities) has been one of these. In return, Big Tech brings jobs, money and opportunity, with 70% of Ireland’s foreign direct investment coming from the US.

According to an OECD report, investment from large multinational corporations has been “central to Ireland’s recovery from the financial crisis”, with this sector accounting for 16% of the value of the country’s GDP.

With an eco-system created, allowing other tech companies to enter the market, Ireland continues to attract Big Tech – but with privacy activists and other EU nations taking aim at it for its lack of enforcement, it has some difficult choices to make. It will be interesting to see if the country will hold its ground or succumb to pressure and start more actively and aggressively enforcing privacy complaints against these companies.