New US Senate Bill may stop Ireland processing US data, unless Ireland acts on GDPR enforcement

Ireland's digital sector threatened by a proposed requirement that data protection law must be properly enforced. 

This afternoon United States Senator Ron Wyden has proposed a new Bill to impose export controls on personal data about people in the US to countries that have inadequate data protections, or enforcement of data protection law. 

If Ireland (and any other jurisdiction) is designated as a jurisdiction with inadequate enforcement, then every significant company operating here will be unable to process the data of customers in the United States, unless the company first obtains an export license from the US Department of Commerce.[4] Obtaining these licences is difficult: these are the same restrictions that are applied to nuclear material.[5]

A company based in Ireland, or a data center operated in Ireland, would not be able to seamlessly deliver digital services to the United States. This would be a multi billion Euro[6] threat to the Irish economy, directly attributable to a failure to enforce the GDPR.

ICCL understands from those who wrote the draft Bill that Ireland’s failure to enforce the GDPR is of particular concern. The Bill intentionally uses language from the GDPR, and targets this enforcement failure. The draft Bill makes clear that merely enacting strong data protection law such as the GDPR is not enough. That law must be enforced.

This afternoon ICCL wrote ICCL has written to relevant ministers to alert them, and recommend urgent actions. Over the last eight months, ICCL has written to Ministers to warn of the hazards created by Ireland’s failure to enforce the GDPR. 

Download letter (PDF)
Image

Minister for Justice, Helen McEntee, TD. 
Acting Minister for Justice, Heather Humphreys, TD.
Minister for Finance, Paschal Donohoe, TD.

cc.
An Taoiseach, Micheál Martin, TD. 
An Tánaiste and Minister for Enterprise, Trade and Employment, Leo Varadkar, TD.
Martin Fraser, Secretary General, Department of the Taoiseach
Oonagh McPhillips, Secretary General, Department of Justice and Equality

15 April 2021

New economic risk: draft US Senate Bill
and Ireland’s GDPR enforcement 

Dear Ministers,

  1. US Senator Ron Wyden has this afternoon introduced a draft Bill that may have grave consequences for the Irish economy. I enclose a draft herewith for your careful attention.
  2. The draft Bill, titled “Protecting Americans’ Data From Foreign Surveillance”, restricts the export of US personal data to jurisdictions designated as having inadequate data protection: to “protect the covered personal data from accidental loss, theft, and unauthorized or unlawful processing”.[1] 
  3. This language is intentionally identical to the wording of Article 5 of the EU General Data Protection Regulation (GDPR).[2] We understand from those who drafted the Bill that Ireland’s failure to enforce the GDPR[3] is of particular concern. The Bill intentionally targets this failure.

Risk for Ireland

  1. If Ireland is designated as a jurisdiction with inadequate enforcement, then every significant company operating here will be unable to process the data of customers in the United States, unless the company first obtains an export license from the US Department of Commerce.[4]
  2. Obtaining these licences is difficult: these are the same restrictions that are applied to nuclear material.[5]
  3. This would be a multi billion Euro[6] threat to the Irish economy, directly attributable to a failure to enforce the GDPR.

The urgent need for enforcement

  1. As today’s draft US Senate Bill makes clear, merely enacting the GDPR as law is not enough. That law must be enforced. We have repeatedly written to Ministers to warn of the hazards created by Ireland’s failure to enforce the GDPR.
  2. On 28 September 2020, Liam Herrick of ICCL wrote to Minister McEntee to set out our concerns regarding the ability of the Data Protection Commissioner to fully and effectively execute her functions under the GDPR in relation to large technology companies whose regional headquarters are located in Ireland.
  3. On 1 February 2021, Mr Herrick wrote to Minister McEntee, copying the Taoiseach and Minister Donohoe, to again warn of the economic hazard of Ireland’s enforcement failure. As ICCL warned, other Member States would sidestep Ireland if the Irish Data Protection Commission did not take action, and Ireland would lose its position as the centre of data regulation in Europe.
  4. That letter also drew the Minister’s attention to criticism of Ireland’s GDPR enforcement from the European Court of Justice,[7] the European Parliament,[8] and from other Member State supervisory authorities.[9] 
  5. I enclose ICCL’s submission to the Joint Justice Committee of 26 March 2021. It outlines a pattern of enforcement failure, and concludes that Ireland is the bottleneck of GDPR enforcement against Google, Facebook, Microsoft, and Apple, everywhere in the EU.

