The Data Protection Commissioner has said a set of metrics against which the performance of all European data regulators can be assessed objectively must be agreed.
Helen Dixon's comments come as her office continues to come under fire from other supervisors, politicians and privacy advocates over alleged weak handling of so-called "Big Tech" firms.
"Such metrics must, however, move past both superficial totting exercises and assumptions to the effect that the bigger the fine, the greater the change of behaviour it will herald," wrote Ms Dixon in a foreword to the Data Protection Commission's (DPC) annual report published today.
"If the collective goal of all of us is to ensure better protection of people from misuses of their personal data and, indeed, to ensure they are not disadvantaged by 'over-implementation' of GDPR rules, the types of quantitative and qualitative metrics that need to be assessed must be carefully laid out," Ms Dixon said.
"Further, enforcement priorities must be set and the impact of different enforcement measures and sanctions must be tracked and analysed over time for impact and value-for-money," she added.
Ms Dixon added that while the DPC recognises that "in some respects at least" it needs to do more and better, a shared understanding of what measurements it is being compared against would be of benefit.
She said in the absence of such agreed benchmarks, the standing of the General Data Protection Regulation (GDPR) enforcement regime is at risk of damage.
"This is particularly so when certain types of allegations levelled against this office serve only to obscure the true nature and extent of the challenges presented by the particular framework by which the EU member states are bound to legislate for the enforcement of data protection within the EU as a whole," she bluntly claimed.
The data regulator also said that to maximise the impact of its interventions and deliver meaningful outcomes, it must deploy its resources in a targeted way.
The Irish Council for Civil Liberties has called on the Minister for Justice to launch an independent review of the functioning of the DPC - something recommended by the Oireachtas Justice Committee last year and echoed yesterday by Facebook whistleblower Frances Haugen.
The DPC has also faced criticism from some MEPs over claims it is too weak on large tech companies that have their international or European headquarters in Ireland.
But Ms Dixon said that in the vacuum created by a lack of agreed standards for performance measurement, "a narrative has emerged in which the number of cases, and the quantity and size of the administrative fines levied, are treated as the sole measure of success, informed by assumptions as to the effectiveness of financial penalties, in particular, as drivers of real changes in behaviour, capable of delivering identifiable and meaningful improvements for data subjects."
"In that regard, a recent (2022) survey citing Luxembourg and Ireland as top of a league table for fines in the EU tells us little about how effective regulation under the GDPR has been," she claimed.
"Likewise, figures representing the number of cross-border cases provide little by way of meaningful insight," she added.
Ms Dixon also questioned the success of the one-stop-shop mechanism under GDPR, where multinational companies with operations across Europe can choose to be regulated out of just one territory so they do not have to deal with multiple authorities in different jurisdictions.
She said not all multinational activity falls within the scope of the one-stop-shop arrangements, leading to decisions that are "difficult to reconcile" being made about the same cross-border processing operations of one particular platform but by different EU supervisory authorities.
"That so much cross-border activity can sit outside the one-stop-shop brings into question the effectiveness of the coordination efforts that were intended to be a feature of the regulation of cross-border processing operations," she said.
"It may also be said to undermine the idea, central to the GDPR, that a level playing field could be created across Europe," she stated.
The annual report shows that at the end of last year, the DPC had 30 cross-border cases open, with the bulk involving large technology companies.
However, in three of these cases, all involving Facebook platforms, draft decisions had been sent to other data protection authorities across Europe under the co-decision-making procedure.
Others, involving platforms such as Facebook, TikTok, Yahoo, Tinder, Apple, Twitter, Google, LinkedIn, Quantcast and WhatsApp, were at various stages of inquiry.
Last year the DPC also concluded an investigation into WhatsApp which resulted in the messaging service being fined €225m.
In total, the DPC received 10,888 queries and complaints last year, up 7% on 2020, with 8,017 of these concluded by year end.
3,419 of these were complaints and the commission concluded 3,564. Among these were 1,884 from previous years.
The DPC says 52% of complaints lodged with it last year were concluded within the same calendar year.
6,549 notifications of data breaches were received during the year, down 2% on the previous year.
95% of these cases were concluded in the calendar year.
By the end of December, the commission had 81 statutory inquiries still ongoing, including the 30 cross-border investigations.
Last year the DPC also conducted an audit of the data protection practices of political parties here and it also settled legal proceedings with the Department of Social Protection around the processing of personal data when issuing Public Service Cards.
The Data Protection Commission's budget in 2021 rose by €2.2m compared to 2020 to €19.1m.