17 May 2021
On 27 April ICCL testified at the Joint Oireachtas Justice Committee (Irish Parliament) about problems at the Irish Data Protection Commission (DPC). See the video here https://www.oireachtas.ie/en/oireachtas-tv/video-archive/committees/4074
ICCL strongly supports the role of the DPC. Indeed, ICCL has been at the forefront of supporting the independent enforcement role of the DPC on contentious issues such as its report on the Public Service Card, where Government has refused to comply with the findings of the DPC’s report into that issue.
However, ICCL also believes there are significant issues that must be addressed.
We raised the fact that almost 1,000 days after receiving evidence of the largest data breach of all time, the DPC has yet to act upon it.
We also told the Committee about the hazards for Ireland of the DPC's failure to enforce the GDPR.
This note summarises ICCL’s two key recommendations, and also deals with two issues that arose at the hearing.
Recommendation 1:
On the issue of a review of the operations of the DPC, ICCL welcomes the DPC’s openness to a review of its operation. It is essential that any such review should be independent of the body that is the subject of that review. A consultation process on the future strategic plan of the DPC, or any internally commissioned review of its operations, would clearly not be sufficient.
We suggest that the procedural improvements suggested by Dr Logue and Mr Schrems be considered as part of the independent review.
Recommendation 2:
On our proposal that Government should appoint additional commissioners, as is provided for in the Data Protection Act, ICCL welcomes Members’ support for moving to three commissioners.
We urge the Committee to recommend these measures to Government as a matter of urgency.
In addition, we highlight two items that arose at the hearing for the Committee’s consideration.
1. For the avoidance of any doubt on the part of the DPC about its responsibilities, ICCL wishes to make it known that the DPC is required to investigate every complaint, and inform the complainant of the outcome, per Article 57(1)f of the GDPR. The only exception is if a complaint is withdrawn by the person who made it. There may have been confusion about this responsibility in the Commissioner’s testimony. We elaborate in Appendix A, below.
2. ICCL is concerned that the Commissioner dismissed criticism from the European Court of Justice, European Parliament, and from Germany, France, Italy, Austria, the Netherlands, and Hungary, from the UK Competition & Markets Authority, and from the three other witnesses called by the Committee. We set out the factual basis on which these critiques are grounded in Appendix B, below.
ICCL commends the Committee for focusing on this problem. We believe it is critically important, and are available to assist the Committee and Members as they deliberate on the problems of the DPC.
The DPC has a legal obligation to investigate all complaints, and to inform complainants of the outcome.
The Commissioner’s testimony raises a concern that the DPC may have an imprecise understanding of the legal obligation on it to investigate every complaint, and to notify every complainant of the outcome.
The Commissioner said in an answer to a question from the Chair of the Committee, James Lawless, TD, that “the only obligation on the DPC now is to handle a complaint to the extent appropriate”.[1] She elaborated on this point in her reply to a question from Martin Kenny, TD. The Commissioner said that previously, before the application of the GDPR, the DPC had been required to “investigate every complaint and to produce a decision if the complainant so required”.[2] She appears to think that this obligation no longer applies under the GDPR:
“However, there is no obligation on the DPC under the 2018 Act to produce a decision in the case of any complaint. We are obliged to seek to resolve it amicably and then otherwise produce an outcome, which may not be a decision.”[3]
For the avoidance of any misunderstanding on the part of the DPC about its responsibilities, ICCL wishes to make it known that the DPC is required to investigate every complaint, and inform the complainant of the outcome, per Article 57(1)f of the GDPR. The only possible exception is if the complaint is withdrawn by the person who made it.[4]
For the further avoidance of doubt, ICCL also clarifies four points about the DPC’s responsibilities under the GDPR and the Irish Data Protection Act 2018.
First, Article 57(1)f of the GDPR says that each supervisory authority shall:
“handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary”
This means that the DPC shall “handle complaints” and shall “investigate, to the extent appropriate…”. It shall also “inform the complainant of … the outcome of the investigation”.
Second, the Irish Data Protection Act 2018 provides that the DPC can facilitate an amicable resolution,[5] which will cause a complaint to be deemed withdrawn if successful.[6]
Third, Section 122(4) requires the DPC to take an “action” on all complaints (unless they are withdrawn). Section 122(5) requires the DPC to notify all complainants in writing about the action it has taken.[7] The “actions” defined in Section 122(4) are as follows:
“(a) rejection of the complaint;
(b) dismissal of the complaint;
(c) provision to the complainant of advice in relation to the subject matter of the complaint;
(d) serving on the controller or processor concerned of an enforcement notice, requiring it to do one or more than one of the following:
(i) comply with the data subject’s request to exercise his or her rights under a relevant provision;
(ii) bring processing into compliance with a relevant provision, in a specified manner and within a specified period;
(iii) where the enforcement notice is given to the controller, communicate a personal data breach to data subjects;
(e) causing of such inquiry as the Commission thinks fit to be conducted in respect of the complaint;
(f) taking of such other action in respect of the complaint as the Commission considers appropriate.”
