*This article was updated with comments from the European Commission.
A new report from the Irish Council for Civil Liberties (ICCL) has accused Ireland’s data protection watchdog of pulling the breaks on the enforcement of the EU’s data protection regulation (GDPR) in Europe and called on the European Commission to intervene, warning that the GDPR was “silently falling”.
The Irish Data Protection Commission (DPC) is “the GDPR’s worst bottleneck”, according to the report. As many tech companies including Apple, Facebook, Google, Microsoft, Facebook and TikTok have their European headquarters in Ireland, the DPC is the leading authority on many crucial data protection cases, but for the NGO, it is falling short of its task.
The report also defines the European Commission as “quiescent” with the described situation, and accuses the EU executive of focusing excessively on new legislation while neglecting GDPR enforcement.
In an open letter, the NGO singles out Justice Commissioner Didier Reynders, urging him to start an infringement procedure against Ireland for failing to enforce GDPR.
“The Commission has the duty to see that European law is properly applied. That includes the GDPR. The data we published today shows that this has not happened. To protect us all, and make sure that Google, Facebook, and other Big Tech firms are held accountable, it is important that Commission Reynders now intervenes,” said Johnny Ryan, a senior fellow at ICCL.
A Commission spokesperson told EURACTIV that “we are aware, as stressed in our 2020 GDPR report, that the efficiency of the cooperation between data protection authorities needs to be further improved” and that the letter will be carefully assessed.
“Several steps have recently been taken in this direction within the Board. The Commission continues to closely monitor the cooperation in cross-border cases,” the Commission representative added.
The Irish case
The Irish DPC is looking into 164 cross-border cases of alleged GDPR breaches. However, almost three years and a half since the GDPR entered into force, the DPC has only issued four draft decisions, leaving almost 98% of cases unaddressed.
The report compares the DPC’s performance against that of the Spanish data protection authority, which has drafted ten times more decisions despite having an annual budget of €15.8 million, below the Irish €19 million.
“The report from Ireland’s parliamentary Justice Committee on 22 June, and ICCL’s report today, make clear that the first area of focus must be Ireland,” ICCL’s Ryan added, pointing to a report from an Irish parliamentary committee that in July similarly stressed the DPC’s shortcomings in handling GDPR complaints.
“The good news is that the GDPR already has the antibodies in place to cure the inaction of supervisors,” said Vincenzo Tiani, resident partner at Panetta law firm. Tiani pointed to a ruling of the Court of Justice of the European Union that in June opened the door to having non-leading authorities initiate GDPR-related investigations under specific circumstances.
“In cases where requests from a supervisory authority to a colleague are not dealt with within one month, the supervisory authority may take temporary autonomous measures and the matter will be referred to the EDPB,” Tiani noted.
In cross-border proceedings, non-leading authorities can contest the conclusion of the lead supervisor, in which case the European Data Protection Board (EDPB) will decide. That was the case for the record €225 million fine to WhatsApp the DPC issued earlier this month, as the EDPB obliged the Irish authority to increase the penalty.
The Irish DPC also came in for criticism by its peers for its ‘timid’ approach to GDPR enforcement. However, the report also stressed weaknesses in the overall GDPR enforcement architecture.
Enforcement is also highly concentrated in a handful of countries, as France, Germany, Ireland, Luxembourg, Netherlands, Spain and Sweden receive more than 70% of the total complaints.
The report found EU countries continuing to increase the DPAs’ budgets, but at an increasingly lower rate. The German authority alone counts for one-third of the entire EU spending.
For Paolo Balboni, a privacy professor at the Maastricht University, the Irish authority is not the only one to blame. “The Irish government and the governments of all EU member states need to allocate adequate resources to their national Data Protection Authorities in order to allow them to successfully carry out their functions as required under the GDPR.”
The report authors noted that less than 10% of the employees across EU data protection authorities are tech specialists. Furthermore, only 44% of the final decisions at the EU level include corrective measures, such as fines or orders to stop processing.
The Irish Council for Civil Liberties also emphasised the fact that the European Commission is lacking the data on whether DPAs across Europe are using their powers, to what extent, and in what instances. As a result, “GDPR is silently failing”, the report concluded.
“The current context, with the UK advocating for a more business-friendly approach and willing to move away from some of the EU bloc’ key privacy components, further increases the pressure on the EU and EU capitals. They need to demonstrate their system actually works,” said Diletta De Cicco, an associate at Steptoe law firm.
[Edited by Zoran Radosavljevic]