DUBLIN — As Ireland’s data protection authority was closing in late last year on its first major penalty against Facebook over alleged privacy abuses, the agency — a key global enforcer of data protection rules — reshuffled its top team, replacing a senior official in charge of its most high-profile cases.
Dale Sunderland, a soft-spoken deputy commissioner who was overseeing the agency’s investigations into Facebook, as well as others targeting Apple and Google, moved into a new supervisory role.
In his place three regulators — Anna Morgan, John O’Dwyer and Tony Delaney — took on shared responsibility for these blockbuster cases that have become a bellwether in Europe’s effort to rein in how Big Tech collects, stores and makes money from personal data.
The yearlong restructuring, which culminated last fall, capped a lengthy transformation for the watchdog from bit player to the Western world’s first line of defense against misuses of people’s data. As many Silicon Valley companies have international headquarters in Dublin, the country’s regulator has overarching powers to enforce the European Union’s tough privacy standards.
But the agency’s face-lift also contributed to confusion about its ability to enforce the law, according to more than two dozen current and former Irish data protection officials, other countries’ European privacy regulators, tech company executives, data protection lawyers and privacy campaigners. Many spoke to POLITICO on the condition of anonymity due to their ongoing relationships with Ireland’s Data Protection Commission (DPC).
“When you deal with them, you don’t get the sense that they are there to vindicate data protection rights” — Fred Logue, a privacy lawyer in Dublin
The internal changes were not well communicated outside the DPC, leaving some across the bloc in doubt over who was in charge of high-profile cases, according to officials at other EU agencies. People who had filed complaints with the regulator went months without a response, raising questions about how officials were enforcing the rules. Other European watchdogs began to voice concerns in public that the region’s flagship privacy standards were not being enforced.
“Nothing has really changed,” said Fred Logue, a privacy lawyer in Dublin who has filed multiple cases on behalf of clients with Ireland’s privacy watchdog, adding that months would go by without hearing from officials. “When you deal with them, you don’t get the sense that they are there to vindicate data protection rights.”
The agency’s restructuring was the latest headache for the regulator two years after Europe’s landmark privacy overhaul, known as the General Data Protection Regulation, or GDPR, came into force in late May 2018.
Over that time, Helen Dixon, the agency’s head, and her staff of more than 140 regulators have yet to complete any of their investigations into Big Tech. Europe’s new laws allow officials to impose fines of up to 4 percent of a company’s global revenue, or potentially billions of euros, for failures to protect people’s personal information. They’ve become the de facto global standard from Colombia to Japan, an achievement Brussels is eager to promote.
Yet discussions with both advocates and critics of Dublin’s oversight reveal a picture of an agency struggling to come to terms with a powerful new regulatory weapon, with little experience or training about how to wield it. Last year, the agency received more than 7,000 data protection complaints, a record high. It’s working through a backlog of cases as EU agencies are still trying to figure out how best to enforce the rules.
“We’re dealing with a new framework,” Dixon told POLITICO at the agency’s Georgian townhouse headquarters in central Dublin, just a stone’s throw from the country’s parliament, in early March. She rejected claims her agency had been slow to act. “We are now on a pathway where we are going to resolve, one by one, as fast as we can with as many resources as we can, these very entrenched issues.”
Pressure on Ireland
With the two-year anniversary of Europe’s privacy standards coming next Monday, Dixon is under mounting pressure to show that her agency can act.
Significant fines and orders for change against both Facebook and Twitter are still expected by early summer, almost a year after the enforcement actions were originally expected.
It will be a make-or-break moment for the privacy regulator — and for Europe’s boasts that it’s the global trendsetter on privacy.
For the agency defenders, its slow pace in taking on cases, putting together bulletproof investigations and figuring out how to enforce Europe’s new data protection laws is a sign that Dixon and her team are taking their beefed-up role seriously. The bloc’s revamped privacy regime, advocates insist, does not give enough detail on how to implement the rules, particularly for policing multinational tech giants, It has been left mostly to the Irish to fill in the gaps.
“It’s 10 times more complicated, and regulators aren’t ten times as big,” said Eduardo Ustaran, global co-head of the privacy and cybersecurity practice at Hogan Lovells, a law firm, in London. “Nothing really could have prepared them for the size of GDPR.”
