New ICCL complaint against European Commission at EU Ombudsman

First Floor, Castleriver House,
14/15 Parliament Street, Dublin 2,
D02 FW60, Ireland
T:  +353 1 912 1640
E:   info@iccl.ie
W:  www.iccl.ie

Dr Emily O’Reilly
European Ombudsman

26 April 2023

Complaint regarding European Commission failure to monitor
application of the GDPR by all Member States 

Dear Dr O’Reilly,

1. We write to submit a complaint about the European Commission’s failure to uphold its obligations to monitor and collect the necessary information about the application of the GDPR by all Member States. We suggest that this complaint merits categorisation as a public importance case, and would be grateful if it could have your Cabinet’s direct attention.
   
   
2. This complaint concerns all Member States, not only Ireland. It follows our previous Complaint, 97/2022/PB, which solely concerned the Commission’s failure to collect the necessary information about Ireland’s application of the Regulation 2016/679 (the GDPR). We are grateful to you for launching your Inquiry into that matter on 10 February 2022, publishing your Decision on 19 December 2022, and correcting that Decision on 29 March 2023 following our request for review.
   
   
3. We have attempted to raise the subject of today’s complaint directly with the Commission. Regrettably, Commissioner Reynders has neither replied to our letter of 10 March nor our reminder letter of 17 April. We stress that today’s complaint should not be considered a failure to reply complaint. In any case, Commissioner Reynders has stated his position the subject of today’s complaint very clearly, as we outline in paragraph 11, below.
   
   
4. We note that the one-year period that the Commission allows itself to act on an infringement complaint, per the system it devised in 1977, does not apply to the matter of the Commission’s failure to monitor. This complaint concerns significant and ongoing maladministration over an extended period. We suggest that it merits rapid investigation.

The obligations of the Commission

5. The Commission has at least the following four obligations:

1. 1. Although Article 258 TFEU gives the European Commission discretion to decide whether to launch infringement proceedings against Member States, it also imposes two obligations on the Commission. The first obligation arises from the wording of the first clause of the first line of Article 258 TFEU (emphasis added):

      “If the Commission considers that a Member State has failed to fulfil an obligation under the Treaties, it shall deliver a reasoned opinion on the matter after giving the State concerned the opportunity to submit its observations. …”

      The determining factors are i) that “a Member State has failed to fulfil an obligation under the Treaties”; and ii) that the Commission “considers” this failure to have arisen. However, such a consideration is impossible to undertake without diligently monitoring Member States’ application of EU law. The Commission has the obligation to be able to undertake this consideration.

   2. The second obligation arises from the second clause of the first line of Article 258 TFEU (emphasis added):

      “If the Commission considers that a Member State has failed to fulfil an obligation under the Treaties, it shall deliver a reasoned opinion on the matter after giving the State concerned the opportunity to submit its observations. …”

      The Commission has the obligation to deliver a reasoned opinion, when its consideration indicates a failure on the part of a Member State.

   3. A third obligation arises in Article 97 of the GDPR. It provides that the Commission shall conduct evaluations and reviews of the GDPR every four years, after an initial review in the GDPR’s second year of application.
      
      
   4. A fourth obligation – or set of obligations – is defined in Article 17(1) TEU, which assigns to the Commission the guardianship of the treaties. It is thereby obliged to monitor the application of the GDPR by the Member States and ensure that it is properly applied by them.

6. The Commission has the power to gather the necessary information to fulfil these obligations. As you observed in your letter of further inquiry to the Commission on 17 July 2022:

“the Commission has full competence to request, from any source, the relevant data. This includes defining the detailed specific data requested, the way it shall be presented, and any related clarifications”.[1]

7. From the foregoing, it is clear the European Commission has (at a minimum) the obligation and power to diligently monitor Member States’ application of the GDPR and to deliver a reasoned opinion where any fail to fulfil their obligations.

56 month and ongoing data deficit

8. The Commission wrote to you in January with a commitment to now begin to gather information from all other Member States about their “large-scale investigations”. This new initiative confirms that the Commission has not gathered this information from the Member States previously.

9. The situation is somewhat different in the case of Ireland. The following circumstances are known from your Inquiry and Decision for Complaint 97/2022/PB about the Commission’s monitoring of Ireland’s application of the GDPR.

1. 1. First, although the GDPR became applicable on 25 May 2018, the Commission did not have an “established” practice of obtaining a bi-monthly overview from Ireland. The Commission received only two such “bi-monthly overviews” in the period from the GDPRs application in 2018 to early 2022. As we highlighted previously, it is notable that those two overviews were received in October and December 2021, after ICCL raised the data deficit in correspondence with the European Commission. This is why your corrected Decision rightly removes the reference to the Commission having “an established practice” of receiving case updates from the DPC on large-scale investigations. As your letter of 29 March noted, “the use of the term ‘established’ can give the impression that the practice was a long-standing one, which was not the intention”. 
      
      
   2. Second, your Decision rightly highlighted your “serious doubts as to the adequacy” of all other information that the Commission relied upon to monitor Ireland’s application of the GDPR, including the Irish Data Protection Commission’s (DPC) annual reports.[2] Therefore, there is a data deficit for the period before the commencement of bi monthly reporting in October 2022. The Commission lacks the necessary information to monitor Ireland’s application of the GDPR for a period of 41 months, from May 2018 to October 2022.
      
