How Ireland became Europe’s data protection watchdog

When the GDPR (General Data Protection Regulation) took effect a year ago, it promised to overhaul the EU’s data protection landscape. Things have moved a little slower than expected for most member states, but that’s not been the case in Ireland.

The country’s DPC (Data Protection Commission) flew out of the tracks, dealing with more than 1,000 GDPR queries and logging 60 data breaches in the first three weeks of the Regulation’s enforcement.

Since then, it has launched 19 statutory investigations, setting a high bar for the rest of the EU.

Meanwhile, the country’s focus on tech firms – with Facebook, Instagram and LinkedIn among those being probed – has gone a long way to dispel the myth that Ireland is a safe haven for Silicon Valley companies.

Ireland isn’t soft on tech firms

Ireland has a long, mostly harmonious relationship with major tech firms. In the 1980s, Apple became the first Silicon Valley company to establish an office in Ireland, and in recent years many others have followed, including Google, Facebook and LinkedIn.

These organisations often cite the country’s large talent pool, with world-class engineering programmes at Trinity College Dublin and University College Dublin, as a reason for their relocation. And unlike much of Europe, US executives don’t need to worry about a potential language barrier.

But the advantages of a qualified workforce pale in comparison with the benefits provided by Ireland’s 12.5% corporate tax rate. That’s the lowest in Western Europe and 10 percentage points lower than the EU average.

Ireland obviously benefits from the deal, too. It still makes billions of euros in corporate taxes, with the influx of major US companies in the past few years helping the country climb out of an almost decade-long recession. In the past two years, tech firms have created more than 30,000 jobs across the country.

But if those organisations thought the benefits they’ve brought to Ireland would loosen the reigns when it comes to regulatory enforcement, they were mistaken.

In addition to the multiple investigations already underway, the DPC has also launched a probe into its proverbial golden goose, Google.

The organisation, which is responsible for about half of the tech jobs created in Ireland over the past two years, is currently being investigated by the DPC over claims that its use of personal data to target online advertising violates the GDPR.

Google is so far the only major tech company to be penalised under the GDPR. In January 2019, France’s data protection authority, the CNIL, issued it with a €50 million (about £44 million) fine for neglecting transparency requirements and failing to obtain a lawful basis for personal data processing.

The way Ireland is going, plenty of similar penalties could be on the way.

What are tech companies doing wrong?

The majority of the DPC’s investigations concern organisations’ inability to:

  • Justify and document a lawful basis for processing personal data;
  • Provide individuals with information about what data is collected and how it will be used; and
  • Inform individuals about their data subject rights.

Tech companies probably aren’t the only ones failing to meet these requirements. In fact, researchers believe most organisations are struggling to comply.

However, Anthony Lee, a data privacy expert and partner at the law firm DMH Stafford, believes tech giants are under closer scrutiny following the Facebook–Cambridge Analytica scandal.

“A lot of these big tech companies are consumer facing so handle a lot of personal data, but come from the US which doesn’t have as strong privacy laws as Europe,” he adds.

“If they weren’t well attuned to the requirements that GDPR imposes, they certainly are now.”

Ireland’s Data Protection Commissioner, Helen Dixon, is expected to announce her decisions on the first of the active investigations by July or August, with the final rulings made by the end of the year.

Fast-track your compliance project

If you’re among the many organisations trying to get their heads around the GDPR, you might be interested in our GDPR Compliance Solution ­– The Essentials bundle.

This bundle is for organisations with limited compliance resources, giving them the tools they need to meet the GDPR’s requirements. It contains training courses, an introductory guide to the Regulation, an implementation guide, e-learning courses, staff awareness training and documentation templates.

Find out more about our compliance solution >>