Irish Data Protection Commission
A BigBrotherAward 2022 goes to the Irish Data Protection Commission, represented by the Commissioner, Helen Dixon, for their comprehensive sabotage of European Data Protection law. And since this supervisory authority for data protection in Ireland has been doing this so methodically, for so many years and with such Kafkaesque creativity, the category “Government and Administration” will not suffice. This is a case for the Lifetime Achievement award.
The Irish Data Protection Commission blocks the enforcement of established law – through years of delay, de-facto refusal to process complaints, bureaucratic tricks, deterrent costs for complainants, and lack of cooperation with European colleagues. The head of the Commission, Helen Dixon, acts erratically and reacts aggressively to criticism. The Commission she leads lets European data protection law go nowhere – while faced with exactly those who are most in need of tough control: Google, Facebook, Apple, Microsoft, and such.
Refusal to Work
This refusal to work does not only affect people living in Ireland. It undermines the personality rights of 450 million EU citizens.
Throwback to May 2018: The EU’s General Data Protection Regulation comes into force. It makes clear: 1. No matter where a company is based, as soon as it wants to process personal data of EU citizens, it must adhere to the data protection rules of the EU. This is the “marketplace principle”. 2. Violations of data protection law will now lead to tough fines. “Tough” means: up to 4% of a company’s global revenue. This made data protection a top management issue. Yay!
But sadly, we have rejoiced to soon: It is not enough to enact a European law, it must also be enforced in every European state. And there lies a problem. It is called: Ireland.
Every company must be assigned to a lead data protection authority, which is the authority in the EU member state where the company has its EU headquarter. This lead data protection authority becomes the first stop for all complaints against that company. If citizens or organisations decide to complain about a company’s data processing, they submit the complaint at their own country’s data protection authority, which will then forward it to the responsible authority for the company’s EU headquarter. This rule – that data protection supervision for one company lies in the hands of just one EU country – is called “One-Stop Shop”.
This seems practical – competency will be bundled and the authority will know how to handle their local rogues, saving the time that would be needed to get acquainted with these people for each new complaint.
But there is a catch: The large digital corporations with their intangible assets are rather flexible in the choice of their headquarters. Which is why they will seek out their favoured data protection authority and open their ostensible headquarter in that country.
A conspicuous agglomeration has ensued – in Ireland: the EU home of Google, Apple, Facebook and WhatsApp, Microsoft and LinkedIn, Adobe, Tiktok, Airbnb, Tinder, Twitter, Dropbox, Yahoo and so on.
So, what could possibly have clinched it for all these digital corporations? Is it the green grass, the vast meadows, the dark beer … Or perhaps the peculiarities of the Irish supervisory authority for data protection?
Let’s take a closer look:
How much Ireland prioritises data protection becomes impressively clear by looking at the main building of the Irish Data Protection Commission: an office on the first floor above a convenience store in the small city of Portarlington – more than 70 km (45 miles) south-west of Dublin, way out there. This photo of the Data Protection Commissions’s office with its convenience store has amused the European press for many years. Okay, the Centra store has now made way for a Spar branch and at least a new layer of paint has been applied.
In 2017, a new sub office was opened, very presentable in the middle of the capital. But that was not done in response to an increased relevance of data protection in the EU, but – to quote a Commission spokesperson – it “would be useful in facilitating interaction with [large multi-national] organisations in Dublin”(!).1
A creative authority
The Irish Data Protection Commission goes to every imaginable length not to betray the trust that Big Tech places in it. And to that end, they have become rather creative:
Prime strategy: Just leave complaints against Big Data corporations unattended.
It’s that simple – do not process them.
Some numbers to illustrate: Since the GDPR came into force in 2018, Germany’s Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, has forwarded around 50 cases to the DPC as the responsible authority – most of these were cases against WhatsApp. Of these 50 cases, not a single one has been concluded with a decision on the substance of the case.
The law stipulates that complaints are to be handled “without delay”. The Irish Data Protection Commission is currently arguing at the High Court of Ireland that four years of processing time could still be regarded as “without delay” …
The data protection authority explains this backlog by pointing to a lack of staff and resources. But the equivalent authorities in larger states such as Spain or France have a similarly small budget, but they are getting several decisions published per day – the Irish can only manage a few in a year. It is therefore not a question of money but of efficiency. Staff numbers have already been raised from 30 (in 2014) to 195 (in 2021) – sadly without improving results. Other countries’ authorities have offered to help out years ago. But Helen Dixon has rejected all these offers.
