The departure of Helen Dixon in February 2024 from her role Ireland's Data Protection Commissioner marks the end of an era in data and privacy regulation across the European Union.
During Ms Dixon's 10-year tenure she has overseen the Irish rollout of the GDPR as well as levying some of the largest fines against the worlds biggest internet platforms. Indeed, some 27 fines issued by Ms Dixon totalled nearly €3bn with the vast majority of these fines being issued against tech multinationals. Recovery is, however, another question. She recently commented that just €20m of the €3bn in fines has been collected to date due to ongoing court appeals.
The One-Stop-Shop mechanism via the European Data Protection Board has meant that, with Ireland being the main establishment in the EU of a number of major tech companies, the DPC has and will continue to be the Lead Supervisory Authority on any number of important data and privacy investigations.
Perhaps unsurprisingly, funding for the office of the Data Protection Commission (the "DPC") has increased significantly under Ms Dixon's watch up more than six-fold since 2015, transforming the organisation from a small regional office with 27 staff to a Dublin-headquartered regulator with more than 220 staff. The growth of the office of the DPC reflects the important role of the Irish regulator to protect European data and privacy issues.
However, the office of the DPC has not been without criticism in recent years including for the perceived slow pace of its investigations. It is also noteworthy that many of the DPC's decisions have been subject to disapproval by other supervisory authorities, resulting in referrals to the EDPB for final rulings under the One-Stop-Shop mechanism. The inquiry into how Meta Ireland transferred personal data from the EU/EEA to the US in connection with Facebook is just one such example. Powers allowing the DPC to declare its procedures confidential have also been criticised by consumer activist groups [1] , which have accompanied longstanding allegations that the DPC has been too lenient on major technology companies.
The next chapter for the Irish DPC
As part of the evolution of the DPC, the Irish Government has approved the appointment of three commissioners to support the development and business needs of the office of the DPC. Following Ms Dixon's departure, Dr. Des Hogan and Mr Dale Sunderland have commenced their roles as Commissioners for five-year terms, with Dr Hogan acting as Chair of the Commission. Dr Hogan has worked as the assistant Chief State Solicitor and in the Irish Human Rights Commission. Mr Sutherland has worked in the IDPC since 2016, as a deputary commissioner. A third commissioner is also expected to be appointed later this year.
The Irish Minister for Justice, Helen McEntee, speaking about these appointments, commented on the DPC's ever growing regulatory presence: “ 85 per cent of the fines issued across Europe last year, including the EU, EEA, and UK, were issued by the DPC on foot of detailed and comprehensive investigations. This underlines both the DPC’s significant role, and positive record of effective and robust data regulation. " [2]
In fact this large proportion of fines may become larger still, based on the following recent comments by Mr. Sunderland: “ Where we do have repeat offenders who are really breaking the rules or pushing the boundaries, we won't be shy about taking action against the m… We are looking more intently at all of our complaint handling, and particularly in the domestic context at repeat offenders, companies who don't comply with enforcement notices. We are looking to go down the prosecution route. ” [3]
The incoming Commissioners will face a regulatory landscape in a state of flux. Interestingly, with the newly formed Regulator "Coimisiún na Meán" designated as Ireland's media regulator, the DPC will not be the lead competent authority for the Digital Services Act. It remains to be seen whether the DPC's role will be expanded further given that member states are required to have an AI supervisory authority and regulator under the new EU AI Act. However, one way or another, the emergence of artificial intelligence will no doubt continue to provide the DPC with various GDPR-related queries and complaints. We have already seen evidence of this in June 2023, when the DPC raised privacy concerns with a major technology company about the launch of its chatbot within the European Union - ultimately prompting changes to bring the chatbot in line with GDPR. And this certainly seems to be a focus of the new office of the DPC with Mr Sunderland recently commenting that the DPC will focus on regulating big tech AI. “ One of the big issues we were dealing with last year, and we're continuing to do this year, is in the Al space … We’re particularly looking at large language models, with companies such as Google, Open Al, Microsoft and others .”
Based on these comments, it's certainly fair to say that we do not expect the DPC's office to slow down in the coming years.
[1] https://noyb.eu/en/ireland-corrupt-gdpr-procedures-now-confidential
[2] https://www.gov.ie/en/press-release/bfa2b-minister-mcentee-announces-appointment-of-new-data-protection-commissioners-and-pays-tribute-to-outgoing-commissioner-helen-dixon/
[3] https://www.independent.ie/business/technology/newly-appointed-data-protection-commissioner-says-big-tech-ai-will-regulated/a1789555403.html