The 5-Year Itch? - ICCL report details that GDPR enforcement against “Big Tech” has reached crisis point | Fieldfisher
Skip to main content

The 5-Year Itch? - ICCL report details that GDPR enforcement against “Big Tech” has reached crisis point



As the fifth anniversary of the General Data Protection Regulation (“GDPR”) approaches, the Irish Council for Civil Liberties (“ICCL”), Ireland’s most prominent civil rights organisation, released a report on 15 May 2023 detailing its concerns in relation to the enforcement against “Big Tech” firms. 
The report, titled ‘5 years: GDPR’s crisis point’ (the “Report”), takes somewhat of a critical view of data protection in Ireland and the EU, particularly in relation to enforcement against big tech companies.

According to the Report, the GDPR is “largely paralysed” when it comes to enforcement against big tech companies. The key insights highlighted by the Report are as follows:
  • Compliance orders are “the most powerful GDPR enforcement tool”. However, the European Data Protection Board (the “EDPB”) register of EU-level decisions shows that only 49 compliance orders have been made since the GDPR came into effect.
  • 64% of enforcement taken by late-2022 were “merely reprimands”.
  • The world’s top three technology firms are based in Ireland (Apple, Microsoft and Google).
  • 87% of cross-border complaints to Ireland involve the same eight big tech companies: Meta, Google, Airbnb, Yahoo!, Twitter, Microsoft, Apple and Tinder.
  • The Data Protection Commission (the “DPC”) in Ireland used its discretion to choose an “amicable resolution” to conclude 83% of cross-border complaints it received.
  • 75% of the DPC’s GDPR decisions in EU cases were overruled by other EU data bodies. The report highlights that “Only one other country, in one single case, has ever been overruled in this manner.” (France)
  • The combined budget of the European Economic Area’s data protection authorities in 2022 was a staggering €326,730,549.
  • The Report describes Ireland’s GDPR enforcement as a “bottleneck”. However, funding does not appear to be an issue in this regard as the DPC’s budget ranks top five amongst EU countries.
The forward of the Report, authored by Dr Johnny Ryan, likens the GDPR to a shield with “enforcement powers to protect people from the misuse of data that enables much of the digital world’s problems”, however he concludes that this shield “has yet to be taken up.”

The Report comes following the high-profile enforcement action taken against Meta in Ireland, with two decisions of the DPC being published on 31 December 2022 in which Meta was fined €210 million for breaches of the GDPR relating to Facebook services and €180 million for breaches in relation to Instagram services. Despite this, the Report urges the European Commission to take “serious action” to tackle the enforcement crisis in Europe.

The ICCL’s report is available here.

Written by: Steven Whelan and Rosie Callan