Reply to European Commissioner Reynders about failure to act on the GDPR

Didier Reynders
Wetstraat 200
1049 Brussels

cc. Věra Jourová, Vice-President, European Commission

14 December 2021

Application of Regulation 2016/679 (the GDPR)

Dear Commissioner Reynders,

1. Thank you for your letter of 1 December. We welcome your invitation to remain in contact.
   
   
2. We also welcome your concern for the resourcing of supervisory authorities. You must allow us to correct your suggestion that we err in highlighting a decline of total investment. Indeed, you observe this “lower pace” of increase in your letter. We agree.

Consistency and cooperation mechanisms

3. While we welcome your views on the consistency and cooperation mechanisms, these were not the subjects of our letter to you or of our complaint. It is impossible for any problems that may exist in the consistency mechanism to arise in 98% of Ireland’s lead authority cross-border cases for the simple reason that Ireland fails to deliver cross-border draft decisions in the first place. 
   
   
4. You refer to the Commission’s Communication of 24 June 2020. However, that report concerned “transfer of personal data to third countries and international organisations and of the rules on cooperation and consistency”. These were not subjects of our letter or complaint. 

Duty to diligently monitor 

5. For the avoidance of confusion, our letter to you of 13 September focused on the Commission’s duties to monitor and to intervene to uphold EU law. 
   
   
6. You refer to the Oireachtas cross-party Justice Committee’s recommendations as evidence of “steps taken at national level”. We must correct you on this point. These recommendations come not from the Irish Government, but from a parliamentary committee that is independent of government. Its recommendations are evidence that necessary steps have not been taken. Moreover, few if any of its recommendations were acted upon. 
   
   
7. Your letter referred to a recent sanction by the Irish DPC as an indication that there is no cause for the Commission to intervene. We suggest to you that a Member State’s single recent sanction cannot credibly be regarded in this way. 
   
   
8. You suggest the statistic regarding Ireland’s average time to formally decide on a cross-border case in the EDPB’s August 2021 report is accurate, and that our correction of that statistic was mistaken because we did not take account of the fact that Irish law allows for an amicable resolution, which leads to the withdrawal of complaints. However, we rely on IMI data. In the IMI, a supervisory authority can mark a case closed or withdrawn, because of amicable resolution or for any other reason.[1] 
   
   
9. The EDPB’s August 2021 report includes a section titled “Number of cross-border enforcement cases”. This presented a chart titled “Number of cross-border cases per LSA & CSA”.[2] The table on the chart shows Ireland as “LSA” for “164” and “CSA” for “348”. These data are from the IMI case register. 
   
   
10. The IMI case register appears to be the only Union-wide source of data about each supervisory authority’s case backlog. If its data are deficient, then the Commission cannot fulfil its duty to effectively monitor the application of the GDPR. 

Duty to intervene requires effective monitoring 

11. You suggest that “it is only if and when actions taken at national level are insufficient that [the] Commission’s intervention is necessary”. However, Article 258 TEFU provides two deciding factors. First, that “a Member State has failed to fulfil an obligation under the Treaties”. Second, that the Commission “considers” this failure to have arisen. It is impossible for the Commission to undertake this consideration without first diligently performing its duty under Article 17(1) TEU to effectively monitor Member States’ application of the law. When the Commission fails to fulfil its duty to monitor, it inevitably fails to fulfil its duty to intervene, too. 

Yours sincerely,