The recent controversies surrounding Big Tech moguls Elon Musk and Mark Zuckerberg — who are defying content moderation norms and accusing the EU of censorship — should come as no surprise to those following the tech industry closely. For over a decade, Big Tech has approached the EU's robust data protection framework as little more than a compliance checkbox, rather than a set of binding legal obligations.
A surprising body has been complicit in these Big Tech companies evading EU laws – the notorious Data Protection Commission (DPC) of Ireland.
The concentration of Big Tech headquarters in Ireland is no coincidence.
While the country’s low corporate tax rate and English-speaking workforce are significant draws, its regulatory leniency has been an equally compelling factor. This leniency extends to the application of critical regulations such as the General Data Protection Regulation (GDPR).
The GDPR, celebrated as a groundbreaking law for data privacy, was designed to deliver on promises of accountability and enforcement.
However, the persistent failures of Ireland's watchdog, the DPC, coupled with Brussels' inability to exert sufficient pressure, have transformed it into a weak link in the EU's efforts to hold US tech giants to account. This has understandably emboldened Big Tech companies, with Meta’s Nick Clegg defending the tech giant’s audacious claim that it should not be bound by the EU’s legal framework.
As of 2021, the DPC had issued decisions in just four out of 196 cases where it claimed a leading role as the EU regulator
The DPC is crucial to the implementation of the GDPR because it acts as the lead supervisory authority for most major US tech companies under the GDPR’s one-stop-shop (OSS) mechanism.
The DPC’s laxity — with a lack of robust oversight, delayed investigations and even outright dismissal of complaints — has made it a significant bottleneck for enforcement. This inaction has enabled tech giants to evade meaningful compliance, leaving the rights of millions of individuals in the dust.
The numbers confirm as much: as of 2021, the DPC had issued decisions in just four out of 196 cases where it claimed a leading role as the EU regulator. Worse, decisions in Big Tech cases often take years, with several notable rulings taking more than four years to materialise, even when GDPR violations were evident.
One of the DPC’s most troubling practices is its reliance on ‘amicable settlements’ to sideline a high number of GDPR complaints.
By accepting companies’ assurances that the problem no longer exists, the DPC often withdraws cases unless the complainant explicitly objects. This practice disproportionately disadvantages individuals, many of whom lack the resources or knowledge to challenge such decisions (and when they do so, the DPC oftentimes dismisses their concerns).
When the DPC does impose fines — arguably the most impactful tool for ensuring GDPR compliance — it does so reluctantly and under pressure from the European Data Protection Board (EDPB), which coordinates EU/EEA privacy authorities.
For instance, the recent fines against Meta were not proactive enforcement actions but responses to sustained demands from EU counterparts urging the DPC to take stronger measures.
Even more troubling, when the EDPB instructed the DPC to investigate Meta’s handling of sensitive personal data, the DPC chose not to comply but to sue the EDPB. A ruling in the case of DPC vs EDPB will be announced next Wednesday (29 January). Such defiant actions highlight the DPC’s reluctance to fulfil its enforcement responsibilities, compelling other member states to step in and bypass Ireland altogether.
The lack of sustained pressure on the DPC is not accidental. While some actors in Brussels have raised alarm about the DPC, others are complicit in perpetuating this enforcement gap. Their advocacy for deregulation — couched in the language of enhancing competitiveness or fostering innovation — is, in reality, a thinly-veiled call to weaken the application of the GDPR.
The failure to enforce data protection laws is not just a regulatory oversight but a direct threat to fundamental rights and societal well-being. At its core, the debate about data protection is about the pervasive impact of Big Tech’s algorithms, which thrive on personal data acquired under dubious circumstances.
These algorithms amplify harm, perpetuate inequality, and undermine democracy. By determining who sees what information, whose voices are amplified, and whose are marginalised, these algorithms deepen existing inequalities — economic, racial, and gendered.
Moreover, the opacity of these systems erodes public trust, leaving people powerless to understand or challenge the decisions affecting their lives, and subject to endless scrolling that uses their data to keep them hooked.
If the EU wishes to maintain its standing as a global leader in data protection and digital governance, it must urgently address the shortcomings of the DPC.
With two new commissioners now at the helm (and waiting for a third to be appointed), the DPC has an opportunity to course-correct.
However, trust will not be rebuilt overnight. They must demonstrate an unwavering commitment to upholding the GDPR’s principles, not just through more decisions and, with it, more fines but also by addressing systemic issues such as Meta’s business model and its reliance on data harvested without proper consent. It remains to be seen if this leadership will rise to the task.
Failure to do so would compromise not only the integrity of data protection but also the broader human rights framework in the digital age. At this critical juncture, the EU must choose whether to cement its regulatory legacy or cede ground to corporate impunity.
This piece was updated on 23 January with the date of the DPC vs EDPB ruling.
Itxaso Domínguez de Olazábal is policy advisor at EDRi (European Digital Rights), working as their expert in data protection and privacy, with a particular emphasis on commercial surveillance.
Itxaso Domínguez de Olazábal is policy advisor at EDRi (European Digital Rights), working as their expert in data protection and privacy, with a particular emphasis on commercial surveillance.