The European Commission will consider the necessity of introducing infringement procedures against member states that fail to comply with the EU’s general data protection regulation (GDPR), the Commission’s Justice Chief Didier Reynders has warned.
His comments came following the recent publication of the Commission’s GDPR review, which highlighted several shortfalls across member states in terms of compliance with the EU’s data protection.
In the review, published towards the end of June, Ireland and Luxembourg were singled out as being under-resourced to the extent that their ability to ensure adequate GDPR compliance in their countries should be hindred.
Despite Reynders’ comments – a reiteration of previous Commission warnings in the past – he did, however, note that enacting infringement procedures isn’t the first step the executive would take in GDPR shortcomings.
“We will take all necessary initiatives to have a correct implementation and also, we will analyse the necessity to introduce infringement policies,” Reynders said.
“But as you know, that is not the first tool,” he continued. “The first tool is to try to have correct implementation by the member states and with enough resources to all the different national data protection authorities.”
The GDPR gives powers to privacy authorities across the EU to enforce fines of up to 4% of global revenue or €20 million, whichever is higher. The largest fine to date has been the French data protection authority’s €50 million penalty against Google in 2019 for a lack of transparency.
The Irish question
Reynders added that action against Ireland, the lead authority for actions involving several of the Big Tech firms, would be taken “if needed”.
The Irish Data Protection Commission, led by Helen Dixon, has sanctioned just one action for GDPR breaches, a preliminary decision of a probe of a 2019 Twitter bug that led to protected tweets being made public.
Dixon has previously lamented that the Irish DPC is under-resourced when analysing the volume of complaints it is required to process, after receiving less than a third of the budget it had called for in 2020.
This was a point raised in the Commission’s recent GDPR review.
“Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest,” the document states.
However, lawmakers in the European Parliament have recently raised the issue of the under-funding of national data protection authorities, noting that it should not necessarily be used as an excuse for a lack of actions taken out. Member states that don’t resource their national data protection authorities as appropriate should face punitive measures, EU lawmakers claimed.
Addressing Reynders yesterday, Irish leftist MEP Clare Daly (GUE/NGL) spoke specifically about the situation in her country, putting the lack of enforcement rulings in Ireland down to the fact that Ireland plays home to some of the world’s most profitable tech giants – and would seemingly hope to continue to do so.
“Ireland, as we know, has an economic policy with light-touch regulation to foreign multinationals. Our senior politicians have been called basic lobbyists for the big tech companies,” she said.
“Against that backdrop, then, is it any wonder that we’ve had 24 investigations in Ireland into the big tech companies, and no fines issued? So when you say that you’re going to look at infringement proceedings for countries which don’t resource their DPAs – but you’re going to talk to them first – I don’t think that’s really good enough.”
The European Commission has warned that privacy enforcement authorities in Ireland and Luxembourg possibly require “larger resources” in the GDPR review, even though the two countries have seen a significant increase in their staff numbers between 2016 and 2019. Ireland saw the largest upturn of EU member states, with a 169% increase in staff during this period, while Luxembourg saw an increase of 126%.
However, for Daly, this data is misleading. On Monday (13 July), she rebutted the notion that the Irish DPC had an increase commensurate with their competencies.
“In 2016, they had an office over a small shop in a Midlands town, so that type of increase is actually nothing,” Daly said.
Meanwhile, Austrian privacy activist Max Schrems has also recently spoken out against the idea that the Irish DPS is not adequately resourced.
“Ireland is one of the best-funded DPAs in Europe,” Schrems said as part of a media briefing on Monday (13 July). “The Irish DPA has 140 people for it.”
“Blaming it only on funding is shifting the blame.”
The Austrian privacy activist this week faces a showdown at the European Court of Justice as judges decide on the legality of the EU’s Standard Contractual Clauses (SCCs) which are used for worldwide data transfer agreements.
(Edited by Frédéric Simon)