Would you like to oversee whether big tech companies are playing by the EU’s privacy rules? The Irish government has published job advertisements for additional commissioners who will be appointed to lead the Data Protection Commission (DPC), which oversees compliance with the region’s data protection framework by dozens of major technology companies – and has the power to impose fines of up to 4% of global annual sales for violations of the data protection regime.
The Irish DPC is playing a key role in the pan-EU implementation of the General Data Protection Regulation (GDPR) due to the number of tech giants choosing to locate a large regional base in the country.
The new commissioners will join current Commissioner Helen Dixon, who will become chair under the new tripartite structure of commissioners. But she is due to leave the regulator next year, when her term ends, so a full leadership restart is on the horizon.
The change in the structure of the DPC was approved by the Irish Government in July 2022, following calls to strengthen the capabilities of a watchdog with a massive and growing number of cases overseeing the compliance of many tech giants with the GDPR.
Companies the DPC oversees for data protection include Apple, Google, Meta, TikTok and X (Twitter). Meanwhile, AI giant OpenAI recently opened an office in Dublin in what appears to be a bid to gain so-called ‘principal organisation’ status in Ireland in the future – which would mean the DPC becoming its main GDPR regulator too. So the new commissioners will be involved in overseeing a wide range of familiar tech giants, and will likely be involved in key legal calls relating to a new generation of AI giants.
Candidates for these roles must have a range of qualifications including “a comprehensive understanding of the relevant legal systems and frameworks with the ability to demonstrate or quickly acquire knowledge and understanding of national law, EU law on data protection, human rights law and law enforcement procedures and administrative law,” according to the job ad, as well as “a deep understanding” (or the ability to quickly acquire one) of ICT and data processing methods and “excellent knowledge and understanding of data protection issues arising from their use.”
The closing date for applications for commissioner positions is October 19. Ireland’s Top Level Appointments Committee (TLAC) will be responsible for scheduling appointments. The same committee reappointed Dixon as commissioner to a second five-year term back in 2019.
It is not clear why it has taken so long for the Irish government to appoint the two new commissioners. “Ireland plays a key role in implementing the GDPR across Europe,” the report now says. “This is due to the ‘one-stop-shop’ mechanism, which is a key element of the GDPR, which provides a central enforcement point by a leading supervisory authority in Member States. As is the case with many internet platforms, search engines and very large technology companies that operate in the European Economic Area with their European headquarters in Ireland, the DPC has supervisory authority responsibilities in relation to these bodies within the European Economic Area.”
Whoever the new commissioners are, they will face an office burdened with a lot of baggage. Not just in terms of the number of existing cases – with major cases open against the likes of Google (location tracking; ad tech) and no shortage of new complaints and issues coming in (not least how generative AI is regulated) – but because the DPC’s approach to applying the GDPR to big tech companies has been the target of harsh criticism for years.
Since the GDPR came into force in May 2018, privacy experts have regularly accused the regulator of – at best – sleeping on the job when it comes to applying the framework in a way that properly interrogates the power of the platform and its harmful influence on EU citizens’ rights.
Dixon has always responded forcefully to critics, arguing that the DPC works as quickly as it can, given the number of cases and the scale and complexity of multiple key investigations. More recently, the regulator has been able to point to a growing raft of big decisions coming out of Ireland, including (earlier this month) a $379 million fine on TikTok for failing to keep children’s data safe; (in May) a $1.3 billion fine on Meta for illegal data export; and (in January) a $410 million fine against Meta for failing to obtain a legal basis for tracking and profiling users to target ads.
However, DPC draft decisions on high-profile investigations have regularly faced critical review and pushback from peer authorities and the European Data Protection Board, a key steering body for the GDPR – resulting, often, in broader findings of breaches and the imposition of higher fines on the likes of Meta, TikTok, and X than originally proposed by the DPC. So its approach has seemed like under-enforcement of the GDPR.
Privacy rights group noyb claims that the DPC’s aforementioned penalty in January over Meta’s ad processing effectively let the company off the hook in a big way — arguing that Meta should have faced a significantly larger fine of more than $4 billion — so the regulator is accused of diminishing liability for the giant companies it supervises. Or, well, worse: in November 2021, noyb filed a criminal corruption complaint against the DPC accusing it of “procedural blackmail” in relation to a complaint against Facebook/Meta.
Last year, the Irish Council for Civil Liberties (ICCL) also lost patience and sued the DPC for not taking any action on a long-standing complaint against advertising firm Google – which has yet to result in a decision. Meanwhile, Dixon’s appearance at a European Parliament hearing earlier this year saw the commissioner fend off hostile questioning from European lawmakers at the parliament’s civil liberties committee.
The European Commission itself has been forced to increase its monitoring of how regulators, including the DPC, enforce the GDPR, following complaints to its ombudsman that arose from criticism of the DPC. This summer, the EU executive also came out with a proposal to reform procedural rules around enforcement of the GDPR, with the aim of making the handling of cross-border issues “more efficient and coordinated across the European Union”.
Changes to how the General Data Protection Regulation (GDPR) applies to cross-border cases involving tech giants are clearly coming at a high level – but a pair (and later a trio) of new brooms at the DPC could certainly make a mark. Therefore, the two new appointments of DPC Commissioners should be closely monitored.
ICCL has been pushing for years for the DPC to have more than one commissioner. It told TechCrunch that it was happy to see the move finally happen today. However, it has also previously called for more reforms, and Dr. Johnny Ryan, a senior fellow at the organization, said it would carefully monitor the appointment process. “We will write to [the TLAC] soon, urging that maximum attention be paid to conflicts of interest and the involvement of human rights experts,” he added.
In a press release responding to the job advertisements, ICCL reiterated its call for “further major reforms”.
“While the appointment of additional commissioners is welcomed, we remain deeply concerned that the Government has not launched an independent review into how to strengthen and reform the DPC. Without this review, it will be impossible for the new commissioners to know what they need to fix,” said CEO Liam Herrick in a statement. “The Minister’s suggestion that the DPC review itself is completely inappropriate.”