In addition, Section 125(1) of the Act provides that the DPC shall make a “decision” about whether there has been an infringement, and Section 126(b) provides that the DPC shall notify the complainant of this.
The DPC is therefore required by the Act to notify every complainant about the “action” it has taken on their complaint. This action may include a “decision”.
Fourth, the words “action” and “decision” in Section 122 and 124 of the Act are not used in Article 57 of the GDPR, which defines the tasks of all GDPR supervisory authorities. Instead, that Article uses the words “outcome of investigation”. The supremacy of European Law means that any confusion arising from the Act’s use of “action” and “decision” is irrelevant.
Therefore, the DPC is required to investigate every complaint and inform the complainant of the outcome, per Article 57(1)f of the GDPR. It is for the DPC to decide “the extent appropriate” to the investigation. The DPC’s obligation to investigate a complaint ceases to apply when a complaint is withdrawn, as recognised in Section 122(3) of the Irish Data Protection Act.
This point is critical to the question of effective enforcement of GDPR and ICCL would urge the Committee to seek further clarification from the DPC on its understanding of its obligation to reach an outcome in each investigation.
Statements and Comments of the Commissioner during the Hearing of 27 April 2021
Commissioner dismisses criticism from other witnesses called by the Committee
The testimony of the three other witnesses (Dr Johnny Ryan of ICCL, Max Schrems of Noyb, and Fred Logue of FPLogue Solicitors) was critical of the DPC’s performance.
The Commissioner said “the problem, some of which we have seen this evening, is that it seems very easy for those who are determined to criticise the DPC”.[8] The Commissioner also referred to testimony given by Dr Ryan of ICCL, Max Schrems, and Fred Logue as an “imbalanced set of views”. ICCL is alarmed that the Commissioner dismissed criticism in this manner.
ICCL has supported the DPC on matters such as the Public Services Card and a wide range of State surveillance issues. ICCL hopes to be able to support the DPC on many other matters. However, it is the mission of ICCL to defend rights without fear or favour. Where rights are not upheld by those with the statutory responsibility to do so, ICCL must call attention to this fact and work to correct it. There is no other “determination” at play and we strongly reject any suggestion to that effect.
Max Schrems is perhaps Europe’s preeminent data protection expert, and is in the remarkable position of having been vindicated by the European Court of Justice in disputes with the DPC on two separate occasions. Senator Byrne rightly noted the “enormous contribution” made by Mr Schrems on data protection matters.[9]
Dr Fred Logue is a practising solicitor of good standing. We note that Dr Logue has previously supported the DPC on matters such as the Public Services Card,[10] and matters such as the DPC v the Court Service.[11]
These witnesses were chosen by the Oireachtas Justice Committee. We are surprised by the Commissioner’s suggestion that the Committee should have picked different witnesses who could express views supportive of the DPC’s performance.[12] It is not for the Commissioner to dictate what witnesses the Committee should hear from.
We are also alarmed that the Commissioner appears to have criticised the Committee for not relying on the annual report that she had published.[13] Indeed, as became clear at the hearing, Committee Members had read the DPC’s annual report, and questions remained to be answered.
If it is suggested that the Committee might wish to hear from further leading experts in this area, we can recommend several who have intimate experience of these issues.
Uncontested facts
In fact, ICCL presented facts that the Commissioner did not contest. We reiterate them here:
1. Almost three years after receiving information (and a formal complaint) about the vast “Real Time Bidding” (RTB) data breach, and two years after opening an investigation into that breach, the DPC has not yet produced an issues paper setting out the issues that it plans to investigate. This is a test case of international significance.
It is therefore apparent that there are unacceptable delays in investigating critically important cases at the DPC.
2. As of the beginning of this year, the DPC had produced decisions in only 4 of 196 EU cases for which it was lead authority. Since the DPC is the lead authority for Google, Facebook, Microsoft, and Apple, the DPC’s 98% backlog of EU cases prevents progress across the EU.
The DPC’s vast backlog of EU-wide cases is undeniable.
