How Ireland lost its chance to become Big Tech’s ‘super regulator’

Incoming EU rules forcing Big Tech to police content on the internet more aggressively will be enforced directly by the European Commission, a move experts say will diminish the role Ireland has played so far in supervising digital giants in the region.

Since 2018, Ireland’s Data Protection Commission has been the main privacy watchdog supervising the likes of Facebook parent company Meta and Google under the European Union’s General Data Protection Regulation, which aims to give consumers more control over their data.

That’s because many of the largest U.S. tech firms, including Meta, Google, and Microsoft, chose Dublin for their European headquarters, due in no small part to Ireland’s favorable tax regime.

But the Irish DPC has faced criticism over the years for being slow to carry out major privacy investigations, and for failing to impose many substantial fines.

“Ireland remains a severe roadblock for GDPR enforcement,” Paul-Olivier Dehaye, founder of Personal Data, a Swiss nonprofit focused on online privacy, told CNBC.

For its part, the Irish DPC said such criticisms are incomplete and lacking in context.

Still, with the recently approved Digital Services Act, Ireland will no longer be at the center of the EU’s clampdown on Big Tech. Alongside Brussels’ new antitrust framework, the Digital Markets Act, the rules represent the most significant reforms to internet policy in the bloc’s history.

The DSA, which is expected to come into force by 2024, will require large online platforms to rapidly remove illegal material such as hate speech or child sexual abuse material, or else risk multibillion-dollar fines.

The original text of the DSA would have granted authorities in individual member states the ability to penalize the biggest online platforms with headquarters in those countries for violations.

But EU members pushed back on this, concerned it could lead to enforcement delays. Eventually, the European Commission — the executive arm of EU — was given enforcement powers instead.

“We warned the government about this a year ago,” Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, told CNBC. “This has been clearly signposted for quite a while.”

Companies that breach the new rules face potential penalties of up to 6% of their global annual revenue. For a company like Meta, that could mean a fine as high as $7 billion. That’s actually lower than the maximum 10% fines enforceable under GDPR.

The problem is that enforcing such hefty fines means taking on the risk of facing costly appeals from the tech companies. Critics, from EU officials to privacy campaigners, say Ireland’s DPC is ill-equipped to deal with such blowback. According to the ICCL, the DPC has delivered rulings in just 2% of EU-wide cases since the GDPR came into force.

A spokesperson for the DPC said: “I would point out that we have recently published three separate reports, namely our annual report for 2021, a report on the handling of cross-border complaints under the GDPR, and an independent audit report conducted by our internal auditors, all of which demonstrate that the Irish DPC is clearly delivering in terms of its application of the GDPR.”

So far, more than 1 billion euros in penalties have been imposed since GDPR came into force. The largest came last year from the Luxembourg data watchdog, which fined Amazon 746 million euros for breaching the bloc’s rules.

Ireland’s 225 million GDPR fine against WhatsApp was the second largest. Both companies are appealing the respective decisions.

Ireland’s government insisted the country will “play a crucial role” in the implementation of the DSA.

“The DSA provides for a network of national authorities and the European Commission, cooperating together, exchanging information and conducting joint investigations,” a spokesperson for the Department of Enterprise, Trade and Employment, told CNBC.

While the Commission will act as the primary enforcer for “systemic” companies like Meta and Google, which have millions of users across the bloc, Ireland and other EU countries “will be responsible for all other obligations in the DSA,” the spokesperson added.

Owen Bennett, senior public policy manager at Mozilla, said the development represented a “watershed moment” for Big Tech oversight in the EU.

“Ireland had for many years been the de facto European regulator for almost all of the biggest tech companies,” Bennett told CNBC. “The DSA creates a new precedent for centralizing Big Tech oversight in Brussels, rather than Dublin.”

“I would be surprised if this doesn’t become a trend in the years to come, with the European Commission taking a more prominent role in enforcing rules against Big Tech.”

The European Commission will also be the sole enforcer of the Digital Markets Act, which seeks to stop so-called internet “gatekeepers” from harming competition. Google would be prohibited from giving preference to its services over that of a rival search engine, as an example.

Under the DMA, firms could be fined up to 10% of their global annual turnover for breaking the rules. That may climb to as much as 20% for repeated violations.

“Ireland could have been the center of the world,” said Ryan. “It could have been the super regulator, the super enforcer — basically the center of decision making for these companies.”

“Unfortunately, that’s not going to happen.”

The EU has led the way on introducing new digital regulations, and now governments in the U.S., U.K. and elsewhere are racing to catch up.

In Washington, President Joe Biden’s administration has tapped prominent Big Tech critics to lead an antitrust crackdown on the companies, while in Britain, Prime Minister Boris Johnson’s government is pushing through landmark digital reforms of its own.