MEPs have said that “a lack of political will and resources” had resulted in a laggard approach to enforcement of the EU’s general data protection regulation (GDPR), singling out in particular the lack of sanctions dished out by the Irish data protection authority.
In a resolution on the Commission’s GDPR resolution adopted on Thursday (25 March) by 483 votes to 96 and 108 abstentions, MEPs were “particularly concerned that the Irish data protection authority generally closes most cases with a settlement instead of a sanction,” and that certain cases dating back to 2018 “have not even reached the stage of a draft decision.”
Ireland’s Data Protection Commission (DPC) declined to respond immediately to the resolution.
To date, the Irish DPC has issued six fines for GDPR breaches. These include three against Tusla, the country’s Child and Family Agency, a €65,000 penalty issued against Cork University Maternity Hospital, a €70,000 fine for University College Dublin, and, in the first fine for a cross-border case, a €450,000 charged levied against Twitter for falling short of data breach notification obligations.
In 2020, the authority disclosed that 4,660 complaints had been received under the GDPR, but that at the close of the year it only had 83 statutory inquiries on hand, which comprised 56 domestic inquiries and 27 cross-border probes.
The Irish DPC is also the lead authority for a number of high-profile cases including some of the world’s largest tech firms. These currently include nine investigations into Facebook, three into Instagram, and two into Whatsapp. Three probes are also being carried out into Apple and Twitter each and Google is subject to two investigations.
‘One Stop Shop’ mechanism not functioning as it should
GDPR’s so-called One Stop Shop mechanism, which allows companies that conduct cross-border data processing to come under the remit of one data regulator, has meant the Irish authority has had to deal with the vast majority of cases including global technology giants.
On Thursday, MEPs expressed “great concern” that the provision is not working as it should, particularly with regards to the operation of the Irish data protection commission.
EU lawmakers agreed that “the success of the one-stop shop mechanism is contingent on the time and effort that DPAs can dedicate to the handling of and cooperation on individual cross-border cases … and that the lack of political will and resources has immediate consequences on the extent to which this mechanism can function properly.”
The resolution further deplored a lack of “human, technical and financial resources, premises and infrastructure” noted by many supervisory authorities in the EU, and said that “the inaction on the part of the Commission to address the lack of resources of the DPAs leaves the burden of enforcement on individual citizens to bring data protection claims to court.”
For the Irish case, in particular, there have long been concerns that the authority would struggle to meet the demands of overseeing the world’s most dominant players in the online ecosystem.
Such worries came to a head towards the end of 2019, when head of the Irish authority Helen Dixon said that she had been “disappointed” by the government’s 2020 budget allocation for the authority, which represented less than a third of the funding that the DPC had requested.
[Edited by Josie Le Blond]