Two years after the EU launched its landmark GDPR data rights charter, there are signs Ireland is faltering in its outsized role as regulator of many of the most powerful digital giants.
Hailed as a potent weapon to bring tech titans to heel, the General Data Protection Regulation endowed national watchdogs with cross-border powers and the possibility to impose sizeable fines for data misuse.
Ireland hosts the regional headquarters of Facebook, Apple, Google and Twitter, and is therefore largely responsible for policing their European activities.
But its Data Protection Commission has yet to issue a major decision against any of the giants in Dublin’s glimmering “Silicon Docks”.
“It’s a blessing for Ireland economically to be the seat of these big digital companies for Europe, and that brings a lot of revenue,” one EU Commission official with deep knowledge of the area told AFP.
“With this, of course, comes an obligation. With the role as a lead regulator it has a duty to the citizens all over Europe.
“The patience of the other authorities will fade if Ireland doesn’t get its act together. It’s as simple as that.“
Government and business leaders are coy but it is generally understood that multinational tech companies chose Ireland because of its low 12.5 percent corporate tax rate.
In 2018, Facebook Ireland generated 25.5 billion euros ($29 billion) in revenue and paid 63.2 million euros ($73.8 million) in tax, according to the Companies Registration Office.
Meanwhile the government coffers of Ireland — a nation of just five million people — are regularly padded with receipts from multinationals.
Last year, 77 percent of Irish corporation tax receipts came from foreign multinationals and 40 percent were from just 10 companies.
Tax Justice Network chief executive Alex Cobham said his campaign group generally avoids the term “tax haven” because “every jurisdiction has a lot of work to do to improve“.
“With that caveat, yes, Ireland is a tax haven,” he said.
“Ireland is probably the most exposed to a small number of fairly similar US multinationals in pharma and in tech and it really can’t afford to cross them.“
GDPR stipulates that data protection commissions should be separate from outside interference and there is no suggestion of government influence in the Irish process.
But little of the tax bonanza from tech companies is funnelled into Ireland’s Data Protection Commission, which acts as the EU’s regulator for firms like Facebook and their services such as Whatsapp and Instagram.
GDPR requires that countries ensure their data protection commission has the “human, technical and financial resources… necessary for the effective performance of its tasks and exercise of its powers“.
Ireland’s Data Protection Commissioner, Helen Dixon, said the organisation was “disappointed” by the 2020 government allocation of 16.9 million euros ($19.7 million).
Additional funding was “less than one third” of the figure requested which “reflected a year of experience of regulating under the GDPR“, she added.
For Cobham, this suggests “regulatory austerity“, where high regulatory standards are set “but then you refuse to provide the resources to allow any type of effective enforcement“.
“You achieve the effect of not having the regulations while being able to say, ‘but look, we have the regulation’, he added.
Ireland’s 2021 budget raised DPC funding to 19.1 million euros ($22.3 million) — the same amount Facebook Ireland generated in revenue in about six and a half hours in 2018.
A government spokesman insisted the DPC “has received ongoing and positive funding support which has more than met its actual resourcing requirements”.
DPC Deputy Commissioner Graham Doyle added the “considerable” increases in government funding had allowed it to go from 29 staff in 2014 to 150.
But the EU Commission insider said: “It’s a good step forward but more is necessary.”
The first case
The DPC’s first major decision is expected against Twitter in November, making it the first European authority to complete a cross-border case against a tech giant under GDPR.
It is a relatively straightforward test of whether Twitter informed the data protection authority of a breach within 72 hours and properly documented the event.
Nonetheless, the investigation was started in January last year and the DPC made a draft decision in May.
The case has since been tied up in regulatory mechanisms seeking input and consensus from data watchdogs in other EU states.
The drawn-out process is a reminder that the complexities of pan-European regulation still sprawl across the bloc.
But under the stiff GDPR regime Twitter could be fined up to four percent of its annual global turnover — a $140 million wedge of the firm’s reported $3.5 billion 2019 revenue.
If Ireland’s DPC becomes the first watchdog to impose such a stinging penalty accusations its bark is worse than its bite may begin to fade.