Ireland's Data Protection Commission

Most of Big Tech chose Dublin as their EU base. The regulator responsible for protecting 400M Europeans' data against these companies has been called the 'bottleneck of Europe.'

In one sentence

The Irish Data Protection Commission (DPC) is the lead EU regulator for Apple, Google, Meta, Microsoft, TikTok, Twitter/X, LinkedIn, Airbnb, and dozens more — because they all placed their European headquarters in Ireland for tax reasons.

Why Ireland

Ireland offered low corporate tax rates (12.5%) to attract tech companies in the 2000s. Under GDPR's one-stop-shop rule, the country where a company has its EU HQ is the 'lead supervisory authority' for all EU complaints against that company. This means the Irish DPC — a small national regulator — became the frontline privacy enforcer for 400+ million Europeans against the world's largest tech companies.

The criticism

The Irish Council for Civil Liberties (ICCL) found that the DPC took an average of 5 years to resolve major cross-border cases. Between 2018 and 2022, the DPC issued zero fines against Big Tech on its own initiative — every major fine came only after intervention from other EU regulators using the GDPR dispute resolution mechanism. Former DPC Commissioner Helen Dixon publicly argued for 'dialogue' over enforcement. The European Data Protection Board (EDPB) overruled the DPC on Meta's data transfers, forcing the €1.2B fine the DPC had tried to avoid.

Notable decisions

Meta €1.2B (2023) — for US data transfers. Only issued after the EDPB overruled the DPC's draft decision.

WhatsApp €225M (2021) — originally proposed at €30-50M by the DPC; other EU regulators forced an increase.

TikTok €530M (2025) — China data transfers. DPC initially sought to settle informally.

Twitter/X €450K (2020) — a breach affecting 5 million Europeans drew a fine smaller than a single engineer's salary.

The pattern: the DPC proposes weak action; other regulators intervene; the final decision is stronger than what Ireland wanted.

Structural issues

The DPC is underfunded relative to its responsibilities (budget €26M in 2023 for a caseload that should require €100M+). It suffers from staff turnover. Its legal strategy favours negotiation over adversarial enforcement. Cases routed through the Irish High Court add years of delay. Companies exploit this: Meta alone has launched over 20 legal challenges against DPC proceedings in Irish courts. The DPC is not corrupt — it's structurally inadequate for the role GDPR assigned it.

What this means for you

If you use a product headquartered in Ireland (most Big Tech), your GDPR complaints go to the DPC. They will be handled — eventually. But enforcement will likely be weaker and slower than if your complaint went to CNIL, the Dutch AP, or a German DPA. The one-stop-shop rule means you cannot choose a tougher regulator. Some privacy advocates argue this makes Ireland a 'data protection haven' — companies get EU market access with the weakest possible regulatory oversight.