ICCL alerts Irish Government of strategic economic risk from failure to uphold the GDPR

This note makes public a letter to the Irish Government describing how Ireland is being sidestepped as a regulatory center. 

EU Member States are sidestepping Ireland to enforce the GDPR. This threatens Ireland's position in the global digital economy.

It also puts at risk the European Commission's proposed new role for Ireland as a regulator of large platforms, which is contemplated in the new Digital Services Act proposal.

This letter sets out these concerns, and proposes a remedy. The full text of this letter is copied below. You can download the PDF here.


Minister for Justice, Helen McEntee TD.

By Email

cc.
An Taoiseach, Micheál Martin TD
Minister for Finance, Paschal Donohoe TD

Martin Fraser, Secretary General, Department of the Taoiseach
Oonagh McPhillips, Secretary General, Department of Justice
Derek Moran, Secretary General, Department of Finance

1 February 2021

Hazard to Ireland’s place in the global digital economy,
and to the rights of individuals.

Dear Minister

  1. You will recall that on 28 September 2020, I wrote to you to set out our concerns regarding the ability and capacity of the Data Protection Commissioner to fully and effectively execute her functions under the General Data Protection Regulation, with specific reference to her role as the Lead European Supervisory Authority in relation to large technology companies whose regional headquarters are located in Ireland. 

  2. As set out in that letter, the Irish Council for Civil Liberties (ICCL) is concerned that the failure of the Data Protection Commissioner to execute these functions effectively jeopardised the data rights of all persons within the European Union. At this point, we feel it is necessary to raise with you our concerns about further significant developments over the intervening months. At this point, we believe that ongoing inadequacy in enforcement of GDPR by the Data Protection Commission not only presents a serious failure with regard to the vindication of data rights, but also threatens the position of Ireland as the centre of data regulation in Europe. Our view is that failure to uphold the fundamental right of individuals now carries an additional strategic economic risk to Ireland.

  3. Ireland’s “Lead Supervisory Authority” for all firms that claim a European headquarters in Ireland, including Google and Facebook, promised significant benefit to Ireland’s status and role in the global digital economy. However, recent developments indicate that despite its special status, Ireland may be sidestepped by other Member States because of concerns about LSA management of investigations and enforcement.

Recent developments 

  1. On 13 January, the European Court of Justice published Advocate General Bobek’s opinion on the question of whether the Belgian Data Protection Authority sought the power to enforce directly against Facebook, despite the Irish Data Protection Commission being Facebook’s Lead Supervisory Authority. 

  2. The opinion says that other Member States can directly enforce against firms headquartered in Ireland in order to remedy “persistent inertia from the LSA in charge”. 

  3. The opinion includes a pointed description of “persistent administrative inertia”:

“in which an LSA [Lead Supervisory Authority] - for lack of expertise and/or staff, or for whatever other reason – fails to take any meaningful action in order to investigate possible breaches of the GDPR and, where appropriate, enforce its rules.”[1]

Note that the case concerned Facebook, and the LSA in question is the Irish Data Protection Commission.

  1. The Advocate General’s conclusion was that other Member States can sidestep Ireland and act directly if the Irish Data Protection Commission fails to take action where action is urgently required. This reflects Article 66 of the GDPR, which allows an enforcer in a Member State other than the “lead” to directly enforce if it believes there is “an urgent need to act in order to protect the rights and freedoms of data subjects”.

  2. Other Member States have started to use Article 66 to sidestep Ireland. For example, in August 2019, the Hamburg Data Protection Authority sidestepped the Irish Data Protection Commission, and used Article 66 to directly launch administrative proceedings against Google’s “voice assistant”.[2]

  3. Most recently, on 22 January 2021, the Italian Data Protection Authority sidestepped the Irish Data Protection Commission and responded to the death of a young girl arising (from activity on Tik-Tok) with a ban on the processing of data.[3]

  4. It has been widely reported that other Member States believe the Irish Data Protection Commission is unable to efficiently discharge its duties under the GDPR. For example, Germany’s federal enforcer equates Ireland’s approach to regulating Facebook with the “go-slow” approach of Germany’s automotive regulator on diesel emissions fraud.[4]

  5. Of particular concern is a report published on 9 November 2020 by the European Data Protection Board, which comprises all Member State supervisory authorities. It details formal criticisms from Germany, France, Spain, Italy, the Netherlands, Austria, and Hungary of how the Irish Data Protection Commission handled an important investigation into Twitter. They said that the Irish Data Protection Commission did not properly understand the roles of Twitter’s subsidiaries, incorrectly identified Twitter’s GDPR infringements, and administered the incorrect penalty.[5] No such report has been published about a supervisory authority of any other Member State.

  6. We anticipate other Member States will therefore begin to routinely exploit the Article 66 mechanism to sidestep the Irish Data Protection Commission in future.

Future opportunity

  1. The implication extends beyond the GDPR. On 15 December 2020, the European Commission proposed a Digital Services Act that contemplates a “one stop shop” mechanism like that in the GDPR, in which the Member State where a large company has its headquarters is the lead authority across the Union.[6] The European Commission’s proposal would therefore give Ireland jurisdiction across the Union. This would add to Ireland’s pre-eminence as a location for business in the European Union, and increase its influence in the global digital economy.

  1. However, if Member States find that they must use the Article 66 mechanism to avoid what Advocate General Bobek refers to as “persistent administrative inertia” in Ireland, the prospects for this new proposal are dim. It is unlikely that the European Parliament or Member States will countenance such a situation if Ireland does not efficiently handle its existing lead authority responsibility under the GDPR. In short, we anticipate that the Commission’s proposal will not survive the trilogue process unless there is a significant change in how other Member States view the Irish Data Protection Commission – and perhaps in how the European Court of Justice views it, too.

  2. The 2018 Data Protection Act provides for a college of three commissioners.[7] At present, the Irish Data Protection Commission is entirely run by one commissioner. We propose the urgent appointment of two new commissioners to allow the Commission to fully and effectively fulfil its mandate. We further propose that once the full complement of Commissioners is in place, that the Minister put in place a separate process for the designation of one member as Chair of the Commission.[8]

Yours sincerely,


Liam Herrick

Executive Director
Irish Council for Civil Liberties

 

encl. 
Letter of 28 September 2020


Notes

[1]  “Opinion of Advocate General Bobek, Case C‑645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit”, 13 January 2021, paragraphs 114 and 135.

[2]  “Speech assistance systems put to the test - Data protection authority opens administrative proceedings against Google”, (URL: https://datenschutz-hamburg.de/assets/pdf/2019-08-01_press-release-Google_Assistant.pdf).

[3]  “Tik Tok: dopo il caso della bimba di Palermo, il Garante privacy dispone il blocco del social”, Garante per la protezione dei dati personali, 22 January 2021 (URL: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9524224).

[4]  "German regulator says Irish data protection commission is being 'overwhelmed'", The Irish Times, 3 February 2020.

[5]  “Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR”, European Data Protection Board, 9 November 2020, p 8.

[6]  Article 38 and Article 40 of Proposal for a regulation of the European Parliament and of the Council on a Single Market for Digital Services (digital services act) and amending directive 2000/31/EC, 15 December 2020.

[7]  Section 15(1) of the Irish Data Protection Act 2018

[8]  Section 16(1) of the Irish Data Protection Act 2018