Recommendation

  1. ICCL recognises the status of the DPC as a statutory body independent of Government. However, we also recognise the duty of the Government to ensure that Ireland meets its obligations under of the GDPR,[10] and to avoid the economic hazards of enforcement failure.
  2. The Government has obligations to ensure effective protection of rights across Europe where the DPC is the lead authority. This includes ensuring that the DPC is sufficiently resourced and is structured in such a way as to effectively fulfil its mandate. The Government must strengthen and reform the DPC so that it is capable of performing this task.
  3. ICCL proposes two urgent measures:

    i. The urgent appointment of two new Commissioners, as provided for in the 2018 Data Protection Act.[11] The Minister for Justice should use her power to designate a Commissioner as the Chair of the Commission.[12]

    ii. The Government should establish an entirely independent and broadly scoped review of how to reform and strengthen the DPC to discharge the tasks required of it under Article 57 of the GDPR.

  4. Action is urgently required to establish confidence for people across Europe that their data is being treated safely and legally, and to restore Ireland’s reputation as a regulatory leader.

Yours sincerely

Image

Dr Johnny Ryan, FRHistS

Senior Fellow, ICCL

 

encl.

Download letter (PDF)

Notes

[1] §1758A (b)(2)(B)(i)(II).

[2] GDPR, Article 5(1)f.

[3] Despite asserting its lead role in 196 EU-wide cases since the GDPR was applied 34 months ago, the DPC has delivered only 4 decisions. This was revealed in Ulrich Kelber’s letter to the European Parliament LIBE Committee, “Schreiben von Frau Helen Dixon (DPC) vom 09.02. und 12.03.2021” 16 March 2021 (URL: translation and original http://www.iccl.ie/wp-content/uploads/2021/03/Letter-BfDI-LIBE-on-Irish-DPC_EN.pdf).

[4] § 1758A (b)(2)(C).

[5] "Commerce Control List", Bureau of Industry and Security, US Department of Commerce (URL: http://www.bis.doc.gov/index.php/regulations/export-administration-regulations-ear).

[6] The IDA estimates that data centres brought 7+ €billion to Ireland between 2010 and 2017. "A Study of the Economic Benefits of Data Centre Investment in Ireland" IDA, May 2018 (URL: https://www.idaireland.com/newsroom/publications/ida-ireland-economic-benefits-of-data-centre-inves), p. 4.  This estimate is a small part of the value to Ireland from the provision of digital services across the Atlantic.

[7] The European Court described the DPC’s failure to act in a major case involving Facebook as “persistent administrative inertia”. See “Opinion of Advocate General Bobek, Case C‑645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit”, 13 January 2021 (URL: https://curia.europa.eu/juris/document/document.jsf?text=&docid=236410&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=194844), paragraph 114 and 135.

[8] The European Parliament passed a resolution saying it is “particularly concerned … that cases referred to Ireland in 2018 have not even reached the stage of a draft decision”. See "Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application", European Parliament, 2020/2717(RSP), (URL: https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=2020/2717(RSP)).

[9] Authorities in Germany, France, Spain, Italy, the Netherlands, Austria, and Hungary formally criticised how the DPC handled the only ‘big tech’ case that it has completed as lead authority so far. See “Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR”, European Data Protection Board, 9 November 2020 (URL: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_bindingdecision01_2020_en.pdf), p 8.

[10] In particular, the Irish Government’s obligations under GDPR Article 52(4).

[11] Section 15(1) of the Irish Data Protection Act 2018.

[12] Section 16(1) of the Irish Data Protection Act 2018.