The Irish Council for Civil Liberties (ICCL) filed a formal complaint against the European Commission before the European Ombudsman on Monday (29 November) for failing to monitor enforcement of the EU’s data protection law, known as the GDPR, and for not holding Ireland accountable.
ICCL’s complaint is unusual as it is divided into two components. The first part might have stronger resonance, as it highlights the fact that the EU executive has not put in place a monitoring mechanism to keep track of the implementation of the General Data Protection Regulation.
The second part refers to the fact the Commission has not held Ireland accountable for allegedly failing to apply GDPR. In September, the ICCL published a report indicating that the Irish Data Protection Commissioner (DPC) only reached a decision on 2% of the cross-border cases it is leading on.
“Not only has the European Commission not acted, but it also has not even gathered information to know whether to act,” Johnny Ryan, a senior fellow at ICCL, told EURACTIV.
“We are pointing to a deep problem with the GDPR. And that problem seems to be that this Commission has no interest in the data protection agenda of the previous Commission,” he added.
Guardian of the treaties
The Irish NGO acknowledged that the Commission, as the guardian of the treaties, has significant room for discretion in deciding whether or not to launch an infringement procedure against member states that go openly against or fail to uphold EU law.
However, the complaint noted that the EU executive has a duty to monitor whether EU rules are properly applied. While the NGO urged Justice Commissioner Didier Reynders in September to take action against Ireland, it is now reporting the EU executive for maladministration.
Ryan tracked the origin of the complaint to the research behind the report published in September, for which ICCL interviewed virtually all EU data protection authorities and analysed the data provided by the European Data Protection Board (EDPB), the body that gathers them.
“What we learned is that the statistics that were given to the European Commission were completely inadequate,” Ryan added.
He gave examples of how many cases each privacy watchdog is the lead for, how many times authorities have used their investigative or sanctioning powers and the number of days needed to move from a complaint to a draft decision and hereby to a final decision. None of this data is currently available.
The European Ombudsman will now review the complaint and decide whether to open an inquiry. In 2019, 79% of the EU Ombudsman’s recommendations were taken on board by the European Commission.
The spotlight on Ireland
The ICCL is not the only one to have pointed the finger at Ireland’s DPC. Other data protection authorities in the EU have also accused the Irish regulator of falling short of its obligations. The overwhelming majority of very large tech companies have their legal basis in Ireland, which therefore has the lead on most cross-border cases.
The European Parliament also joined in the debate in May, as EU lawmakers adopted a non-binding resolution calling on the European Commission to open an infringement procedure against Ireland precisely for allegedly failing to apply the EU data protection law.
“There is no denying that the system now has some distortions, but these could be corrected by greater cooperation and delegation to other authorities for cases raised in individual member states,” noted Vincenzo Tiani, a partner at Panetta law firm. However, Tiani stressed that doing so would require the will of all authorities, including the Irish one.
The European Data Protection Supervisor (EDPS) has recently announced a conference in June next year to reconsider the GDPR enforcement architecture. Ongoing inefficiencies in the GDPR enforcement have also influenced the policy discussions on the Digital Services Act (DSA).
For ICCL’s Ryan, the Commission’s lack of action has unintended consequences also for disinformation and market power, two issues the EU executive has been trying to address through new legislative proposals.
“What this Commission needs to do is return again to the GDPR and see that that piece of law is enforced, because if it is not, what is the point in having a new generation of digital law?” Ryan said.
The Commission was not readily available for comment by the time of publication.
[Edited by Zoran Radosavljevic]