Second tactic: Spread statistical bullshit.
The Commission seems to expend lots of energy on public relations and beautifully formatted annual activity reports, to make their inaction look good. In its annual report for 20212, one can find the claim that out of 969 complaints passed from other countries, 626 had been “concluded”3. But hang on: what does “concluded” actually mean? It does not seem to mean that the cases were processed and a decision had been made.
Another instance of embellished numbers: The Irish Data Protection Commission used to have around 10,000 “cases” on the table. But the annual report for 2021 suddenly talks about only 3,400 “complaints”, and 7,500 “inquiries”. Here is the trick: Anything that is not explicitly labelled “complaint” is filed as an “inquiry”. Inquiries end up in the trash. That is an obvious way of “handling” and “concluding” the matter: The Americans call it the circular file. Processing by renaming and trashing.
Third tactic: Excluding complainants from the procedure.
There are a whole number of tricks for this, including:
a) The blackmailing tactic:
The authority asks the complainant to sign a non-disclosure agreement (NDA). This means that they must stay silent about the negotiations, its results, and any information brought forward in the process. This is what happened to Johnny Ryan of the Irish Council for Civil Liberties in his case against Google’s Real Time Bidding auctions for advertising space. It also happened to Max Schrems of noyb (“none of your business”) in his case against Facebook. This is the Data Protection Commission’s way of making sure that everything is kept nicely under wraps, with nothing becoming known. That is simply not the kind of statement that a complaining consumer and civil rights NGO could sign! After refusing to sign “his” NDA, Max Schrems was excluded from his own case. This goes against all basic rights in the EU.
b) The circumvention method:
The Irish authority will start a parallel “own volition” procedure on the same issue as the one raised in the initial complaint. From then on, only the parallel procedure will progress – and while this goes on, the original complaint is paused. After the “own volition” procedure has concluded, the original procedure is ended, too, because the issue has now been settled! Kudos – a really elegant way of excluding citizens from their own cases.
c) The “sue me if you can afford it” method:
To start inaction proceedings against the Irish Data Protection Commission at the courts is such an expensive endeavour that for most private citizens it is out of the question. A contributory factor is the Irish procedural rule that every law you cite in a court case cannot simply be named as “paragraph XY”, it has to be fully read out in court. That doesn’t just take a lot of time, it also makes the case very, very expensive for the plaintiff, given that barristers charge up to 1,000 € per hour. One example: In the case on the “Privacy Shield” (“Schrems II”), the transfer of data by Facebook to the United States was an issue. There were three parties in this case: Facebook, the Irish DPC and Max Schrems. The losing party has to pay the legal costs of all sides involved – and in this case these amounted to about 10 million Euro (!). How fortunate that it was Max Schrems who won, and the Irish Data Protection Commission that lost.
So much about the Irish authority’s creativity – on to the behavioural grades:
Lacking in collegiality, no European spirit, secretive attitude:
Commissioner Helen Dixon, the head of the authority, presents a similar kind of behaviour. She attends almost none of the joint sessions of EU Data Protection Commissioners. She normally sends a deputy, who is then unable and unauthorised to say anything. So communications at the Commissioner level are dead in the water. This is reflected at the clerical level, too: E‑mail inquiries from German or Austrian colleagues are often not answered, phone calls are not taken. Members of other data protection authorities tend to be “ghosted” – completely ignored – by their Irish counterparts, files are not shared with EU colleagues. The Irish Data Protection Commission acts like a “black hole” where everything disappears.
This refusal of work does not only have detrimental effects for Irish citizens, but for 450 million people across the EU, whose rights are trampled on by the large digital corporations. The behaviour of the Irish Data Protection Commission creates a situation where small and medium enterprises all over Europe are sanctioned by their national data protection authorities, while the large corporations are mocking us: “Go ahead, complain – we are in Ireland.”
We couldn’t help but wonder: Why are they doing this?
