Irish court dismissed complaint against DPC’s handling of Google’s alleged data breach

The Irish High Court dismissed arguments that the Data Protection Commission (DPC) handled a complaint about an alleged Google data breach improperly. Dr Johnny Ryan, a senior fellow of the Irish Council for Civil Liberties (ICCL), filed a complaint five years ago against Google’s Real Time Bidding system (RTB), which affects web ads based on peoples’ personal data. The complaint raised concerns about the unauthorized use of large amounts of personal data and potential transmission to other parties. Dr Ryan also claimed that DPC’s failure to investigate the alleged breaches violated the 2018 Data Protection Act and the General Data Protection Regulation (GDPR).

DPC denied the allegations and stated that they prioritised their own inquiry into the alleged data breach in 2019, claiming that this procedure would be more efficient. Judge Garrett Simons found that the DPC had the authority to investigate the alleged violation internally before looking into Dr Ryan’s complaint. Namely, the court deemed the DPC’s decision to prioritize its own inquiry over Dr Ryan’s complaint as proportionate and within the margin of appreciation allowed under GDPR.

Why does it matter?

The DPC is Ireland’s supervisory authority regarding GDPR and has been handling data protection complaints from various consumer organizations across the EU regarding Google’s processing of location data. At the same time, it has been criticized before by other data protection authorities, including the German federal data commissioner, which stated that the DPC is ‘insufficiently equipped for its task.’ Despite Dr Ryan’s complaints, it is believed that the court’s decision would have a ‘significant impact on online advertising practices worldwide.’