“If a train never gets moving, less locomotives don’t cause further delays” — Max Schrems, an Austrian privacy campaigner
Others disagree. They point to multiple delays in even straightforward cases, including probes into publicly-disclosed misuse of social media data, as a sign that Dublin is not taking its role seriously.
Privacy advocates and some EU regulators grumble that despite Ireland’s backlog of complaints, it is still dragging its feet on investigations that stretch back years, giving companies too much leeway in enforcing the rules and fostering a too close relationship with those it oversees.
“If a train never gets moving, less locomotives don’t cause further delays,” said Max Schrems, an Austrian privacy campaigner who has become the Irish regulator’s quasi-bête noire after pushing them to take action, mostly against Facebook, since the early 2010s.
Struggling to keep up
In discussions with Irish regulators, European counterparts and others involved in Europe’s new privacy regime, POLITICO pieced together how Dublin struggled to cope with its expanded role.
A major stumbling block has been creating watertight legal cases needed to levy hefty fines because, under the bloc’s previous privacy regime that dated back to the mid-1990s, Dublin did not have the authority to issue financial penalties for wrongdoing. Under Irish law, it did gain lengthy litigation experience around privacy violations. But without a track record of financial enforcement, regulators have been racing to get up to speed just as pressure to act becomes ever more acute.
That left some within the agency anxious to avoid procedural mistakes — particularly when dealing with untested, new privacy standards — that could be unpicked in eventual appeals. Irish law provided little breathing space for such legal missteps, according to several local privacy experts.
For outsiders, the delays proved frustrating.
“You don’t hear anything about cases transferred to Ireland,” said Johannes Caspar, head of Hamburg’s data protection regulator, whose agency is the first port of call for privacy complaints about almost all U.S. tech firms in Germany. “What goes on, what type of information was exchanged, we don’t get any of that. We’re here just standing and waiting.”
Graham Doyle, a spokesman for the Irish authority, said other regulators could ask Dublin for updates on the ongoing cases during monthly meetings of EU privacy agencies.
Difficulties began soon after Europe’s new privacy rules began in May 2018.
Days into the new regime, the regulator was flooded with requests, both from locals and people abroad who wanted to take advantage of the new privacy protections to land major complaints.
Some, like those lodged by Schrems, garnered international attention and focused on Big Tech’s data collection practices. Currently, Dublin has 23 open cases into the likes of Microsoft, Apple and Facebook, which is under investigation for everything from mundane data breaches to complex probes into how the company makes money from Europeans’ personal information. The social networking giant declined to comment for this article.
The influx of work represented a challenge for a staff that had grown from just 29 when Dixon took over in 2014 (when the agency was mostly based over a small convenience store in a Portarlington, a small town in central Ireland) to a team of roughly 175 by the end of this year, spread over three different locations. Some complaints took months to garner responses, as different units divvied up tasks and regulators juggled to keep people in the loop on how investigations were proceeding, according to those involved in the some of ongoing cases.
Last year, amid a record number of complaints, the agency said it had sent people’s cases for enforcement, or closed others’ complaints, in just over 80 percent of the 6,904 cases it had received last year, according the DPC’s annual report. Roughly 4,500 were concluded without specific enforcement, while 1,100 are now waiting potential fines and other remedies.
“When the spotlight is on you, you have to be seen to act” — Daragh O’Brien, Irish data protection consultant
Currently, the watchdog has just under 2,500 open complaints filed since Europe’s new privacy rules came into effect in 2018. Dixon, the Irish regulator, said that many cases had been resolved before reaching the need for a formal investigation, and that her team was in regular contact with those who had submitted complaints.
Yet Daragh O’Brien, an Irish data protection consultant who filed multiple complaints on behalf of himself and mostly domestic clients, said that months would go by before receiving confirmation the agency had received his requests. Case workers would be replaced by someone new, often without explanation, and few, if any updates, would be sent out to those who had submitted cases. Schrems also said he had yet to receive an update from Dublin on his cases against WhatsApp and Instagram since he filed them almost two years ago. The regulator sent its initial findings to him in those cases earlier this week.
“When the spotlight is on you, you have to be seen to act,” said O’Brien.
Ireland pushes back
Just as Dublin was plowing through the increased regulatory work, European counterparts piled on the pressure.
