Little evidence from European Commission that it properly monitored Ireland’s application of the GDPR

Rosita Hickey
Director of Inquiries, European Ombudsman

cc.
Dr Emily O’Reilly 
European Ombudsman

6 October 2022

Complaint 97/2022/PB

Dear Ms Hickey,

1. The Commission has produced little to indicate that it has diligently monitored Ireland’s application of the GDPR, despite the passage of eight months since the EU Ombudsman first requested the President of the Commission to provide a detailed and comprehensive account. 
   
   
2. The chronology of materials received during this inquiry is revealing:

• • On 10 February this year, the EU Ombudsman made the decision that ICCL’s complaint was admissible. She requested that Commission President von der Leyen “provide a detailed and comprehensive account of the information that it has so far collected to inform itself as to whether the GDPR is applied in all respects in Ireland” by 15 May. 
    
    
• • On 2 March, the EU Ombudsman and the European Commission met to discuss the matters of the complaint. The Commission indicated that it had received a confidential report from the DPC, and shared this with the EU Ombudsman on 3 March. It also pointed to several other sources of information, including the EDPB and the EDPB’s rendering of IMI data, data protection authorities’ annual reports, two expert groups, and the Commission’s own report of June 2020. 
    
    
  • On 22 March, ICCL sent observations on the report of the meeting of 2 March to the EU Ombudsman, highlighting deficiencies in IMI data, recalling that the DPC’s annual report does not contain adequate data on cross-border complaints, and pointing out that the documented agendas and outputs of the expert indicated they were irrelevant to the subject of complaint. 
    
    
  • On 15 May, the European Commission said it was not in a position to reply by the deadline. 
    
    
  • On 25 May, the European Commission said it was still unable to reply. 
    
    
  • On 21 June, the Commission finally replied to the EU Ombudsman’s request of 10 February. It confirmed again that it relies on the information sources that it referred to at the 2 March meeting: the two previously cited expert groups, the EDPB and IMI statistics produced by the EDPB, direct contact with data protection authorities, and with Member States, and data protection authorities’ annual reports. The Commission again referred to the report it had produced June 2020, which it described as “detailed”. In addition, the Commission also referred to the DPC’s February 2021 note on cross-border statistics. 
    
    
  • On 24 June, ICCL sent observations to the EU Ombudsman on the Commission’s reply, highlighting again that the two expert groups cited by the Commission are irrelevant, and its June 2020 report is largely silent on the subject of the complaint. ICCL also pointed out again the problem of IMI statistics, and the lack of relevant information in the DPC’s annual reports. ICCL noted that the Commission pointed to only two recent meetings (one with the DPC and one with the Irish Minister for Justice) as evidence of its bilateral contacts. ICCL also drew to the Ombudsman’s attention problems in the DPC’s February 2021 statistical note and suggested that the Commission should have examined this more closely. 
    
    
  • On 1 July, ICCL sent a further observation to the EU Ombudsman on the IMI data and EDPB reporting. The EDPB had confirmed to ICCL that it has no IMI data on Member States’ case backlogs in cross-border cases. 
    
    
  • On 17 July, the EU Ombudsman replied to the European Commission’s letter of 21 June to say that the Commission’s response was “not a detailed and comprehensive account of the actual information that it has so far collected”. It therefore requested further information by 30 September and enclosed an appendix of questions. 
    
    
  • On 29 September, the European Commission replied to the EU Ombudsman. Its reply indicated no additional information beyond what it had already conveyed in the 2 March meeting and its response of 21 June, though it noted that it had now received additional confidential reports from the DPC on particular cases.

3. The Commission’s latest answers raise several concerns regarding i) its new position on the value of statistics, ii) the “overviews” it has now requested from the DPC, and iii) the Commission’s claim to have discharged its responsibilities to monitor by way of its June 2020 report.

The Commission’s new position on statistics

4. First, the Commission’s previous response of 21 June highlighted the role of statistics, and cited the EDPB statistics “as the most authoritative source” (while noting caveats). 
   
   
5. Yet, the Commission has taken a new position on the value and role of statistics in its latest response. It now argues that what it calls a “mechanical examination of statistics” will not distinguish between easy enforcement cases and more complex and difficult ones. 
   
   
6. However, our suggested proposal for a resolution (in ours to you of 24 June) was that the Commission should obtain regular detailed statistics that include information on “the types and scale of controllers concerned” for this very reason. 
   
   
7. The Commission now also argues that unspecified information derived from participation at EDPB meetings would provide a “qualitative assessment” of the progress of strategic cases. However, the EDPB, by its own admission, does not even possess data about how many cross-border cases each Member State is responsible for (see EDPB statement in our letter of 1 July):

“the EDPB does not specifically hold data on the total number of cases being currently subject to a cooperation procedure between LSA and CSAs on the basis of Art 60(1), (2), and (3) 1st sentence”.

DPC “overviews” 

8. Second, the Commission says that it requested “overview” information from the DPC regarding large scale inquiries, and now receives this every two months. Three questions arise:
   
   

   1. What other supervisory authorities are subject to the same request?
   2. What concern prompted the Commission to make this request to the DPC?
   3. Did the Commission request bi-monthly reporting from the DPC before or after the EU Ombudsman launched her inquiry?

