One of Ireland’s most prominent civil advocacy groups has launched a stinging attack on the Office of the Data Protection Commission in a letter to the Minister for Justice, questioning the Commission’s ability to successfully advance “urgent investigations”.
The Irish Council for Civil Liberties’ executive director Liam Herrick has written to Minister Helen McEntee to express its unhappiness at the “unacceptable” delay in actioning a complaint first delivered to the DPC by its now employee, Dr Johnny Ryan, two years ago today.
That complaint revolved around Google’s online marketing process of Real Time Bidding (RTB), which sees users advertised to based on profiles created using their internet activity and personal data.
The DPC launched an own-volition inquiry into that system in May 2019.
Last Monday Dr Ryan submitted a dossier of files to the DPC stating that Real Time Bidding has grown exponentially in that two-year period, leading to the detailed profiling of Irish citizens, including those possibly suffering from HIV/AIDS or substance abuse issues.
Asked for comment on the matter, deputy commissioner with the DPC Graham Doyle said that “the investigation has progressed and a full update on the next steps has been provided to the concerned party”.
“The DPC must operate under the legal framework that constrains it and issues of risk that the DPC has identified are being appropriately addressed in accordance with that framework,” Mr Doyle added.
In his letter, which has been seen by the, Mr Herrick describes the ICCL as being “deeply concerned” at the perceived failure of both the State and the DPC “to take effective measures to enforce the GDPR… in the two years since it was formally notified of this privacy crisis”.
“RTB is the most massive data breach ever recorded,” Mr Herrick said. “The DPC’s failure to act is of critical importance because it is the lead supervisory authority for Google in the European Economic Area,” he said.
Mr Herrick, in his letter, states the ICCL’s belief “that it is incumbent on the Government and your Department to establish whether the DPC is capable of advancing urgent investigations of this nature”.
While he acknowledges that the DPC operates independently of Government, he states that it is the Government’s duty, under GDPR, to provide its regulator with “the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks”.
“We suggest that your Department should examine whether the actual effective regulatory output of the DPC indicates that it has adequate resources, including technical and procedural competence, to discharge the tasks required of it,” he says.
The DPC had 70 GDPR investigations in progress at the end of 2019. However, just two fines under GDPR have been applied by the Commission to date, both to child and family agency Tusla in May of this year, although a number of investigations are close to a final decision, according to the DPC.
Under GDPR, regulators have the power to apply enormous fines for non-compliance: up to €20 million or 4% of a firm’s annual global turnover, whichever is higher. For Irish State bodies, however, the maximum fine is capped at €1 million.