The High Court is to be asked to make a referral to the EU’s highest court for a ruling on whether Ireland’s Data Protection Commissioner is truly independent under EU law.

Legal papers will be served on the State and the Attorney General in the coming days claiming the State has acted in breach of EU law by failing to ensure the regulator exercises its role independently.

The action is being taken by the privacy advocacy group Digital Rights Ireland (DRI), which took a successful case to the Court of Justice of the European Union in 2014 overturning the entire regime under which the telephone and internet data of over 500 million European citizens were retained for up to two years.

The papers note that the office of the commissioner, Helen Dixon, is integrated with the Department of Justice and that the commissioner and all her office’s employees are civil servants.

They also allege the commissioner has failed to act independently in policing databases of citizens created in recent years by both Irish Water and the Department of Education.

Repeated criticism

The commissioner’s office is considered one of the most important regulatory roles in Europe because of the high number of multinational, data-rich firms based in Ireland, including Facebook, Apple and LinkedIn.

It has come under repeated criticism from some EU sources for being “soft” on regulation, partly because of the number of jobs such firms support here. That allegation has been denied by the current commissioner and by her immediate predecessor Billy Hawkes.

DRI confirmed on Thursday morning it had instructed its lawyers to serve legal papers on the Irish Government.

“Ireland’s position as the EU’s centre for technology multinational companies makes it critical for the protection of all EU citizens’ rights that the state has a world class data protection regulatory regime,” it said on its website.

It noted a series of cases decided by the CJEU had stressed the critical importance of a truly independent data protection authority.

“Most recently, in the Schrems case on Safe Harbour [the agreement under which the data of EU citizens could be transferred legally to the US], the lack of such an independent watchdog was cited as one of the most significant differences between the EU and US privacy systems.”

The organisation said its case was that Ireland had failed to properly implement EU data protection law, or to follow the requirements of the Charter of Fundamental Rights by failing to ensure the Irish commissioner was genuinely independent from the Government.

Key role

“Ireland’s DPC has a key role in Europe’s data protection landscape. From our 2014 case overturning data retention to the Schrems case, to the Microsoft v USA warrant case Ireland is the critical jurisdiction for the protection for the rights of citizens across the EU,” a spokesman said.

“Ireland’s data protection authority doesn’t meet the criteria set down by the EU case law for true independence. As the Irish Government has refused to acknowledge this to date, we are turning to the courts to uphold the fundamental rights of Irish and EU citizens alike.”

Thursday, January 28th, marks the 10th annual International Data Protection Day.

A spokeswoman for the commissioner said she could not comment on the case as neither the office nor the commissioner were a party to the proceedings.

Speaking to mark the event, Helen Dixon said a key priority for her office this year was the continued expansion of resources, including the further recruitment of legal and technical specialists.

She said the office was already seeing “huge benefits” from the recent additional staffing, particularly in delivering “faster resolutions for complainants”.

Ms Dixon said there was “a clear need for better compliance” with data protection law by the Irish public sector.

“In particular, the legislative process must be improved to ensure greater deliberation and scrutiny of issues that interfere with the fundamental right to data protection.”