European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing” the regulation. The Commission and the DPC have been contacted for comment on the parliament’s call.
Last summer, the Commission’s two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point”. But it’s nearly three years since the law began being applied, and criticism over weak enforcement is getting harder for the E.U.’s executive to ignore.
The parliament’s resolution — which, while non-legally binding, fires a solid political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcing the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies that choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).
The text of the resolution expresses “deep concern” over the DPC’s failure to decide on several complaints against breaches of the GDPR filed the day it came into the application, on May 25, 2018 — including against Facebook and Google — and criticizes the Irish data watchdog for interpreting “without delay” in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it.
The DPC has only decided on one cross-border GDPR case — against Twitter. The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint initially brought by privacy campaigner Max Schrems years before the GDPR came into the application, which relates to the clash between E.U. privacy rights and U.S. surveillance laws, and which still hasn’t resulted in a decision.
The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU, which led to the landmark Schrems II judgment last summer invalidating the flagship EU-U.S. data transfer arrangement Privacy Shield. That ruling did not outlaw alternative data transfer mechanisms. Still, it made it clear that EU DPAs should step in and suspend data transfers if Europeans’ information is being taken to a third country that does not have essentially equivalent protections to those they have under E.U. law — thereby putting the ball back in the DPC’s court on the Schrems complaint.
The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers, and the tech giant responded by filing for a judicial review of the DPC’s processes. However, the Irish High Court rejected Facebook’s petition last week. A stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of deciding on the Facebook data flows complaint has started moving again. A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.
Update: The DPC said today that it’s now written to Facebook following the lifting of the stay — giving the company six weeks to provide submissions on the preliminary order. The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR” and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it:
The knotty, multi-year saga of Schrems’ Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook’s lawyers’ delaying tactics, illustrates the multi-layered legal, political, and commercial complexities bound up with data flows out of the E.U. (post-Snowden’s 2013 revelations of U.S. mass surveillance programs) — not to mention the staggering challenge for E.U. data subjects to exercise the rights they have on paper. But these intersecting issues around international data flows seem to be finally coming to a head in the wake of the Schrems II CJEU ruling.
The clock is now ticking to issue major data suspension orders by E.U. data protection agencies, with Facebook’s business first in the firing line. Other U.S.-based services that are — similarly — subject to the U.S.’ FISA regime (and also move E.U. user’s data over the pond for processing and whose businesses are such they cannot shield user data via “zero access” encryption architecture) are equally at risk of receiving an order to shut down their EU-U.S. data-pipes. Or else having to shift data processing for these users inside the E.U.
U.S.-based services aren’t the only ones facing increasing legal uncertainty, either. The U.K., post-Brexit, is also classed as a third country (in E.U. law terms). In a separate resolution today, the parliament adopted a text on the U.K. adequacy agreement, granted earlier this year by the Commission, which raises objections to the arrangement — including by flagging a lack of GDPR enforcement in the U.K. as problematic. The parliament highlights how adtech complaints filed with the ICO have failed to yield a decision on that front. (It writes that it’s concerned “non-enforcement is a structural problem” in the U.K. — which it suggests has left “a large number of data protection law breaches… [un]remedied”.