9. We note that the Commission did not respond to our freedom of information request of 15 August regarding its communications with the DPC.

The Commission’s June 2020 report 

10. Third, the Commission argues that it has complied with the obligation upon it in Article 97(1) of the GDPR to report on the evaluation and review of the GDPR by 25 May 2020, and then every four years thereafter.
    
    
11. Article 97(1)(b) of the GDPR requires that the Commission evaluate and review cooperation and consistency. The Commission’s June 2020 report was 18 pages in total, and only a portion of that concerned cooperation and consistency. As we note in our observations of 24 June, the report was effectively silent on the subject of our complaint. The accompanying Staff Working Document[1] expended only 373 words on its “One stop shop” section, and its analysis of “challenges to be addressed” (for both the one-stop-shop and for other matters including cooperation and consistency mechanisms) occupied less than a single page. 
    
    
12. In addition to the question of whether the Commission adequately fulfilled its obligation under Article 97 of the GDPR in 2020, it also has the duty under Article 17(1) TEU to ensure that Regulation 2016/679 is properly applied, and under Article 258 TFEU to be able to conduct the “consideration” of whether a Member State has failed to fulfil an obligation under the Treaties. 
    
    
13. It should in any case be apparent to the Commission that a questionnaire circulated in early 2020 is not adequate. We are surprised that it suggests otherwise.

“Amicable settlement”

15. In addition to these concerns we also take the opportunity to address an incorrect assumption regarding peculiarities of Irish Law, which has been a feature in the Commission’s previous correspondence with us. 
    
    
16. There is no bar or hindrance in the Irish Data Protection Act preventing the DPC from issuing draft decisions in a timely manner. The DPC may choose entirely at its own discretion to attempt an “amicable resolution” when it receives a complaint. The words “considers appropriate” in Section 109 (1) of the Irish Data Protection Act, and “may take such steps as it considers appropriate” in Section 109 (2), and “where the Commission considers” in Section 109 (4), give the DPC very broad discretion in whether to pursue amicable resolution or not. 
    
    
17. We also note our grave concern about the DPC’s use of that discretion. The DPC’s most recent statistics report that the vast majority (86%) of cross-border complaints it handled were about the same ten companies.[2] EU data protection authorities collectively adopted formal EDPB guidelines against the use of amicable resolution in such cases where there is “likelihood of further violations in the future”.[3] This is for the obvious reason that amicable resolutions between one person and a data controller do not resolve systematic infringements affecting many other people, too.[4] Yet the DPC chose to use amicable resolution to resolve 86% of its cross-border complaints (545 complaints). [5] Statistically, most or all of these amicably resolved complaints must have concerned the same ten companies, and should not therefore be amicably resolved. 
    
    
18. The Commission has previously suggested that the DPC’s cases fall into an unfair statistical limbo when it chooses to pursue amicable resolution. That is not so. Section 109 (3) of the Irish Data Protection Act provides that amicably resolved complaints are deemed “withdrawn”. As a result, the DPC does not proceed to the Article 60 process in Section 113, unless it decides (“as the Commission thinks fit”) to open an inquiry under Section 109(5)(e). It is evident in the EU IMI data that the 544 cross-border complaints that the DPC reports amicable resolutions for, as of December 2021, are not counted as DPC IMI “cases”.[6] 
    
    
19. For completeness, we also note that Section 113 of the Irish Data Protection Act requires the DPC to produce a draft decision in all cross-border cases. The sole exception is when a complaint has been withdrawn, which occurs when the DPC has decided at its own discretion to resolve a case through amicable resolution.

Urgency

19. The Commission’s reply of 29 September suggests that whatever deficits may exist in the information at its disposal, they will all be resolved by the EDPB. We are deeply concerned by this position. 
    
    
20. It is now four and a half years since the GDPR was applied, and six and a half years since it entered in to force. The Commission can not absolve itself of its obligation to diligently monitor by gesturing toward the gradual evolution of the EDPB. This is inadequate. Previous EDPB harmonisation documents have taken several years to materialise. The DPC then declared them non-binding.[7] 
    
    
21. The Commission’s general approach to the question of Ireland’s application of the GDPR in its reply of 29 September is contrary to the statement made by Commission Vice President Vestager a few days later:

“there was distrust between Ireland – as an enforcer because of the principle of origin – and the member states where services were delivered. So, we made a system with better checks and balances [for the Digital Services Act], and the end result was that the Commission will be the enforcer when it comes to very large online platforms”.[8] 

According to Commission Vice President Vestager, it was necessary for the Commission to design the Digital Services Act in a way that avoided giving Ireland the responsibility it enjoys under the GDPR because of the country of origin principle. If co-legislators are concerned about Ireland’s application of the GDPR then the matter is undeniably significant and urgent.

22. The fundamental rights of all Europeans hang in the balance. But after eight months, there is no evidence that the Commission has taken adequate steps to collect the necessary information, or to examine the information it receives. Nor has it used its competence to request the relevant data from any source, or to obtain comparative data across the EU. Instead, it continues to cite irrelevant or inadequate information sources.

 Sincerely

Dr Johnny Ryan FRHistS
Senior Fellow