Dealing with Data Protection Authority Inertia
My Irish friends tell me that it is the law in Ireland that you must never upset the fairies at the bottom of your garden because their revenge may be swift and deadly. Of course, this relies on an equally mandatory belief that those fairies actually exist and that they have the power to take action against you.
I was reminded of this when I read that the Oireachtas Justice Committee, the Justice Committee of the Irish Parliament, has published a report on the General Data Protection Regulation (GDPR) in which it was highly critical of the Irish Data Protection Commission’s (DPC) approach to handling complaints from data subjects.
The DPC, remember, is responsible for regulating the data processing activities of a large number of, mostly US-based, big tech companies under the GDPR’s “One-Stop Shop” mechanism, because those companies have decided to make Ireland their EU headquarter. Indeed, many digital rights activists believe that the rather light touch approach the DPC has historically taken when enforcing Irish data protection law was a not unimportant factor in those companies’ choice of HQ.
The Justice Committee voiced particular concerns about the DPC’s slowness when handling complaints. It highlights that “of the 196 cases in which the DPC asserted its status as lead authority in the EU between May 2018 and December 2020, it produced a draft decision in only 2% (or four) of these cases. This not only causes “significant issues with other DPAs in Europe and pose[s] a reputational risk to Ireland as a result”; the Committee also fears that “citizens’ fundamental rights are in peril”. It therefore recommends that the DPC, rather than “emphasising guidance”, should adopt “a culture of enforcement” by increasing the use of its sanctioning powers – particularly by issuing orders to stop infringers from processing data unlawfully and by imposing “dissuasive fines”.
The report struck a note because here, at DFF, we are currently considering a field building event in 2022 on how to counter DPA inertia. The idea behind such an event is to explore collaboratively, how digital rights organisations can act strategically to ensure that data protection authorities’ reluctance to enforce the GDPR to its full effect does not succeed in turning a framework designed to be a gold standard of fundamental rights protection into a paper tiger.
DPA enforcement inertia
The most prominent instances of enforcement inertia coming out of Ireland could, of course, be observed in the two cases named after Austrian digital rights activist Max Schrems, where significant effort was required to get the DPC to take any enforcement action at all.
Schrems had asked the DPC to prevent Facebook from sharing his personal data with its US parent company
In his original complaint, Schrems had asked the DPC to prevent Facebook from sharing his personal data with its US parent company. He argued that the DPC should prevent those transfers because, post-transfer, US law enforcement and intelligence services had extensive rights of access to the transferred data without US law providing the kind of fundamental rights protection that EU citizens are granted under the EU Charter. The DPC refused, meaning that Schrems had to take the case to the Irish High Court, from where it was referred to the CJEU. Although the EU court ruled that the transfers were indeed unlawful (because the safe harbour agreement on which the transfers were based was invalid), the DPC initially refrained from enforcing the judgment.
Instead, it allowed Facebook to continue the transfer on a different legal basis while asking the High Court for affirmation of this approach. The High Court duly referred this case to the CJEU too, where it met with an almost identical outcome.
While both decisions provide data protection nerds with a welcome amount of detailed case law on cross-border data transfers, one cannot help but wonder how the CJEU must have felt, when the second reference hit its doormat. “You again?”, they probably said. “Weren’t we clear the last time?”.
A friend in need is a friend indeed?
Of course, the real concern for digital rights organisations is that the DPC’s approach may be a feature rather than a bug. What if the obvious delaying tactics in both Schrems cases were in fact primarily designed to extend the period during which Facebook could continue transferring data to the US? And how difficult will it be now – after the second judgment – to ensure that those transfers are properly regulated?
The good news is that digital rights activists may not have to do this alone.