At regular monthly gatherings of the region’s privacy agencies, officials would ask for updates on the high-profile cases involving Facebook and other tech giants, and urged Dixon and her colleagues to move faster on enforcement, according to several officials involved in the meetings. Some, including French and German regulators, moved against these companies on their own, with Paris fining Google €50 million — a then-record penalty — in early 2019 for privacy violations. The search giant is appealing that decision.
Officials at several EU data protection authorities told POLITICO that cases they had sent to Ireland for investigation sat in an internal IT system for Europe’s data protection agencies for months with few, if any, updates to the case work. Some, including Hamburg’s Caspar, felt they had been left in the dark over how cases involving their citizens were unfolding, despite monthly calls between Ireland and French and German regulators. Ireland recently joined forces with Spain as part of its investigation into Verizon Media.
Those inside the Irish watchdog pushed back against those claims. Officials said they would go months without receiving the necessary information from other EU agencies to push investigations forward despite other regulators chiding Dublin for not moving fast enough. At the regular meetings of the bloc’s privacy authorities to update on its case load, the Irish would ask others to lend a hand — requests that often went unmet.
Irish officials also questioned others’ intentions in criticizing their work. They pointed out that few, if any, EU watchdogs had successfully brought enforcement actions against international companies, like banks and other global financial institutions, which fell under other countries’ own jurisdictions.
Ireland’s data protection watchdog “will eventually come out with a few big decisions and everyone will calm down,” said Johnny Ryan, chief privacy officer at Brave, a mobile browser, who filed a complaint against Google with the agency, but has yet to receive an update on his case. “But they’re taking more than enough time.”
Amid this political wrangling, the restructuring of Ireland’s privacy watchdog was well underway, with several senior managers leaving the organization late in 2019 just as Dublin was preparing its first blockbuster enforcement action against Facebook.
Officials like Donna Creaven, former head of supervision and engagement with multinational tech companies, took senior roles in other public sector bodies, according to data from LinkedIn. As part of a recruitment push, the agency said it would hire several senior lawyers and data protection experts for its ongoing investigations. But the benefits package — maximum salaries for positions posted earlier this year topped out at €83,740 — has put off possible candidates, according to four local privacy experts who had considered applying. In response, an Irish official told POLITICO they had been inundated with applications.
Just as the watchdog’s revamp was winding down in late 2019, Helen Dixon got some bad news.
Last fall, she had asked the Irish government for an extra €5.9 million, or an almost 40 percent bump, to top up the regulator’s annual budget. The request was both to hire investigators and create new internal structures to reduce the agency’s reliance on the justice ministry for back-office functions like IT and human resources support. All EU privacy agencies have been pleading for more resources to handle the increased workload under the region’s new rules.
But the answer was no.
In October, Irish lawmakers instead doled out an additional €1.6 million, an 11 percent annual rise, for the agency’s war chest. It was enough to hire up to 40 more employees, but remained well below what many inside had hoped for.
“Governments all signed up to this law,” Dixon told POLITICO, adding that she was satisfied with the budget increase her agency was given. “If you want to meet those expectations, additional staff are going to be required.”
The budget decision came at a delicate time.
Ireland’s regulators had expected to announce their first major decision against Facebook by the end of 2019. It would be the culmination of years of work and a symbol that Dublin was able to fulfill its role as the West’s first line of defense against data protection abuses.
But amid legal delays, the decision — linked to how Facebook failed to explain to users how their data would be shared between WhatsApp and the social network, the internet messenger’s parent company — stalled. An announcement was postponed well into 2020.
For Dublin’s supporters, the delay was unavoidable. Better to wait and build cases that would hold up in court, they insist. “We want to create sustainable solutions to problems that have been around in data protection for a long time,” Dixon said when asked about why no enforcement action against tech companies had yet to be published. She did not comment on any specific case.
But for those already losing patience with Ireland, the country’s inability to bring Silicon Valley to heel almost two years after Europe’s new privacy regime began had started to wear thin.
“I won’t say they did a good job,” said Caspar, the German regulator, in reference to the Irish privacy watchdog. “To do a good job, they would need to issue draft (enforcement) decisions.”
Vincent Manancourt contributed reporting from Brussels, Elisa Braun contributed reporting from Paris.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email firstname.lastname@example.org to request a complimentary trial.