Helen Dixon has left her post as Irish Data Protection Commissioner after a decade of issuing some of Europe’s most high-profile enforcement decisions. She is replaced by two new Commissioners: Ex-human rights lawyer Des Hogan and former Deputy Commissioner Dale Sunderland. Throughout her ten-year term, Dixon led on the regulation of the many US tech giants, including Google, Apple, Microsoft, TikTok, and Meta, the parent company of Facebook, Instagram, and WhatsApp. The Irish DPC has been behind six of the seven highest-ever GDPR fines, almost all of which followed the intervention of the European Data Protection Board (EDPB).
Here’s a look at what lies ahead under the Irish DPC’s new leadership.
Coordinated DSAR enforcement
On 19 March, the Irish DPC announced that it will be participating in the EDPB’s coordinated enforcement action on data subject access requests (DSARs). The DPC will distribute surveys to controllers across Ireland’s private and public sectors to help understand how Irish organisations have implemented the guidelines on the right of access adopted by the EDPB last March. The DSAR survey is part of a wider effort that the EDPB says could result in “further supervision and enforcement actions.”
Outstanding ‘one-stop-shop’ case
Last January, tensions came to a head between Dixon and other regulators on the EDPB when the Irish DPC announced that it was taking the board to court. The DPC claims the dispute arose after the EDPB directed it to undertake an “open-ended and speculative” investigation into how Meta processed sensitive personal data across its companies. Dixon argued that the Board had overstepped the mark, and that the DPC would seek to have the decision annulled. She left office before the Court of Justice of the European Union (CJEU) had a chance to rule on the case, so the challenge is now passed to her successors.
Under the GDPR’s “one-stop-shop” process, many cross-border enforcement cases go through Ireland. Disputes with between Ireland and other EDPB members have slowed down DPC investigations and changed the outcome of many important cases. This court case won’t undermine the one-stop-shop entirely, but it will test the limits of the process. If the DPC succeeds, the regulator might become more agile and confident in its enforcement approach.
Unresolved investigations and unanswered questions
Dixon leaves office with several complicated cases unresolved. The results of these cross-border investigations could impact any organisation covered by the GDPR. Last June, Microsoft announced that the Irish DPC had proposed a $425 million fine against LinkedIn. Once more details are revealed, this case could have implications for how organisations justify the legality of their advertising activities.
In January, MLex reported that a yet-undelivered decision on Meta’s “consent-or-pay” policy was due “within weeks”. The DPC must decide whether controllers can offer a paid alternative to behavioural advertising—an issue with a huge potential impact on digital marketing and the meaning of “consent” under the GDPR.
Last September, the DPC fined TikTok €335 million over alleged “data protection by design” and transparency failures. Results of a probe into TikTok’s alleged transfer of personal data to China have also been expected since 2023. This case could disrupt data flows to China and other non-democratic countries.
A chief aim of the GDPR was to harmonise data protection regulation across the EU. Yet many businesses still deal with inconsistencies and unclear expectations.
HewardMills has a wealth of experience working with businesses all over the world. Our team of data protection experts can help support a compliance approach that mitigates risk across multiple jurisdictions while enabling your business to thrive.
