Amid reporting on GDPR fines and enforcement activity, the press has been critical of the Irish DPA and its slow start to enforcement since the GDPR was introduced. The Irish Times reports as follows:
Data protection authorities in Europe issued fines worth a combined €410 million to organisations last year for violations but none originated in the Republic, despite it being home to many of the world’s biggest technology companies.
New figures compiled by the Italian data protection body Osservatarorio di Federprivacy – which includes data from official sources in 30 countries – show authorities in the European Economic Area imposed 190 fines in 2019.
Italy was the most active data protection authority, with 30 actions last year, while the UK was the most punitive, with fines totalling €312 million, some 76 per cent of all sanctions issued.
Ireland and Luxembourg were among a small handful of countries yet to impose fines for data privacy violations. Informed sources have said that the Data Protection Commission is in the final stages of its investigation into WhatsApp over possible breaches of EU data privacy rules, with a draft decision expected to be circulated to other authorities to consider within weeks.
This is the first of the commission’s many investigations to approach its end point with delays blamed on complications that arise from pursuing companies that operate cross-border.
(Privacy press clipping sourced via The Irish Times)
Press attention continues to focus on the, as yet, zero fines reputation of Ireland and Luxembourg. Both jurisdictions have not issued a single monetary penalty under the GDPR.
The scrutiny on Ireland is greater given the local regulator, the Data Protection Commission, is lead enforcer on a number of large tech companies including Facebook, WhatsApp and Google. These companies have their corporate presence in Ireland and fall within the Data Protection Commission’s jurisdiction as the “lead supervisory authority”.
That said, the press could be criticised for placing almost all the emphasis on the effectiveness of large, headline-grabbing fines. Other steps, including cautions and educational measures are also part of a privacy regulator’s toolkit.