The DPC’s reputation for taking an “industry-friendly” line has clearly not escaped the notice of some of its Continental European brethren either
The DPC’s reputation for taking an “industry-friendly” line has clearly not escaped the notice of some of its Continental European brethren either. And because the DPC is now the lead authority for many data protection complaints brought by data subjects from other jurisdictions – which makes it a lynchpin in GDPR enforcement – some of those (continental) European DPAs are trying to use the full spectrum of measures available under the GDPR to seize the right to take action against big tech controllers where they fear that the lead authority may not do so.
However, the requirements of the One-Stop Shop under the GDPR severely limit the powers of other DPAs to circumvent the decision-making of the lead authority. In the Belgian case of Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit the CJEU held that, as a general rule, the lead authority remains responsible, even in cases involving cross-border processing, for adopting a decision, giving notice to the relevant controller or processor, and informing the other supervisory authorities concerned and the EDPB of the decision.
Limited exceptions to this rule exist, but only in circumstances where another DPA is competent to initiate proceedings in a way that respects the One-Stop Shop mechanism. This is possible, for example, where a DPA receives a complaint that relates solely to the processing activities by an establishment in its own member state or that substantially affects data subjects only in that member state (Article 56(2)). A DPA may also adopt provisional measures under the urgency procedure in Article 66 GDPR, if the lead authority has not provided the requested information in response to a request for assistance.
Most recently, the DPA of the German state of Hamburg availed itself of that second option when it published a decision that banned Facebook from processing personal data from WhatsApp users because it viewed the latter’s new user terms as illegal. It considered that final measures needed to be adopted urgently by the DPC as lead authority and it requested an urgent binding decision of the European Data Protection Board (EDPB) to that effect.
…the DPA of the German state of Hamburg availed itself of that second option when it published a decision that banned Facebook from processing personal data from WhatsApp users
Although the EDPB ultimately denied the Hamburg DPA’s request for urgent final measures by the DPC, it nevertheless acknowledged that there was a “high likelihood of infringements” by Whatsapp and Facebook. In its own urgent binding decision, the EDPB therefore requested the DPC to carry out, as a matter of priority, a statutory investigation to determine whether infringing processing activities are taking place or not. Cue packets of popcorn making their way into the microwaves of data protection activists all over Europe.
While it is an obvious target, the DPC is by no means the only culprit in the area of “industry-friendly enforcement”. Across the Irish Sea, the UK seems to pursue a similar objective even while taking a different approach. Its DPA, the Information Commissioner’s Office, is also not exactly renowned across Europe for the speed and severity of its enforcement action.
Like the DPC, the ICO has long favoured “guidance” and “working with industry” to the aggressive enforcement of data protection laws
Like the DPC, the ICO has long favoured “guidance” and “working with industry” to the aggressive enforcement of data protection laws. Most recently, it first suspended, then closed a complaint on adtech and real-time-bidding brought by digital rights organisation the Open Rights Group (ORG) and individual complainant Michael Veale, despite identifying considerable compliance concerns with regard to the technology and commercial practice in its own original report on the matter. It subsequently reopened the investigation after the co-complainants took the case for review to the Upper Tribunal. However, the approach still leaves a bad taste in the mouth.
There is also little hope for future improvement. As the current Information Commissioner’s tenure is now coming to an end, the Public Appointment procedure for the new Commissioner was launched earlier this year. Unlike the Irish Parliament Committee, it seems that the UK government openly wants to make the “industry-friendliness” of the new Commissioner part of the selection criteria – maybe in a bid, post-Brexit, to attract some of the big tech companies currently established in Ireland to UK shores. The appointment notice published in February 2021 emphasises, in particular, the role of personal data as a strategic (commercial) asset and sees the use of those data “as a huge opportunity to embrace”.
With that in mind, the UK is looking for a new Commissioner, who has “a key role to play to drive the responsible use of data across the economy, to build trust and confidence, and to communicate the wider benefits of data sharing for our society as well as for competition, innovation and growth”. This notion is reinforced by the job description, which specifically requires “experience of using data to drive innovation and growth, in industry, research or a scientific field”. Freshly out of the EU, it seems that the UK feels no longer constrained about “saying the quiet part out loud”, meaning that it is probably unlikely that the ICO will change its approach to enforcement any time soon.