3. As ICCL revealed earlier this year, the DPC’s “Lotus Notes” project is chronically delayed, five years after being announced and having cost the taxpayer more than €1 million so far. A former DPC employee told ICCL it is "like trying to run your payroll system with an abacus".
ICCL believes that the failure of the DPC to put in place an adequate case management and IT system gives rise to serious concerns about its capacity to fulfil its statutory functions.
Commissioner dismisses criticism in ECJ opinion
In her testimony to the Committee, the Data Protection Commissioner quoted the opinion of ECJ Advocate General Bobek of 13 January 2021. She said that ICCL “has called in aid a completely erroneous interpretation of the opinion”.[14] In addition, she said:
“the Advocate General said that the GDPR, and its implementation and enforcement, is in its infancy and criticised those who were seeking to undermine it with speculation regarding under-enforcement of the GDPR”.[15]
But in fact, the Data Protection Commissioner has quoted parts of the opinion that concern matters that ICCL did not raise.
The Commissioner’s quote refers to the discussion in that ECJ opinion of a “challenge to the new cooperation mechanism introduced by the GDPR”[16] arising from the Belgian Privacy Commission’s allegation that lead supervisory authority underenforcement requires a fundamental change to the one-stop-shop mechanism.[17] The opinion said that this hazard was hypothetical[18] and the GDPR was still in its infancy.[19] The Advocate General was therefore unwilling to attempt to “predict … in the context of a single, or indeed rather singular, procedure – how the mechanisms set up by that regulation will work in practice, and how effective they will be”.[20]
In short, Advocate General Bobek had no interest in extending the facts of a single case to a broader analysis of whether the GDPR “one stop shop” cooperation mechanism should be altered. Nor does ICCL.
For the avoidance of any doubt, ICCL has expressed no interest in challenging the GDPR cooperation mechanism. To the contrary, ICCL fears that reopening the text of the GDPR for redrafting in order to modify the cooperation mechanism could create opportunities for large data controller lobbying to dilute the GDPR’s strong protections. The Commissioner’s reference to these issues is irrelevant to ICCL’s observations.
Rather, ICCL brought five facts to the Committee’s attention.
First, the ECJ opinion said that supervisory authorities can potentially be faced with “persistent inertia” from the lead supervisory authority in charge.[21]
Second, the DPC was the lead supervisory authority in charge in the case.[22]
Third, the parties in the case under consideration were Facebook[23] and the Belgian Privacy Commission. The ECJ opinion concerned a reference from the Brussels Court of Appeal in a dispute between the Belgian Privacy Commission and Facebook about the exclusive powers of the DPC as lead supervisory authority.[24]
Willem Debeuckelaere, then head of the Belgian Privacy Commission, asserted his Commission’s powers in the context of its frustrated attempts to secure assistance from the DPC to enforce against Facebook. This is described in ICCL’s written submission to the Committee.[25]
ICCL notes in that submission that Debeuckelaere told ICCL that “the Irish authority is not the least bit supportive and seems to be pulling out all the stops to avoid taking a decision”.[26]
Fourth, with these facts in mind, and despite the fact that the Appeals Court had not asked the ECJ to remedy the problem of a lead supervisory authority that fails to act promptly,[27] the ECJ opinion speaks of the GDPR’s
“mechanisms to overcome situations of administrative inertia. Those are, in particular, the situations in which an LSA [lead supervisory authority] – for lack of expertise and/or staff, or for whatever other reason – fails to take any meaningful action in order to investigate possible breaches of the GDPR and, where appropriate, enforce its rules”.[28]
Fifth, the ECJ opinion in this case, in which the DPC is the lead supervisory authority, and where the Belgian Privacy Commission is fighting to assert its enforcement powers and right to litigation because it alleges that the DPC has failed to act, concludes that
“any supervisory authority may adopt urgent measures where the appropriate conditions are fulfilled. There are, furthermore, situations in which the urgency of the measures is presumed. That may be so, for example, in cases where an SAC [supervisory authority concerned] is potentially faced with persistent inertia from the LSA [lead supervisory authority] in charge. Since Article 66(1) of the GDPR provides for a wholesale setting aside of the consistency mechanism, it is fair to assume that in such an exceptional situation, the entire range of powers vested in a supervisory authority (which under normal circumstances is not to be exercised because it is blocked by the special rules on the competence of an LSA for cross-border processing) is revived and may be temporarily exercised. This, therefore, naturally includes the power to commence legal proceedings pursuant to Article 58(5) of the GDPR”.[29]
It is unwise for the DPC to interpret this as unrelated to its performance as lead supervisory authority of Facebook thus far.
