DPC problems are not due to Irish legislation, ICCL tells EU Parliament LIBE Committee & Oireachtas Justice Committee

26 September 2022

James Lawless TD, Chair of the Oireachtas Justice Committee
Alan Guidon, Clerk to the Justice Committee 

cc. 
Maite Pagazaurtundúa MEP 
Clare Daly MEP
Birgit Sippel MEP
Paul Tang MEP
Gwendoline Delbos-Corfield MEP

Application of the GDPR and meeting with LIBE Committee

Dear Mr Lawless,

In the course of the Oireachtas Justice Committee meeting on 22^nd September a number of statements were made about the legal constraints under which the DPC operates. Some of the points made were incorrect and we wish to provide information to the Committee on those points:

1. National legislation does not unduly burden the DPC;
2. The Committee used the correct data in its report; and
3. The EDPS Conference was a missed opportunity for the DPC.

1. National legislation does not unduly burden the DPC

A view was expressed that Ireland’s national legislation delays the DPC’s delivery of draft decisions in cross-border cases to the European Data Protection Board, whereas authorities in Spain and other Member States are not so burdened.

However, we can identify no bar or hindrance in the Irish Data Protection Act to delay the DPC relative to its counterparts in other EEA jurisdictions, or prevent it from issuing sanctions in a timely manner.

First, it was asserted that the DPC is required to attempt amicable resolution, which delays its work and produces an anomaly in the EU IMI statistics. This is not the case. Points 1 to 4 of Section 109 of the Irish Data Protection Act state (emphasis added):

(1) For the purposes of section 108 (2)(a), the Commission shall examine the complaint and shall, in accordance with this section, take such action in respect of it as the Commission, having regard to the nature and circumstances of the complaint, considers appropriate. 

(2) The Commission, where it considers that there is a reasonable likelihood of the parties concerned reaching, within a reasonable time, an amicable resolution of the subject matter of the complaint, may take such steps as it considers appropriate to arrange or facilitate such an amicable resolution. 

(3) Where the parties concerned reach an amicable resolution of the subject matter of the complaint, the complaint shall, from the date on which the amicable resolution is reached, be deemed to have been withdrawn by the complainant concerned. 

(4) Where the Commission considers that an amicable resolution cannot be reached by the parties within a reasonable time, it shall proceed—

(a) in the case of a complaint to which section 113 applies, to comply with section 113 (2), or
(b) in the case of any other complaint, to take an action specified in subsection (5).

The words “considers appropriate” in Section 109 (1) and “may take such steps as it considers appropriate” in 109 (2) and “where the Commission considers” in 109 (4) give the DPC very broad discretion in whether to pursue amicable resolution or not. 

We note our grave concern about the DPC’s use of that discretion. The DPC’s most recent statistics report that the vast majority (86%) of cross-border complaints it handled were about the same ten companies.[1] EU data protection authorities collectively adopted formal EDPB guidelines against the use of amicable resolution in such cases where there is “likelihood of further violations in the future”.[2] Despite this, the DPC chose amicable resolution to resolve 86% of its cross-border complaints (545 complaints), [3] most or all of which concerned those same ten repeat offender companies. Amicable resolutions between one person and a data controller do not resolve systematic infringements affecting many other people, too.[4]

Contrary to the suggestion that the DPC’s cases fall into an unfair statistical limbo when it chooses to pursue amicable resolution, Section 109 (3) provides that amicably resolved complaints are deemed “withdrawn”. As a result the DPC does not proceed to the Article 60 process in Section 113, unless it decides (“as the Commission thinks fit”) to open an inquiry under Section 109(5)(e). It is evident in the EU IMI data that the 544 cross-border complaints that the DPC reports amicable resolutions for as of December 2021 are not counted as DPC IMI “cases”.[5]

Second, it was suggested that the DPC is not required to produce a decision in all cross-border cases because the legal threshold at which a decision is required is higher in Ireland than in Spain or elsewhere. But to the contrary, Section 113 of the Irish Data Protection Act requires that the DPC deliver a draft decision on every cross border complaint. The only time this does not arise is when a complaint has been withdrawn, which can follow the DPC’s choice to pursue amicable resolution.

2. The Committee used the correct data in its report 

It was stated that certain figures cited by the Committee in its report on the GDPR were “inaccurate” because they compare cases with complaints. Those figures appear to come from our report of 2021[6] and we affirm them.

First, it is a fact that the DPC had delivered only four draft decisions on cross border cases to the EDPB by the end of 2020.[7] This alone was an inescapable indication that people’s fundamental rights have not been adequately protected by the DPC. The figure is accurate and the Committee was right to cite it.

Second, measuring outcomes in cross-border EU matters requires counting data protection authorities’ cases (not just complaints) and the draft decisions delivered on those cases. A case can arise from a single complaint, or consolidate several related complaints, or may be opened by a data protection authority that proactively investigates something itself despite having received no complaints. EU IMI data are the only EU-wide source of live data for each data protection authority’s case load.

IMI data come with caveats: figures may be higher than counted if cases resulted in more than one decision, or where cases are still in the preliminary phase of identifying the roles of the lead authorities; or they may be lower than counted if cases include inactive cases or a data protection authority other than the lead authority leads a case. The IMI does not measure whether any of these high/low variables arise or have ever arisen. We have communicated to the European Commission our concern that no statistics for DPA’s backlogs can be used without caveat, despite the passage of six and a half years since the GDPR’s entry into force.

The EU IMI case statistics are not unfair to Ireland: the number of unresolved DPC cross border cases according to the IMI[8] is roughly half the DPC’s own count of outstanding cross border complaints.[9] You will also note the point already made above that amicably resolved cases are evidently not counted in the IMI as unresolved DPC cases.

Therefore, the Committee was right to refer to the IMI figures of the DPC’s backlog of 196 cross-border cases. Indeed, the German Federal Data Protection Authority had already cited these figures in writing to the LIBE Committee on 16 March 2021, and the DPC had had the opportunity to dispute them.[10]

3. The EDPS Conference was a missed opportunity for the DPC 

The value of the landmark EDPS conference of 16-17 June was highlighted at the meeting as a means of improving cooperation and standardisation between data protection authorities. It is therefore particularly disquieting that DPC declined the organiser’s repeated requests to participate.

I would be grateful if you would circulate this letter among the Committee Members. We are available discuss these matters with any Members of the Committee.

Yours sincerely,  

Liam Herrick

Executive Director