Through all these manoeuvres and dirty tricks, the Irish Data Protection Commission is making Ireland a privacy oasis, an escape hole for criminals, a reservation for data leeches. And it is a very fitting puzzle piece for another part of the Green Island’s ecosystem:
The tax haven
Does the word tax haven make you think of the Cayman Islands or the Bahamas? You should better direct your gaze at Ireland. Officially, corporation tax in Ireland is 12.5%. But Ireland has given some foreign companies the opportunity to reduce their effective tax bill to 0 to 2.5%. There are creative names for these tax dodges, such as “Double Irish”, “Double Irish with a Dutch sandwich” oder “Single Malt”. Irelands tax saving schemes extract more money from the tax authorities – and thus from the general public – than those in the whole Caribbean.4
Lawlessness as a business model?
These are lucrative deals for Ireland. The country profits from allowing Big Tech corporations to engage in surveillance capitalism without regard to civil rights. These are the business models that collect personal data, compile profiles, identify categories, manipulate people and sell predictions of their behaviour, taking away much of their future agency. Ireland is living off the bread crumbs of Big Tech. And it is living well this way, as even 2.5% of Apple’s global sales is a whole lot of money.
We are all paying with our liberties.
There is a flipside to these business practices: Ireland is extremely dependant on the Tech corporations. Some numbers:
80% of Irish corporation tax in 2016–17 was paid by foreign companies.
Of Irelands top 50 companies, 25 are US-controlled.
In 2018, Apple alone made up a fifth of the Irish gross domestic product.5
A member of the Dáil (the lower house of the Irish parliament) who highlighted the shameful activities of corporations using the “Single Malt” tax avoidance scheme was told be the Irish Finance Minister “to put on the green jersey” – in other words: to shut their mouth for the benefit of Ireland.6 So it is not the tax dodging that the Finance Minister has concerns about, but Ireland’s reputation.
In 2023, the global minimum corporation tax rate of 15% will be introduced, as well as a digital tax. Will the digital corporations start to leave Ireland once the tax advantages are gone? Or will they still be happy as the enforcement of data protection rules continues to be blocked?
That is what the Taoiseach (Irish prime minister), Micheál Martin seems to be hoping for. In February 2022 he expressly praised Helen Dixon’s “competence and abilities” and called for Ireland to be “more robust” in defending her record in enforcing EU privacy laws.7
How long are we going to continue tolerating this?
Sadly, the “green jersey” seems to be popular with those who should really safeguard adherence to European laws. It would be the task of the European Commission – more precisely, the Directorate-General for Justice and Consumers – to control the Irish Data Protection Commission and its enforcement of European data protection law. But it hasn’t been doing that for years. Team Ireland. Seriously?
But beware: Things are beginning to stir in Europe. Because at some point even the most diplomatic, friendly and patient data protectors and politicians will have had enough.
In January 2021, the LIBE committee of the European Parliament (the committee for civil liberties, justice and home affairs) resolved to start an infringement procedure against Ireland, because Ireland is failing to implement the General Data Protection Regulation effectively.8
Cue Helen Dixon: She demands to be heard in the LIBE committee. The committee does indeed schedule a hearing for 17 March 2021. Now Dixon even wants to control proceedings in the European Parliament – saying that she will not appear if critics such as Max Schrems will be invited as well. But she is rebuffed by European parliamentarians, the LIBE committee will not be dictated to with regard to its hearings. So Helen Dixon boycots the hearing that she called for herself. Great show.
It is no surprise that even in Ireland some people have had enough. Such as the Committee on Justice of the Irish parliament, which called for a fundamental reform of data protection supervision in Ireland in July 2021. Although even this realisation would not have occurred without the initiative and engagement of civil rights organisations who try to enforce our rights against digital corporations. Our thanks go to tenacious people such as Max Schrems of noyb and Johnny Ryan of the Irish Council for Civil Liberties (ICCL).
In March 2022, the High Court of Ireland accepted a complaint by the ICCL against the Irish Data Protection Commission on its inaction. Dixon’s authority had not processed the ICCL’s complaint on Google’s online advertising auctions – the so-called Real Time Bidding – for four years. So much for “processing without delay”. On the topic of Google’s Real Time Bidding, I refer to my BigBrotherAwards laudation to Google from 2021. :)
The ICCL has also called on the European Commission to start an infringement procedure. In February 2022, EU ombudsperson Emily O’Reilly passed on the complaint to the President of the European Commission, Ursula von der Leyen, asking for a response by 15 May 2022. We are waiting for the outcome.
