All Bark No Byte? Unease Over Irish Performance as EU’s Lead Data Watchdog

Two years after the EU launched its landmark GDPR data rights charter, there are signs Ireland is faltering in its outsized role as regulator of many of the most powerful digital giants.

Hailed as a potent weapon to bring tech titans to heel, the General Data Protection Regulation endowed national watchdogs with cross-border powers and the possibility to impose sizeable fines for data misuse.

Ireland hosts the regional headquarters of Facebook, Apple, Google and Twitter, and is therefore largely responsible for policing their European activities.

But its Data Protection Commission has yet to issue a major decision against any of the giants in Dublin’s glimmering “Silicon Docks”.

“It’s a blessing for Ireland economically to be the seat of these big digital companies for Europe, and that brings a lot of revenue,” one EU Commission official with deep knowledge of the area told AFP.

“With this, of course, comes an obligation. With the role as a lead regulator it has a duty to the citizens all over Europe.

“The patience of the other authorities will fade if Ireland doesn’t get its act together. It’s as simple as that.”

– ‘Tax haven’ –

Government and business leaders are coy but it is generally understood that multinational tech companies chose Ireland because of its low 12.5 percent corporate tax rate.

In 2018, Facebook Ireland generated 25.5 billion euros ($29 billion) in revenue and paid 63.2 million euros ($73.8 million) in tax, according to the Companies Registration Office.

Meanwhile the government coffers of Ireland — a nation of just five million people — are regularly padded with receipts from multinationals.

Last year, 77 percent of Irish corporation tax receipts came from foreign multinationals and 40 percent were from just 10 companies.

Tax Justice Network chief executive Alex Cobham said his campaign group generally avoids the term “tax haven” because “every jurisdiction has a lot of work to do to improve”.

“With that caveat, yes, Ireland is a tax haven,” he said.

“Ireland is probably the most exposed to a small number of fairly similar US multinationals in pharma and in tech and it really can’t afford to cross them.”

– ‘Regulatory austerity’ –

GDPR stipulates that data protection commissions should be separate from outside interference and there is no suggestion of government influence in the Irish process.

But little of the tax bonanza from tech companies is funnelled into Ireland’s Data Protection Commission, which acts as the EU’s regulator for firms like Facebook and their services such as WhatsApp and Instagram.

GDPR requires that countries ensure their data protection commission has the “human, technical and financial resources… necessary for the effective performance of its tasks and exercise of its powers”.

Ireland’s Data Protection Commissioner, Helen Dixon, said the organisation was “disappointed” by the 2020 government allocation of 16.9 million euros ($19.7 million).

Additional funding was “less than one third” of the figure requested which “reflected a year of experience of regulating under the GDPR”, she added.

For Cobham, this suggests “regulatory austerity”, where high regulatory standards are set “but then you refuse to provide the resources to allow any type of effective enforcement”.

“You achieve the effect of not having the regulations while being able to say, ‘but look, we have the regulation’,” he added.

Ireland’s 2021 budget raised DPC funding to 19.1 million euros ($22.3 million) — the same amount Facebook Ireland generated in revenue in about six and a half hours in 2018.

A government spokesman insisted the DPC “has received ongoing and positive funding support which has more than met its actual resourcing requirements”.

DPC Deputy Commissioner Graham Doyle added the “considerable” increases in government funding had allowed it to go from 29 staff in 2014 to 150.

But the EU Commission insider said: “It’s a good step forward but more is necessary.”

– The first case –

The DPC’s first major decision is expected against Twitter in November, making it the first European authority to complete a cross-border case against a tech giant under GDPR.

It is a relatively straightforward test of whether Twitter informed the data protection authority of a breach within 72 hours and properly documented the event.

Nonetheless, the investigation was started in January last year and the DPC made a draft decision in May.

The case has since been tied up in regulatory mechanisms seeking input and consensus from data watchdogs in other EU states.

The drawn-out process is a reminder that the complexities of pan-European regulation still sprawl across the bloc.

But under the stiff GDPR regime Twitter could be fined up to four percent of its annual global turnover — a $140 million wedge of the firm’s reported $3.5 billion 2019 revenue.

If Ireland’s DPC becomes the first watchdog to impose such a stinging penalty, accusations that its bark is worse than its bite may begin to fade.