Having said that, the times, they may be a-changing. After several years of enjoying a similarly “industry-friendly” reputation, news reached us in July that the Luxembourg data protection authority, Commission nationale pour la protection des donées (CNPD), has imposed a EUR 746 million fine on Amazon. Although the details of the breach that was sanctioned officially remain subject to CNPD secrecy obligations until the pending appeal has been concluded, it is widely believed that the fine related to Amazon’s use of its customers’ personal data for targeted advertising purposes. So maybe there is light at the end of the tunnel.
An “effective judicial remedy”?
In the meantime, though, the question remains as to how an activist should deal with reluctant DPAs. On the face of it, this should not be so difficult. The GDPR now specifically provides data subjects with a way to take remedial action for regulatory delay. Article 78(2) grants individuals a right to an “effective judicial remedy”, if the competent lead authority does not “handle” their complaint. This should, in theory, mean that complainants can take matters further not just in cases where they are unhappy with their DPA’s decision but also where they do not receive a decision at all. However, the proof of this particular pudding will very much be in the eating.
…the question remains as to how an activist should deal with reluctant DPAs
For a start, it will be interesting to see how DPAs and the courts will interpret the term “handle”. What level of activity will DPAs actually be required to evidence here?
As for the remedy itself, this is left to the member states themselves to create – in alignment with their own domestic legal systems. Some have done this in a relatively straightforward way, others… not so much.
For example, Germany simply refers claimants to the administrative courts (§20 Bundessdatenschutzgesetz) while the UK grants them a right to apply to the Information Tribunal (s.166 UK Data Protection Act 2018).
The Irish Data Protection Act 2018 – an unnecessarily complex piece of legislation seemingly designed to obscure more than to instruct – does mirror the GDPR by requiring the DPC to “handle” any complaint it receives from a data subject (s. 108(2) DPA 2018). It also grants complainants a right to apply to either the Circuit Court or the High Court, if the DPC fails to comply with this obligation (s.150(7)). However, the Act also seems to provide the regulator with ample opportunity to delay its own decision on a complaint with the full blessing of the law and hence delay the complainant’s right to challenge the absence of such a decision before the court.
Specifically, it grants the DPC the power to “arrange or facilitate […] an amicable resolution” of the subject matter between the parties “within a reasonable time” before its own enforcement obligation kicks in (s. 109(4)(b)). While this extra step may have some distant relation to the provisions of Recital 171 of the GDPR that encourages DPAs to “seek an amicable settlement” with the controller in purely domestic cases, it certainly constitutes a broad interpretation of those powers. Also, while it is often commendable, particularly in a commercial context, to encourage parties to seek a resolution to their disagreements before involving a court (or, in this case, a regulator), it is a curious approach to take when talking about the possible infringement of what is ultimately a fundamental right protected under the EU Charter.
In reality, this provision seems to stack the deck against the complainant in situations where there is already a considerable power imbalance between the controller and the data subject. For example, in the current environment, an individual’s ability to find an “amicable resolution” with Facebook with regard to its processing of that individual’s personal data is likely to be limited.
Revenge of the Fairies?
Given all this, how should digital rights organisations approach cases where the relevant DPA seems unwilling to do its job, particularly, where a reluctance to act is almost “pre-programmed” either in national law or in the culture of the organisation?
In the run-up to our field building event we are now seeking input from our network on this question. So, if you have any practical experience in dealing with a reluctant DPA in your own jurisdiction, if you have creative ideas on how the remedies established under Article 78(2) GDPR could be used more effectively, or if you just want to be included in the conversation, please email email@example.com quoting “DPA inertia” in the subject line. We will collect all ideas with a view to providing a space where we can collaboratively develop a strategic vision going forward.