      
   3. Even after the commencement of bi monthly reporting, there remains a significant gap in the information provided to the Commission by the DPC. The Commission receives only reports about “large-scale cross-border investigations”. This creates a gap where the DPC has incorrectly used “amicable resolution” for matters that should be large-scale cross-border investigations. Our examination of the EDPB register of final decisions indicates that many of the DPC’s amicable resolutions fell into one or more of the following categories: 
      
      1. the issue was resolved only for the individual data subject who made a complaint, but continues to affect many other data subjects;
      2. the issue indicated systemic failures; or
      3. the issue arose from the same very large companies again and again.[3]

Using amicable resolution in such cases, rather than fully investigating them, is contrary to the guidelines agreed by vote by all of its counterparts at the European Data Protection Board (EDPB).^[4]

Irish law gives the DPC the discretion to choose whether to use amicable resolution or not.^[5] It is evident from the DPC’s own separately published statistics that it choses to use amicable resolution in the vast majority of Big Tech cases, contrary to EDPB guidelines: eight large-scale data controllers are the subject of 87% of the cross-border complaints the DPC receives.^[6] Despite that fact, the DPC reports that 83% of the cross-border complaints it has resolved were by way of amicable resolution.^[7] The result of the DPC’s choice to use amicable resolution in such cases is to put matters that it should have investigated as large-scale cross-border investigations outside the scope of the Commission’s current information gathering, because the Commission only collects bi monthly updates on matters the DPC has categorised as “large-scale cross-border investigations”. 

There therefore appears to be a very significant gap in the information provided to the European Commission  in the new bi monthly reports on “large-scale cross-border investigations”. The Commission has not taken steps to ensure that large-scale matters, irrespective of whether they are classified as “investigations” or not, do not slip out of the scope of its information collection.

10. In summary, the Commission did not collect the necessary information about the application of the GDPR by other Member States from the date of application of the GDPR in May 2018 to at least as late as January 2023. The Commission’s data deficit is at least as follows: 
    
    
    1. 1. for 56 months or longer for all Member States other than Ireland;
       2. for 41 months for Ireland, and an ongoing information gap thereafter.

11. In these circumstances, the Commission is obliged to remedy its historical data deficit. Regrettably, Commissioner Reynders refuses to do so. Last month, on 21 March, Commissioner Reynders made the Commission’s position clear in his reply to a question from Birgit Sippel MEP:

    “There will be no retroactive collection since the objective is to have information on the progression of important on-going investigations. This is what the Commission has already done for Ireland in the past years.”[8]

    We stress that Ms Sippel raised the matter with the Commission at our request. There is no separate process underway at the European Parliament to in any way preclude the European Ombudsman from launching an inquiry.

Consequences of Commission’s data deficit

12. This data deficit arises because the Commission did not diligently monitor Member States’ application of the GDPR. The deficit persists because the Commission has now also failed to gather the information retroactively. The Commission’s failure to collect the necessary information has the following consequences:

1. 1. The Commission has undermined its role and duty as guardian of the treaties: it cannot intervene because its failure to diligently monitor renders it unable to know whether to intervene. In November 2022, Commissioner Reynders told the Irish Minister for Justice that: “the Commission will act against any Member State in case of a systemic failure to act by its independent authorities”.^[9] However, the Commission’s failure to collect the necessary information over so long a period makes it impossible for the Commission to identify whether there is such a systematic failure. It has rendered itself incapable of making the “consideration” required in Article 258 TFEU.
      
      
   2. The Commission has announced it will shortly propose a Regulation “specifying procedural rules relating to the enforcement of the General Data Protection Regulation”. This Regulation is intended to “streamline cooperation between national data protection authorities when enforcing the General Data Protection Regulation (GDPR) in cross-border cases.”[10] But it is plain that the Commission can not properly consider what measures are required without the necessary information about how the GDPR has functioned thus far. The Commission is preparing legislation without the necessary information, despite that information being obtainable.
      
      
   3. In June 2020, the Commission published a report[11] purporting to evaluate and review the functioning of the GDPR, which it was obliged to do by Article 97 of the GDPR. It is now plain that it did so without having collected the necessary information. Its failure to diligently monitor Member States’ application of the GDPR meant that it was unable to properly review and evaluate the GDPR, too.

      As we noted in our letter to you of 24 June 2022, the Commission’s June 2020 report was effectively silent on the subject of our complaint. The longer Staff Working Document that accompanied the report[12] expended only 373 words on its “One stop shop” section,[13] and its analysis of “challenges to be addressed” (for both the one-stop-shop and for other matters including cooperation and consistency mechanisms) occupied less than a single page.[14]

   4. In May 2024, the Commission must produce a second review under Article 97 of the GDPR. But this is an impossibility because the Commission cannot evaluate the application and functioning of the GDPR without the necessary information for the full period.

Request

13. The Commission continues to fail to collect the necessary information despite the significance of the matter, and despite the matter being repeatedly brought to its attention. The consequences from the Commission’s failure to gather the necessary information put at risk the fundamental rights and freedoms of all who live in the Union.
    
    
14. We request that the Ombudsman launch an expedited examination of whether the Commission has collected the necessary information to diligently monitor Member States’ application of the GDPR.
    
    
15. We anticipate that the Ombudsman will wish to recommend that the Commission take the following steps:

1. 1. remedy the data deficit from May 2018 onward,
   2. ensure that no matter of large-scale significance that should have been treated as a large-scale cross-border investigation is allowed to fall outside the scope of its information collection

16. Consideration of the persisting severity of the matter suggests that there should be a finding of maladministration against the Commission.

Yours sincerely,