For Justice Commissioner Didier Reynders, it is too early to assess whether the cooperation mechanism at the basis of the enforcement of the EU’s privacy rules, the GDPR, is functioning correctly.
Reynders stated his view in a reply to an open letter from 6 December co-signed by Dutch MEPs Sophie in ‘t Veld and Tineke Strik and the German Birgit Sippel and Cornelia Ernst.
“If no action is taken soon to dramatically improve enforcement of this EU flagship, the GDPR risks becoming a paper tiger,” the MEPs wrote, asking the EU executive whether it considered the EU privacy law was applied correctly in Ireland.
Under the GDPR, Ireland has the lead on most of the high-level cases as most Big Tech companies have their European legal basis there. MEPs consider the Irish Data Protection Commissioner (DPC) has interpreted such policing role too timidly and have called several times on the Commission to act.
“We have not so far identified issues with the Irish data protection rules or have evidence that these rules have not been respected,” the Commission replied, pointing to a recent case that saw the DPC issue a €225 million against WhatsApp.
The latest spat relates to a series of documents published by NOYB, an NGO led by activist Max Schrems, that challenged the legal basis Facebook uses to process personal data based on a contract rather than user consent.
For Schrems, the internal documents showed that Facebook and the DPC had developed the contract legal basis to bypass the user consent requirements.
In addition, NOYB accused the Irish authority of lobbying in favour of the social networking giant in the context of the guidelines developed by the European Data Protection Board (EDPB), a body that gathers all EU data protection authorities.
“While establishing the EDPB, the legislator provided that the very purpose of the consistency mechanism is to allow for an open discussion and transparent and honest exchange of different points of view on how the GDPR should be interpreted,” Reynders responded.
The Commissioner stressed that it is not for the Commission to intervene or start an infringement procedure based on opinions expressed during such exchanges, even less so on a ‘complex matter’ such as the contractual basis where different views have been articulated.
Moreover, Reynders added that the Commission did not hesitate to initiate an infringement procedure to defend the GDPR in the past, mentioning the cases of Belgium, Poland and Hungary, but that the caution of the Irish regulator and its different point of view did not meet the necessary conditions.
Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties (ICCL), said that “the Commission’s unspoken position appears to be that it has a duty only to monitor the independence of supervisory authorities, and nothing else. That is not a viable position”.
Reynders also contested the statistics mentioned by the MEPs, arguing that they are based on “a misinterpretation of the statistic produced by the EDPB.” The EU lawmakers referred to a study of the ICCL, which indicated that the Irish privacy watchdog only delivered a draft decision for 2% of its cross-border cases.
The Commission noted that amicable settlements, a practice widely used and within the scope of the GDPR, can lead to a case being closed without a decision.
However, in a letter from 14 December, the ICCL already dismissed this argument, pointing to the fact the data was from the Internal Market and Information System (IMI), where cases can be marked as closed or withdrawn.
“The IMI case register appears to be the only Union-wide source of data about each supervisory authority’s case backlog. If its data are deficient, then the Commission cannot fulfil its duty to effectively monitor the application of the GDPR,” the ICCL wrote.
The point on data availability is an important one. In November, the ICCL filed a formal complaint before the European Ombudsman accusing the Commission of failing to monitor the enforcement of the EU data protection law.
While the EU executive has discretion on launching an infringement procedure, as the guardian of the treaties, it cannot abstain from overseeing that EU law is being applied adequately.
While welcoming the Commission’s prompt reply, MEP Sophie In’t Veld told EURACTIV that “the Commission has a very hands-off approach.”
The Dutch lawmaker pointed to a recent paper that makes the case that, since José Manuel Barroso’ Commission, the EU executive has increasingly avoided clashing with member states over infringement procedures in exchange for support for its policy proposals.
For In’t Veld, the GDPR case is a symptom of the broader problem spanning policy areas such as emission standards, money laundering and the rule of law.
“We’re building facade legislation. But behind the facade, there’s nothing because it’s not being put in practice properly,” In’t Veld said.
[Edited by Zoran Radosavljevic]