Big Instagram fine shows Europe’s top digital privacy enforcer is finally getting tough

Press play to listen to this article

Whisper it: Enforcement of the EU’s flagship privacy rulebook against Silicon Valley giants might finally be taking off.

Taking effect in 2018 and promising hefty fines of up to 4 percent of annual turnover for the likes of Google and Facebook, the General Data Protection Regulation has largely disappointed privacy hawks — until now.

The revelation by POLITICO on Monday that the Irish Data Protection Commission has whacked Instagram with a €405 million fine for mishandling kids’ personal data marks a coming of age for arguably Europe’s most important digital privacy regulator.

Because the GDPR is enforced at the national level, the Irish DPC is responsible for overseeing the vast majority of big-name U.S. and Chinese tech firms. Such companies have flocked to Ireland, lured by the promise of low taxes and able workforces.

But it’s faced stinging criticism from privacy campaigners and even fellow European watchdogs for failing to rein in Big Tech’s worst lapses in the way they handle everything from our intimate family pictures to email addresses and phone numbers.

Now, the DPC’s critics might have to change their tune.

With over half a billion euros’ worth of fines under its belt and scores of investigations into Facebook, WhatsApp, Instagram, TikTok and Google — to name a few — nearing completion, Dublin’s much-maligned data watchdog could be forgiven for feeling smug.

“We’re still full steam ahead,” said Helen Dixon, the Irish agency’s head, when asked about enforcement during an interview with POLITICO earlier this year.

The Irish regulator can also claim the EU’s own bureaucracy is holding back its bid to hammer the tech giants.

Earlier this summer Dixon proposed blocking Meta’s transfers of personal data to the U.S., sparking fears of a shutdown of Facebook and Instagram in Europe. But that order is now on hold after the Irish were forced to try to resolve other European regulators’ objections to its decision.

And yet the idea that Ireland is finally living up to its role as Europe’s top tamer of Big Tech will have the likes of Austrian privacy campaigner Max Schrems doing a double take.

Schrems’ pressure group NOYB filed several complaints on the day the GDPR came into force, but has yet to see a finalized decision on any of them from the Irish DPC. It’s a similar story for the EU’s consumer organization BEUC; in 2020, it issued a report detailing the organization’s exasperation with the Irish DPC’s handling of its complaint against Google’s location-tracking. It’s yet to see a finalized decision on that case.

Critics will also argue that Ireland has started serious enforcement only because it’s been forced to by its colleagues in the European Data Protection Board, Europe’s network of privacy regulators.

A €225 million fine for WhatsApp in September 2021 came about only after other EU regulators exerted significant pressure on Ireland, which had initially proposed a €30 million-€50 million penalty. Similarly, in the Meta data transfers case, Norway’s data protection authority argued the Irish DPC should go further and fine the company for past violations, instead of just blocking the transfers.

Nevertheless, with the Irish DPC starting to earn its enforcement chops, a crack may be appearing in the narrative that it does nothing against Big Tech.

“The DPC has been consistent over the past few years in saying that enforcement was happening and would [have an] impact soon,” said Daragh O Brien, a digital privacy consultant at Castlebridge.

“Objective observers have highlighted that bedding in a regulation on the scale of the GDPR takes time, and we are now seeing the fruit of that effort. I hope the people who were quick to criticize the DPC will be equally quick to give credit where it is due.”