Google / WIRED

Ireland is yet to issue a single fine for a GDPR breach against an American tech giant. It’s been two years since the new data regulations were enforced and the wait is making German regulators impatient.

Thanks in part to a more relaxed tax regime, American tech giants such as Facebook and Google base their European headquarters in Ireland. An EU GDPR rule known as the “one-stop shop” mechanism means companies should normally face enforcement where they’re headquartered, rather than have multiple countries bring cases on the same issue.


Those two points mean that the Irish data protection commissioner (DPC) is the lead for Europe when it comes to investigating data breaches and doling out enforcements. But while there have been high-profile investigations, there have not yet been any rulings or financial punishments doled out, though the Irish DPC annual report has promised rulings are imminent.

And that has irked some in Europe, notably German data protection authorities. Earlier this year, Germany's Federal Commissioner for Data Protection, Ulrich Kelber, said Ireland’s inaction was “unbearable”, calling for a new EU-wide data authority to replace the “one-stop shop” idea. The Irish DPC, Helen Dixon, has said in response that such criticism isn’t fair, as the cases are complicated – as is the bureaucracy.


There are many reasons for the slow action, says Jon Baines, data protection advisor at law firm Mishcon de Reya: the cases are complex and require working with authorities across Europe, the tech companies defend themselves vigorously, and the Irish DPC lacks resources. “I’m not sure anyone expected quick investigations,” he says. “That said, it is remarkable that no rulings have yet emerged, and it is not helpful for the thousands of other organisations who look to regulators for a steer on these matters, and nor is it helpful for the millions of data subjects whose rights are engaged.”

Other regulators aren’t willing to wait. France slapped Google with a €50 million fine for behavioural advertising in 2019, while data authorities in the German city of Hamburg last year fined Facebook’s local subsidiary €51,000 for failing to appoint a data protection officer. Ireland has said fines are looming, though it’s been months since that promise was made.


Neither the €50m nor the €51,000 fine is likely to worry Facebook much, and the latter was described in the media as “symbolic”. Hamburg’s data regulator disagrees that it’s symbolic, but did intend the fine as a warning shot. “The fine was not symbolic, but real and substantial,” says a spokesperson for the Hamburg data protection authority, the HmbBfDI. “The ‘warning’ character might only be seen as other companies within our jurisdiction having the same obligations.” The spokesperson added the amount of the fine would have been higher if it had been possible to bring the action to Facebook, rather than its German subsidiary.

For that to happen, the case would need to be handled in Ireland, as has happened with one of the most notable sets of cases: those brought by Max Schrems and his affiliated None of Your Business group against Google and Facebook. While initially brought in different countries, each of those cases has been pushed to Ireland’s DPC. None of those cases has yet seen a decision, though the Facebook investigation was finished last summer and according to Politico is caught up in a review process. The Irish DPC did not respond to a request for comment.

Those reviews and negotiations are one reason why Ireland is yet to dish out GDPR enforcement against tech giants. Such cases are complicated, cut across borders causing delays, and tech companies have the funds and lawyers to try every angle of legal challenge.


Daragh O Brien, managing director at consultancy Castlebridge, argues that the Irish DPC is slow to enforce out of well-placed caution as such cases face being picked apart by judicial review after the fact. If a case is successfully challenged, he adds, “it’s awkward if it’s a domestic case, it’s a significant embarrassment if it’s a multinational investigation.” For instance: Facebook appealed a £500,000 fine imposed against it by the UK's data protection regulator for the Cambridge Analytica scandal. The pair came to an agreement where the fine, issued under pre-GDPR rules, was eventually paid but Facebook didn't admit any guilt or liability.


Culture and politics also impact enforcement. “Germany has generally always had active, and arguably activist, data protection regulators,” says Baines. Despite that, there has only been a handful of large GDPR fines in Germany. “The majority of the fines have been relatively small and for relatively low-level infringements. This tells another tale: some supervisory authorities, notably, Ireland and the UK, do not see their role as involving issuing small fines for small infringements, whilst others do.”

The Hamburg data authority says it uses reprimands and formal orders to nudge companies into behaving correctly, but fines remain necessary. “Law enforcement without fines is toothless,” a spokesperson says, noting GDPR includes the ability to fine because data privacy is so important. “Each company which is violating data protection rights must face heavy financial sanctions by fines. This heavy stick in the background only can create deterring effects against violations of law.”

Another major concern – and point of agreement between the Irish and German DPCs – is a lack of resources. Ireland is being tasked with investigating data protection across Europe, but without the staff and funding to do so; last year, the Irish DPC asked for an extra €5.9m annually, but was only handed an additional €1.9m, bringing its budget to €16.9m. “The DPC currently receives less funding than the Irish Greyhound Board,” O Brien says. “That just does not make sense.”

That's a core issue for every country because of the “one-stop shop” model – though Ireland is hit the hardest because so many tech giants are based there. “The main issue for any supervisory authority is that data protection is such an all-pervading subject that they must police the activities of almost every company in their jurisdiction, and it’s doubtful whether any supervisory authority is adequately resourced for this,” says Baines. “And in some cases – Ireland being a key example – the bodies that they regulate are enormously wealthy, with massive legal budgets available to resist and to challenge.” Thanks to its federal system, adds Baines, Germany has a network of regional data protection authorities, meaning the country as a whole has more resources for such investigations.


While the many reasons behind Ireland’s slow enforcement are valid, that doesn’t reduce tensions or mitigate concerns about the future of EU data protection. “European [supervisory authorities] so far are falling short of a common, uniform approach regarding sanctions,” says the Hamburg data protection authority spokesperson. “While this hopefully might change in the future, the risk of permanently creating distinct regimes of supervision in different EU countries is imminent.” That’s not helped, the spokesperson adds, by time-consuming bureaucracy and inefficient legal structures.

Better cooperation is one answer, with member states pooling resources and tools to work on specific cases, rather than relying on local government support. But for that to work, countries need better mechanisms for cooperation, in particular sharing sensitive data across borders. “We have to worry about deficient structures and redirect our approach. Especially the legal settings for law enforcement in GDPR must be reconsidered and changed,” the Hamburg data protection authority spokesperson says. Without such changes, GDPR is at risk of not being enforced against major international tech firms – rendering it pointless. “The lighthouse project of GDPR is on the verge of collapse.”

Digital Society is a digital magazine exploring how technology is changing society. It’s produced as a publishing partnership with Vontobel, but all content is editorially independent. Visit Vontobel Impact for more stories on how technology is shaping the future of society.
