The European Parliament voted on Thursday (20 May) in favour of a resolution calling on the European Commission to open an infringement procedure against Ireland for failing to enforce the General Data Protection Regulation (GDPR).
In a resolution on the Schrems II case, a landmark judicial ruling that invalidated the EU-US Privacy Shield, MEPs expressed disappointment that in the judicial proceeding, Ireland’s Data Protection Commissioner (DPC) preferred to bring the legal proceeding to court rather than taking a decision on its own, as it was in power to do.
The DPC also tried, unsuccessfully, to put the judicial costs on the defendant, which would have had ‘a massive chilling effect’, discouraging EU citizens to uphold their rights in court, MEPs said.
However, the real point of contention is the fact that the Irish Data Protect Authority has still not decided on many of the privacy complains that have been filled since the entry into force of GDPR inMay 2018. ‘The numbers are staggering’ privacy activist Max Schrems, the initiator of the judicial case, told EURACTIV.
‘The DPC reported about 10,000 complaints last year, but has not made any formal decision on any of these complaints. The DPC openly acknowledged in a recent parliament hearing that it feels “handling” of a complaint is also to just close it without an investigation.
This means that the main path to enforce your fundamental right failed 100% in Ireland in 2020. If this is not a case for an infringement procedure, then I would not know what is’, he added.
In spite of thousands of complaints, the DPC has only issued one sanction for a GDPR breach. For the EU lawmakers this inaction is in contradiction with GDPR, as Article 60 requires the relevant authority to act ‘without delay’. In addition, the resolution considers that the supervisor authorities would have not taken sufficient action to make the DPC comply to GDPR.
Most Big Tech companies have their European headquarters in Ireland because of its tax system. As a result, the DPC is the leading Data Protection Authority to decide on GDPR breaches and privacy complains against these tech giants. Critics argue that there might be a temptation for Ireland to downplay the enforcement of GDPR, as it is in its economic interest that the large tech corporation remain based in its territory.
For Irish MEP Clare Daly (the Left), the focus on the DPC is excessive, as she considers the Irish agency is part of a broader problem related to the GDPR enforcement regime. ‘We absolutely think it’s correct to scrutinise the work of the Irish DPC, given how significant its role is, but we don’t think that should come at the cost of scrutiny of the wider system across Europe and its flaws and failings’ she told EURACTIV.
Tension between the DPC and its counterparts from other European countries has at times broken out in public. In March, the German DPA criticised the DPC’s slow pace in addressing complaints. Data Protection Commissioner Helen Dixon justified these delays on the ground of lacking resources. The budget of the DPC has steadily increased in recent years, reaching €19.1 million in 2021.
‘We have seen some of those resources come on stream, and there have been improvements, but we would argue that there is scope for the DPC to see its resources increased again, given the companies it’s expected to regulate have almost unlimited funds to fight and contest cases’ Daly added.
The insufficient funding in Ireland and Luxembourg was already mentioned in the European Commission’s review of GDPR two years since its application.
On that occasion, Commissioner for Justice and Consumer Rights Didier Reynders told EURACTIV that the European Commission would consider taking action against Ireland, specifying that other actions would be taken before to ensure GDPR compliance before launching a formal procedure.
Asked which actions had been taken to ensure data protection compliance, a Commission official said to EURACTIV ‘several steps have recently been taken in this direction within the [European Data Protection] Board, in particular, to improve procedures for the so-called one-stop-shop system.
The Commission will continue to support the work of the Board and will carefully follow the progress made.’
‘For the new GDPR governance system based on independent data protection authorities to work efficiently, it is essential to develop trust and a European spirit of cooperation’ the source added. The EU official declined to comment whether the European Commission will open an i infringement procedure against Ireland.
EURACTIV also contacted the DPC for comment, with no success.