Irish DPA Ready to Lead Enforcement Under EU Regulation, But Without New Huge Fines

By Stephen Gardner  

Jan. 23 --Ireland is preparing for its front-line role in the enforcement of the European Union's proposed new data protection regime, but doesn't expect to make extensive use of the new large fines that might be levied on noncompliant companies under that scheme, Irish Data Protection Commissioner Billy Hawkes said Jan. 23.

Speaking in Brussels at the 7th International Computers, Privacy and Data Protection conference, Hawkes said that fines for data protection infringements would be a “useful addition to the toolbox,” but shouldn't be triggered automatically. The Irish DPA would “use and deploy fines as required.”

Ireland will be prominent in the implementation and enforcement of the pending EU data protection regulation because, under the system currently outlined in the draft regulation, privacy complaints about a company will be handled by the DPA where that company has its main establishment.

Ireland is the European home for a large number of U.S. multinationals, including Internet and social media companies such as Facebook Inc., Google Inc. and LinkedIn Corp., and technology companies, such as Apple Inc., Dell Inc., Hewlett Packard, IBM Corp. and Intel Corp.

However, the resources of the Irish DPA are relatively limited compared with its counterparts in larger EU countries, such as Germany and Poland.

Fining Power

The Irish Data Protection Commissioner doesn't have the power to levy fines under Ireland's national law transposing the EU Data Protection Directive (95/46/EC).

Under the proposed data protection regulation, put forward by the European Commission in January 2012, a uniform regime of sanctions for the EU would be introduced.

The regulation is yet to be finalized by the EU institutions, but the European Parliament's Civil Liberties, Justice and Home Affairs Committee in October 2013 voted in favor of a version of the regulation that would allow DPAs to levy fines of up to 100 million euros ($135.5 million), or 5 percent of a company's annual worldwide revenue (12 PVLR 1817, 10/28/13).

Hawkes said that sanctions currently available to him include enforcement orders requiring companies to desist from behavior that contravene Ireland's Data Protection Act, which can ultimately be backed by court judgments obliging companies to stop data processing operations.

The lack of a power to fine companies doesn't “seriously inhibit” enforcement, Hawkes said.

Privacy Audits, Cooperation

Hawkes added that the Irish DPA carries out privacy audits of multinationals established in Ireland and generally seeks to pursue a cooperative approach with large data processors.

“Organizations wish to cooperate with us,” and there is a “general anxiety to comply and be seen to comply with the law,” he said.

“The clear enforcement power I want is to order the processing to stop,” in case of violations, Hawkes said in response to a question from Bloomberg BNA.

The Irish DPA is being allocated more resources by Ireland's government in expectation of its expanded role under the data protection regulation, he said. “I'm confident that we will be able to handle this burden.”

The Irish DPA so far has received most complaints about U.S. multinationals from outside Ireland, Hawkes said. It might under the new regulation lose the power to regulate many of the companies “that Irish people care about,” such as banks and telecoms that might be headquartered in another EU member state, he said.

Under the proposed regulation, such companies would be overseen by the DPA in the member state where they have their headquarters, he said.


To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor on this story: Donald G. Aplin at