Data Protection Commission fails to resolve 98% of Big Tech GDPR cases
The Data Protection Commission (DPC) is failing to process a surging backlog of hundreds of GDPR cases against big tech firms and is hindering pan-European data protection enforcement as a result, campaigners claim.
As of May 2021, the DPC was the lead supervisory authority for 164 cases of pan-European significance, according to research by the Irish Council of Civil Liberties (ICCL), but 98% of these cases remained unresolved.
In the three years between May 2018, when GDPR came into force, and May 2021, the data watchdog has only sent four draft decisions to the European Data Protection Board (EDPB) for examination and approval.
“Ireland is the big EU bottleneck,” the report states. “No other GDPR enforcer in the EU can intervene if the Irish DPC asserts its lead role in cases against big tech firms headquartered in Ireland. As a result, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on cross-border cases.”
The DPC is the most significant data protection authority in Europe because many major tech companies are based in Ireland.
In practice, this means 21% of all complaints referred between regulators have been referred to the DPC. Ireland, alongside Spain, Germany, the Netherlands, France, Sweden and Luxembourg, handle 72% of all complaints referred between DPAs.
When cross-border GDPR complaints arise concerning any Irish-based company, the DPC is nominated as the lead supervisory authority by default to lead the investigation under the ‘one-stop shop’ principle.
Investigators are then expected to produce draft decisions, which are referred to the EDPB and fellow data protection authorities for approval, before a final decision is submitted. For example, in January the DPC submitted a draft decision regarding a €50 million fine against WhatsApp. After intervention by fellow European regulators, and the EDPB, the Irish DPC increased the fine to €225 million.
Campaigners have, in the past, criticised the DPC for being slow to process a rising backlog of cases. The organisation’s own figures showed that, in 2019, complaints rose by 75% even though no fines were collected.
The commissioner, Helen Dixon, said in February 2020 that the regulator was trying to lay a solid foundation for enforcement in light of the DPC’s increased prominence since GDPR was introduced. This included raising the staff count to cope with the demands of 2020 and beyond.
The ICCL, however, found the DPC has been chronically underfunded for years, and, despite now being the fifth best-funded regulator, doesn’t have the structural capacity or staffing levels to cope with this demand.
On the other hand, the report praised Spain’s regulator for its output, having submitted 41 draft decisions to the EDPB for cross-border cases as of May 2021. This is despite enjoying a smaller budget than the DPC’s, and a smaller staff.
Senior fellow at ICCL, Johnny Ryan, who was previously chief policy and industry relations officer at Brave, co-authored the report and wrote a letter addressed to the EU commissioner for justice, Didier Reynders.
In this letter, he called for the European Commission to monitor GDPR enforcement across the continent much better, and to take actions against regulators that are effectively undermining the data protection regime.
“ICCL believes that the costs of failing to properly apply the GDPR will be severe,” Ryan wrote. “The fanfare surrounding the GDPR was such that the EU’s global influence will wane if it is allowed to fail.
“Consumers will suffer too, because innovative startups and venerable news publishers will be unable to compete because of Big Tech’s entrenched internal data free-for-alls. The worst cost will be that continuing data misuse will tyrannise citizens, and debase politics. Therefore, we urge you to intervene.”
© Dennis Publishing
Professional Development for IT professionals
The mission of the Irish Computer Society is to advance, promote and represent the interests of ICT professionals in Ireland. Membership of the ICS typically reduces courses by 20%. Find out more