Would you like to monitor whether Big tech is respecting European Union privacy rules? The Irish government has published job ads two additional commissioners to head the Data Protection Commission (DPC), which oversees the compliance of dozens of major tech companies with the region’s data protection framework, and has the power to impose fines of up to 4% of the global annual billing for violations of the regime.
The Irish DPC plays a key role in the enforcement of the pan-European General Data Protection Regulation (GDPR) due to the number of tech giants choosing to locate a substantial regional base in the country.
The incoming commissioners will join current Commissioner Helen Dixon, who will assume the presidency under the new commissioner trio structure. But she will step down as regulator next year, when her term expires, so a complete reboot of her leadership is on the horizon.
The change in the structure of the DPC was approved by the Irish government in July 2022following calls to bolster the capabilities of a watchdog with a massive and still growing caseload that oversees the GDPR compliance of multiple tech giants.
Companies targeted by the DPC for data protection supervision include Apple, Google, Meta, TikTok and X (Twitter). While recently, ai giant OpenAI opened an office in Dublin in what appears to be a bid to gain “main establishment” status in Ireland in the future, which would mean the DPC would also become its main regulator of the GDPR. The new commissioners will therefore be involved in overseeing a number of well-known tech giants and potentially intervening in important legal calls related to a new generation of ai-powered giants.
Candidates for the positions must have a range of qualifications including “a comprehensive understanding of relevant legal systems and frameworks with the ability to demonstrate, or rapidly acquire, knowledge and understanding of national and EU data protection legislation, human rights laws and law enforcement procedures. “, and administrative law”, according to the job offer, as well as a “deep knowledge” (or the ability to quickly acquire one) of ICT and data processing methods and an “excellent knowledge and understanding of protection of data arising from its use”. ”.
The deadline for applications for the two commissioner positions is October 19. the Irish High Level Appointments Committee (TLAC) will be responsible for making the appointments. The same committee reappointed Dixon as commissioner for a second five-year term. back in 2019.
It is unclear why it has taken so long for the Irish government to appoint the two new commissioners. “Ireland has a key role in implementing the GDPR across Europe,” he now writes. “This is due to the ‘single window’ mechanism, which is a core element of the GDPR, providing a central point of enforcement by a lead supervisory authority of the Member State. As many of the large online platforms, search engines and technology companies operating in the EEA (European Economic Area) have their European headquarters in Ireland, the DPC has lead supervisory authority responsibilities in respect of these bodies within of the EEA”.
Whoever the new commissioners are, they will face a desk loaded with a lot of baggage. Not only in terms of the existing caseload, with major cases open against companies like Google (location tracking; adtech) and no shortage of new complaints and issues incoming (including how to regulate generative ai), but because the approach of the CPD towards the GDPR The application of the laws to large technology companies has been the subject of harsh criticism for years.
Since the GDPR came into force in May 2018, privacy experts have regularly accused the regulator of, at best, falling asleep when it comes to applying the framework in a way that properly challenges the power of the platform. and its harmful impact on EU citizens. rights.
Dixon has always responded aggressively to critics, arguing that the DPC is working as quickly as it can, given the caseload, scale and complexity of multiple major investigations. And lately, the regulator has been able to point to a growing series of big decisions announced outside of Ireland, including (earlier this month) a $379 million fine for TikTok for failing to keep children’s data secure; (in May) a $1.3 billion fine to Meta for illegal data exports; and (in January) a $410 million fine for Meta for not having a legal basis to track and profile users for ad targeting.
However, draft DPC decisions on high-profile investigations have regularly faced critical reviews and rejections by peer authorities and the European Data Protection Board, a key governing body of the GDPR, leading, often leading to findings of broader violations and the imposition of higher fines on users. Like Meta, TikTok and X that the DPC had originally proposed. Therefore, their approach has seemed like a low enforcement of the GDPR.
Privacy rights group noyb argues that the January fine cited by the DPC over Meta’s ad processing actually let the company off the hook, arguing that Meta should have faced an exponentially larger fine of more than $4 billion. , for which the regulator is accused of reducing the responsibility of the giants it supervises. . Or, well, worse: in November 2021, noyb even filed a criminal corruption complaint against the DPC accusing it of “procedural blackmail” in relation to a complaint against Facebook/Meta.
Last year, the Irish Civil Liberties Board (ICCL) also lost patience and sued the DPC for inaction on a long-running complaint against Google’s advertising technology, which has yet to result in a decision. While in an appearance by Dixon at a European Parliament hearing earlier this year, the commissioner fended off hostile questions from EU lawmakers on parliament’s civil liberties committee.
The European Commission itself has been forced to step up its oversight of how regulators, including the DPC, are applying the GDPR, following complaints to its ombudsman arising from criticism of the DPC. This summer, the EU executive also presented a proposal to reform the procedural rules around the application of the GDPR with the aim of making the processing of cross-border cases “more efficient and harmonized across the EU.”
Changes to the way the GDPR is applied in cross-border cases involving tech giants are clearly brewing at the high level, but a pair (and then a trio) of new brooms in the DPC could certainly leave a mark. Therefore, these two new DPC commissioner appointments should be closely monitored.
The ICCL has been pushing for the DPC to have more than one commissioner for years. He told TechCrunch that he’s glad this step is finally happening today. However, he has also done it before called for more reforms and Dr. Johnny Ryan, a senior member of the organization, said he will closely watch the appointment process. “We will write to (the TLAC) to soon urge that maximum attention be paid to conflicts of interest and the participation of human rights experts,” he added.
in a Press release In response to the published job advertisements, the ICCL reiterated its call for “further key reforms”.
“While the appointment of additional commissioners is welcome, we remain deeply concerned that the government has not launched an independent review into how to strengthen and reform the DPC. Without that review it will be impossible for the new commissioners to know what they need to fix. “The Minister’s suggestion that the DPC review itself is wholly inadequate,” chief executive Liam Herrick said in a statement.
