First there was criticism in the Dáil (Irish Parliament) – its Senate Justice Committee published a new report noting the need to reform the Irish Data Protection Commission (DPC). It recommended that the DPC urgently “move from emphasising guidance to emphasising enforcement”. Then the European Data Protection Board told them to think again when they wanted to impose a much lower fine on WhatsApp than the €225 million eventually levied.
Now the Irish Council for Civil Liberties (ICCL) and its highly respected Senior Fellow Johnny Ryan, has the DPC in its sights accusing it of causing a bottleneck across the European Union in the enforcement of data subjects’ rights.
In its recent report entitled “Europe’s Enforcement Paralysis” (Report), the ICCL looks at the overall enforcement capacity of European data protection authorities in cross-border cases. It paints a gloomy picture, highlighting several glaring issues, two of which we explore in greater detail below:
“Ireland is the GDPR’s worst bottleneck”
Three and a half years since the introduction of the General Data Protection Regulation (EU) 2016/679 (GDPR), the Report states that the EU’s GDPR enforcement against the large multi-national technology companies (Big Tech) is incapacitated by Ireland’s inability to deliver draft decisions on major cross-border cases. Of the major GDPR cross-border cases referred to Ireland, it says that 98% remain unresolved. This is problematic for two main reasons:
- The DPC are the “lead” authority for the Big Tech firms (Google, Facebook, Apple and Microsoft among others) because they are headquartered in Ireland, making the Irish DPC the most important enforcer of GDPR. The ICCL says that only four draft decisions have been issued by the DPC between May 2018 and this year according to their research. As a consequence, they say that EU GDPR enforcement against the Big Tech firms is effectively paralysed. This is compounded by the fact that no other EU Supervisory Authority can intervene, should the Irish DPC assert its lead role in cases against Big Tech firms headquartered in Ireland - much to the consternation of the German Federal Commissioner for Data Protection and Freedom of Information!
- The Report alleges that there is no consistent view across the European Economic Area (EEA) on how often lead Supervisory Authorities (SAs) should use their investigative powers, what specific powers or sanctioning powers to use (with less than half (44%) of the European Data Protection Board’s final EU-wide decisions enforcing corrective measures). This has become particularly problematic since the DPC is currently the lead supervisory authority for 164 cases of Europe-wide significance and given current output, the ICCL says something must change.
The DPC would likely point the blame at being chronically underfunded for two decades. However, it now ranks fifth among the EU DPAs for budget, and despite holding a smaller budget, Spain’s Supervisory Authority (AEPD) managed to provide more than ten times the number of draft decisions than the DPC.
Investment in SAs are in decline
The Report highlights that the combined budget of EU SAs (UK excluded) has increased by €132.6 million since 2016, but goes on to say that the annual increases to SA budgets peaked in 2018 and have steadily declined every year since. Nine DPAs have budgets of less than €2 million per annum it says.
In tandem with declining budgets, is a perceived lack of capacity to investigate and understand what tech companies do with people’s data. Of the EU Member State SAs combined, the ICCL says that there are only 293 tech specialists in total (excluding IT support staff). In fact, only five EU Members States have more than 10 tech specialists, and more than half have four or less. In comparison, the UK ICO (despite being the largest single SA prior to Brexit) only has 13 tech specialists (1.7% of its staff).
Given all “the fanfare that surrounded the launch of the GDPR”, if its enforcement is allowed to fail, the EU’s global influence in the realm of data protection will also surely fade, the Report states. It accuses the EU Commission of being quiescent in this failure, too distracted by the next generation of legislation.
ICCL recommendations
The ICCL is calling for urgent intervention.
It wants the immediate reform and strengthening of the DPC, adding additional resources and moving it from effectively hand holding to enforcement.
It says the EU Commission should use its powers under other EU Treaties (such as the Treaty on the Functioning of the European Union and the Treaty on European Union to:
- launch infringement proceedings against Member States that jeopardise the protection of personal data (through their inactivity);
- improve its oversight of the GDPR by demanding regular reports from SA’s detailing the number of cases being handled, the number of days each case takes to reach the decision stage, how many times investigative powers are invoked and how many times sanctions are imposed.
If no action is taken, the ICCL believes that the worst-case scenario will be that consumers will continue to suffer, as innovative start-ups and respected news publishers will be unable to compete with Big Tech’s “entrenched internal data free-for-alls”, making it increasingly difficult to police.
And finally
In Ireland, Budget 2022 will be published in early October. The annual contribution to the DPC should be a good indicator of how seriously the government supports its European role.