What can be done?
1. The One-Stop Shop system is clearly dysfunctional. It should be fundamentally reformed.9 If a single country can block enforcement of the General Data Protection Regulation in order to serve its self-interest, there is a structural fault.
2. Sidestepping: Stop passing data protection complaints to Ireland, declare yourself responsible and decide. Some EU Member States such as France are already doing this on occasion. The persons affected could also go to the courts, and not to data protection authorities, although this might be very costly.
3. Introduce a single procedural law for cross-border data protection cases, where deadlines for processing and other concerns are put down as binding rules.
4. Alternatively, choose a competent European institution that will decide major cross-border cases. This could be the European Data Protection Board (EDPB)10, with which data protection proponents from member states have had a trusted relationship for a long time.
It seems like a lot of work – but politics is the “steady, slow drilling of tough wood”11.
Whatever action we take, one thing should be clear: Where decisions are made, we need people who are motivated to investigate, with the tenacity to fight a case through and the determination to enforce data protection and citizen’s personality rights.
Bureaucracy is not the problem, it is the people who hide behind it.
Dear Helen Dixon,
this is not an inquiry, not a complaint, no intermediate notice – this is a BigBrotherAward.
The BigBrotherAwards are independent. We do not receive state money, we do not accept sponsoring from Google, Facebook et al. – the BigBrotherAwards rely on private donations from thousands of people who support our work. This BigBrotherAward shows exactly how important this independence is.
Congratulations, Ms. Dixon and the Irish Data Protection Commission – the BigBrotherAward 2022 for Lifetime achievement is yours.
1 The Journal, 3.5.2014: The Data Protection Commissioner is getting a new office, but keeping the one beside a convenience store in Laois (Web-Archive-Link)
2 DPC, Annual report for 2021 (PDF)
3 Quoted by the Irish Council for Civil Liberties in in a letter to the Data Protection Commission (PDF)
4 Quote from Wikipedia: Ireland’s base erosion and profit shifting (BEPS) tools give some foreign corporates Effective tax rates of 0% to 2.5% on global profits re-routed to Ireland via their tax treaty network. (…) Ireland’s BEPS tools are the world’s largest BEPS flows, exceed the entire Caribbean system. (Web-Archive-Link)
5 Wikipedia: Corporation tax in the Republic of Ireland (Web-Archive-Link)
6 Quote from the debate: It was interesting that when Matt Carthy put that to the Minister’s predecessor, his response was that this was very unpatriotic and he should wear the green jersey. That was the former Minister’s response to the fact there is a major loophole, whether intentional or unintentional, in our tax code that has allowed large companies to continue to use the double Irish. The Minister’s predecessor has acknowledged the reputational damage this has done to Ireland. He was not really concerned about losing tax revenue and all the rest, but about the reputational damage. Let there be no doubt that, as we close one loophole and create another door, or do not close the door, this reputational damage is going to continue. Source: Dáil Éireann debate – Thursday, 23 Nov 2017, Vol. 962 No. 2. (Web-Archive-Link)
7 The Irish Times, 22.2.2022: Taoiseach defends Irish data protection commissioner in Germany – Martin doesn’t ‘readily agree’ with many criticisms of Helen Dixon’s record (Web-Archive-Link)
8 LIBE Committee, 13.1.2021: Draft Motion for a resolution – B9-0000/2021 | European Parliament Resolution on the ruling of the ECJ of 16 July 2020 – Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (“Schrems II”) – Case C-311/18 (2020/2789(RSP))
9 Im gerade fertiggestellten Digital Services Act (DSA) hat man die Lehren aus der DSGVO gezogen und die Aufsicht anders geregelt.
10 This is the organisation that used to be called the “Article 29 Data Protection Working Party”.
11 Quote by Max Weber (translated): “Politics means a steady, slow drilling of tough wood, with passion and perspective.” (“Die Politik bedeutet ein starkes langsames Bohren von harten Brettern mit Leidenschaft und Augenmaß zugleich.”) (Web-Archive-Link)