In its annual report, the Data Protection Commission (DPC) has hit out at perceptions that the number of cases completed and the size of fines levied are "the sole measure of success" in lieu of an "elusive" agreed standard for GDPR enforcement.
Following criticism by Facebook whistleblower Frances Haugen before the Oireachtas media committee of the DPC's ability to regulate the tech multinationals based in Ireland, Data Protection Commissioner Helen Dixon responded to a number of persistent knocks against the watchdog's performance.
Writing in her foreword to the annual report, Dixon said quantitative and qualitative metrics by which the DPC's performance can be measured needed to be "carefully laid out", along with enforcement priorities, and that the impact of enforcement measures and sanctions should be tracked and analysed over time for "impact and value-for-money".
"Whilst open in our acknowledgment that, in some respects at least, we need to do more, and better, a shared understanding of what measures we are tracking against in this combined individual rights-based/systemic supervision area of regulation would benefit all," she wrote.
Dixon went on to warn that the standing of the GDPR enforcement regime is "at risk of damage" without agreed measures and flagged a number of persistent allegations against the DPC that "serve only to obscure" the challenges presented by the GDPR framework.
She said the DPC receives complaints on issues that are not relevant to data protection; that commentators have criticised the body for prioritising certain cases to make best use of its resources; and the volume and value of fines are publicly treated as the only measure of its effectiveness.
"A narrative has emerged in which the number of cases, and the quantity and size of the administrative fines levied, are treated as the sole measure of success, informed by assumptions as to the effectiveness of financial penalties, in particular, as drivers of real changes in behaviour, capable of delivering identifiable and meaningful improvements for data subjects," Dixon wrote.
Dixon went on to say that the DPC is engaging with its counterparts across Europe to identify standardised performance metrics for regulating big tech, but warned that they must "move past both superficial totting exercises and assumptions to the effect that the bigger the fine, the greater the change of behaviour it will herald."
The report highlights that the DPC received 7,469 queries and 3,419 complaints from individuals last year, an increase of 7% year-on-year, but it adjudged just over 60% of notifications (6,549) to be valid breach cases.
The body concluded 7,081 queries and 3,564 complaints, including 1,884 received prior to 2021, and 95% of valid breach notifications (6,274).
The DPC said it concluded five large-scale inquiries in 2021; sent forward four draft decisions to the EU co-decision-making process; referred one case to the EU dispute resolution mechanism; issued nine preliminary drafts of decision; and sought submissions on statements of issues or inquiry reports from relevant parties in a further 17 inquiries.
The case sent to the EU dispute resolution mechanism involved Meta-owned WhatsApp and resulted in the imposition of a €225m fine. The DPC also settled legal proceedings against the Department of Social Protection in relation to the processing of personal data when issuing Public Service Cards.
Staff numbers at the DPC increased to 190 last year, and the regulator's budget for 2022 has been increased from €19.1m to €23.2m.