Max Schrems and Helen Dixon clash over Irish GDPR enforcement on big tech

The Austrian privacy campaigner, Max Schrems, has told an Oireachtas Justice Committee that Ireland is on the verge of facing infringement proceedings in Europe because of its “extremely poor” GDPR enforcement record, particularly in relation to big tech companies.

However, DPC Commissioner Helen Dixon slammed “inaccuracies” in some of the criticism presented against her office, adding that hostile commentary was “exaggerated” and “simplistic”.

The Committee invited both Mr Schrems, whose legal action against Facebook has changed European law, and Ms Dixon, Europe’s most powerful tech regulator.

Mr Schrems said that Europeans seeking to vindicate their privacy rights under GDPR are now trying to find ways around Ireland’s privacy regulator because of what he claims is chronic non-enforcement.

“There is more and more of an appetite for an infringement procedure against the Republic of Ireland,” said Mr Schrems.

“Of 10,000 complaints, the DPC says it will have six to seven decisions this year. This means that 99.93pc of all complaints are not decided. So for 99.3pc of people in Europe that rely on it, [the Irish DPC] is just not reachable.”

Mr Schrems added that a European Parliament committee has now asked for infringement procedures “and it's very likely that this vote will vote through.”

But Data Protection Commissioner Helen Dixon told the Committee that much of the criticism aimed at her office is “far too simplistic” and “a superficial skimming of the surface”.

She said that the figures cited by Mr Schrems were inaccurately portrayed.

She also rejected the argument that European authorities are now drifting toward a dilution of the ‘one stop shop’ principle, telling the Committee that these were the same regulators “who were against the idea of a one stop shop from the beginning”.

Mr Schrems said that despite Ireland’s DPC being one of the best-resourced data protection agencies in Europe, other countries have become far more efficient at dealing with GDPR issues.

“If you look at the numbers, other countries are definitely more efficient,” he said. “In Austria, we have a huge funding problem but you get your cases decided within six months by law. Spain has a similar number of complaints as the [Irish] DPC and a similar budget and number of staff but they have five or six decisions daily.”

But Ms Dixon rejected accusations of inaction. She said that the idea that “the DPC is deliberately refusing to regulate or has been deliberately constituted so as to be incapable of regulation” was wrong.

“Last year alone, with over 10,000 cases, 60pc of the complaints lodged with the DPC last year were concluded,” she said. “We handled 42 applications for the approval of binding corporate rules, we dealt with over 6,000 security breach notifications and progressed to 87 full-scale statutory inquiries.”

Mr Schrems said that one potential means of improvement would be to add two additional commissioners in Ireland, sitting alongside Helen Dixon, to deal with workflows and litigation issues.

In a separate submission, the Irish Council Of Civil Liberties’ Dr Johnny Ryan said that Ireland risked “reputational risk” from slow enforcement procedures.

“In the three years since the GDPR was applied, the Data Protection Commission asserted its lead role in 196 cases, but delivered decisions in only four,” he said.

“In other words, the DPC has failed to resolve 98pc of cases important enough to be of EU-wide concern. That means Ireland is the bottleneck of GDPR investigation and enforcement against Google, Facebook, Microsoft, and Apple, everywhere in the EU.”

In response, Ms Dixon said that Mr Ryan and the ICCL had misunderstood a European advocate general’s comments, calling Mr Ryan’s understanding of the comments “erroneous”.