European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing.”
The regulation. The Commission and the DPC have been contacted for comment on the parliament’s call. Last summer, the Commission’s own two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point” But it’s now nearly three years since the rule began being applied and criticism over weak enforcement is getting harder for the EU’s executive to ignore.
The parliament’s resolution — which, while non-legally binding, fires a solid political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcing the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies which choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).
The text of the resolution expresses “deep concern” over the DPC’s failure to reach a decision on several complaints against breaches of the GDPR filed the day it came into an application, on May 25, 2018 — including against Facebook and Google — and criticizes the Irish data watchdog for interpreting ‘without delay’ in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it. To date, the DPC has only reached a final decision
on one cross-border GDPR case — against Twitter. The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint brought initially by privacy campaigner Max Schrems years before the GDPR came into the application, which relates to the clash between EU privacy rights and US surveillance laws, and which still hasn’t resulted in a decision.
The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU — which in turn led to the landmark Schrems II judgment last summer invalidating the flagship EU-US data transfer arrangement Privacy Shield. That ruling did not outlaw alternative data transfer mechanisms. Still, it made it clear that EU DPAs must step in and suspend data transfers if European’s information is being taken to a third country that does not have essentially equivalent protections to those they have under EU law — thereby putting the ball back in the DPC’s court on the Schrems complaint.
The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers, and the tech giant responded by filing for a judicial review of the DPC’s processes. However, the Irish High Court rejected Facebook’s petition last week. And a stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of reaching a decision on the Facebook data flows complaint has started moving again. A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.
The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR”, and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it: