Fancy overseeing whether Big Tech is playing by European Union privacy rules? The Irish government has posted job ads for two additional commissioners to lead the Data Protection Commission (DPC), which oversees scores of major tech firms’ compliance with the region’s data protection framework — and has the power to levy fines of up to 4% of global annual turnover for infringements of the regime.
The Irish DPC has a kingpin role in enforcement of the the pan-EU General Data Protection Regulation (GDPR) on account of how many tech giants opt to locate a substantial regional base in the country.
The incoming commissioners will join current commissioner Helen Dixon who will become chair under the new trio-of-commissioners structure. But she is set to depart the regulator next year, when her term expires, so a full leadership reboot is looming.
The DPC’s change of structure was approved by the Irish government in July 2022, following calls to beef up the capabilities of a watchdog with a massive and still growing case load overseeing multiple tech giants’ GDPR compliance.
Companies that the DPC is the go-to for data protection oversight include Apple, Google, Meta, TikTok and X (Twitter). While, just recently, AI giant OpenAI opened a Dublin office in what looks likely to be a bid to gain so-called “main establishment” status in Ireland in the future — which would mean the DPC becoming its lead regulator for the GDPR too. So the new commissioners will be involved in oversight of a raft of familiar tech giants and, potentially, weighing in on major legal calls related to a new generation of AI-fuelled giants.
Candidates for the roles must have a range of qualifications including “a comprehensive understanding of relevant legal systems and frameworks with an ability to demonstrate, or quickly acquire, knowledge and understanding of national and EU Law on data protection, human rights law, law enforcement procedures, and administrative law”, per the job ad, as well as a “deep understanding” (or the ability to quickly acquire one) of ICT and data processing methods and an “excellent knowledge and understanding of the data protection issues arising from their use”.
The closing data for applications for the two commissioner roles is October 19. The Irish Top Level Appointments Committee (TLAC) will be responsible for making the appointments. The same committee reappointed Dixon as commissioner for a second five year term back in 2019.
It’s not clear why it’s taken so long for the two new commissioner roles to be posted by the Irish government. “Ireland has a key role in enforcement of GDPR across Europe,” it writes now. “This is due to the ‘one stop shop’ mechanism, which is a core element of the GDPR, providing for a central point of enforcement by a lead Member State supervisory authority. As many of the very large online platforms, search engines and technology enterprises that operate in the EEA [European Economic Area] have their European headquarters in Ireland, the DPC has lead supervisory authority responsibilities in respect of these bodies within the EEA.”
Whoever the new commissioners are they will face a desk saddled with a lot of baggage. Not just in terms of existing case load — with major open cases against the likes of Google (location tracking; adtech) and no shortage of fresh complaints and incoming issues (not least how to regulate generative AI) — but because the DPC’s approach to GDPR enforcement on Big Tech has been the target of trenchant criticism for years.
Since the GDPR entered into application back in May 2018, privacy experts have regularly accused the regulator of — at best — sleeping on the job when it comes to applying the framework in a way that properly interrogates platform power and its deleterious impact on EU citizens’ rights.
Dixon has always aggressively hit back at critics, arguing the DPC is working as fast as it can, given the case load and scale and complexity of multiple major investigations. And, latterly, the regulator has been able to point to a growing pipeline of big decisions announced out of Ireland, including (earlier this month) a $379 million fine for TikTok for failing to keep kids’ data safe; (in May) a $1.3 billion fine for Meta for unlawful data exports; and (in January) a $410 million fine for Meta for failing to have a legal basis for tracking and profiling users for ad targeting.
However the DPC’s draft decisions on high profile probes have regularly faced critical review and push-back from peer authorities and the European Data Protection Board, a key GDPR steering body — leading, frequently, to more expansive breach findings and higher fines being levied on the likes of Meta, TikTok and X than the DPC had originally proposed. So its approach has looked like it’s low-balling GDPR enforcement.
Privacy rights group noyb contends the DPC’s aforementioned January penalty on Meta’s ads processing actually let the company massively off the hook — arguing Meta should have faced an exponentially larger fine of over $4 billion — so the regulator stands accused of shrinking liability for the giants it oversees. Or, well, worse: Back in November 2021, noyb even filed a criminal corruption complaint against the DPC accusing it of “procedural blackmail” in relation to a complaint against Facebook/Meta.
Last year the Irish Civil Liberties Board (ICCL) also lost patience and sued the DPC for inaction on a long-standing complaint against Google’s adtech — which still hasn’t yielded a decision. While an appearance by Dixon at a European Parliament hearing earlier this year saw the commissioner fending off hostile questioning from EU lawmakers on the parliament’s civil liberties committee.
The European Commission itself has been forced to dial up its monitoring of how regulators including the DPC are enforcing the GDPR, following complaints lodged with its ombudsman which stemmed from criticism of the DPC. This summer the EU’s executive also came out with a proposal for reforming procedural rules around GDPR enforcement with the aim of making the handling of cross-border cases “more efficient and harmonised across the EU”.
Changes to how the GDPR is enforced on cross border cases involving tech giants are clearly coming down the pipe at the high level — but a pair (and later a trio) of new brooms at the DPC could certainly make a mark. So these new DPC commissioner appointments should be closely watched.
The ICCL has been pushing for years for the DPC to have more than one commissioner. It told TechCrunch it’s pleased to see this step finally happening today. However it has also previously called for further reforms and Dr Johnny Ryan, senior fellow at the organization, said it will be watching the appointment process carefully. “We will write to [the TLAC] shortly to urge that utmost attention is paid to conflicts of interest, and involvement of human rights experts,” he added.
In a press release responding to the job ads being posted, the ICCL reiterated its call for “other key reforms”.
“While the appointment of additional Commissioners is welcome, we remain deeply concerned that government has not launched an independent review of how to strengthen and reform the DPC. Without such a review it will be impossible for the new commissioners to know what they need to fix. The Minister’s suggestion that the DPC review itself is totally inadequate,” said executive director, Liam Herrick, in a statement.