It is also evident that this allows Ireland to be sidestepped. Further proof of this has emerged since ICCL made its written submission to the Committee: Hamburg used the procedure to sidestep the DPC on 13 April 2021, against the Facebook subsidiary WhatsApp.[30]
ICCL also makes a final observation. The ECJ opinion notes:
“As a matter of principle, the GDPR requires, in cases concerning cross-border processing, the LSA to act promptly. In particular, under Article 60(3) of the GDPR, an LSA must ‘without delay, communicate the relevant information on the matter to the other supervisory authorities concerned [and] without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views’”.[31]
This statement from the ECJ should encourage a reflection on how to reform and strengthen the DPC to protect us in the data age.
Commissioner dismisses criticism from European Parliament
The Commissioner claims that the Parliament “failed to engage with the DPC in coming to the views it expressed in resolutions”.[32] It was the Commissioner who refused to give testimony to the European Parliament when invited.
The Commissioner testified at the Oireachtas Justice Committee that there was “a particular onus on [the European Parliament] to ensure its information is accurate, which did not occur”.[33]
In fact, the European Parliament received critically important information from Professor Ulrich Kelber, the German Federal Commissioner for Data Protection and Freedom of Information:
“As of 31.12.2020, Ireland had the European lead in 196 proceedings. However, only four proceedings were concluded by a final decision.”[34]
Ms Dixon did not provide this information. She did not provide it to the European Parliament, or to the Oireachtas Justice Committee, or include it in her annual report. The DPC’s annual report mentions that the DPC has taken four “large scale inquiry” decisions, but not that this amounts to only 2% of the EU cases in which the DPC is required to issue a decision.[35]
The Parliament’s statement that cases referred to the DPC in 2018 remain unresolved is an indisputable fact.
ICCL has no view on the Parliament’s statement about political will and resources. We note, however, the Commissioner’s response to Lynn Ruane, TD:
“looking back at the budget we have been granted over the past couple of years, we have generally been granted close to what we required on the pay side of the budget. … we did not use up our full budget”.[36]
This suggests that although the Commissioner mentioned a problem of office space, she feels no urgent dearth of resources, or a lack of political will to supply them.
Commissioner dismisses criticism from EU supervisory authorities
The Commissioner dismissed detailed technical criticism from her counterparts in Germany, France, Spain, Italy, the Netherlands, Austria, and Hungary at the hearing:
“Let us put the criticisms from other EU data protection authorities in context. If we go back and look at the original proposal from the European Commission for a new regulation in 2012, we can see that the same data protection authorities that are criticising Ireland and the one-stop-shop were on record as rejecting the concept of the one-stop-shop and any role for the Commission in encroaching on regulatory roles that were the purview of national data protection authorities prior to that so it is no surprise there is a political element to the criticisms being made.”[37]
This is a remarkable statement. The Commissioner has dismissed criticism from her peers by impugning their motives, and we can only assume that this striking public statement may further damage the DPC’s relationship with its European counterparts.
ICCL has acquired some of the detailed technical criticisms from the other Member States that are at issue, under Freedom of Information. We can attest that these criticisms are substantial and detailed. ICCL can make these documents available.
Notes
[1] Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 22.
[2] ibid., p. 28.
[3] ibid.
[4] Irish Data Protection Act, Section 122(3).
[5] Section 122(2).
[6] Section 122(3).
[7] Section 122(5).
[8] Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 20.
[9] Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 8.
[10] For example, see "Public Services Card scandal: ‘Consistent disregard displayed for private data’", The Irish Examiner, 17 August 2019 (URL: https://www.irishexaminer.com/lifestyle/arid-30944485.html)
[11] For example, see "Courts Service breached data law by publishing man’s name", The Irish Times, 7 February 2020 (https://www.irishtimes.com/news/crime-and-law/courts-service-breached-data-law-by-publishing-man-s-name-1.4164590).
[12] Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 31.
[13] ibid., p. 20.
[14] ibid., p. 21.
[15] Helen Dixon’s recorded testimony, Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 21.
[16] Paragraph 109, “Opinion of Advocate General Bobek, Case C‑645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit”, 13 January 2021 (URL: https://curia.europa.eu/juris/document/document.jsf?docid=236410&doclang=EN).
[17] Paragraphs 108, 123, and 124, ibid.
[18] Paragraph 123, ibid.
[19] Paragraph 125, ibid.
[20] Paragraph 125, ibid.
[21] Paragraph 135, ibid.
[22] “With regard to the cross-border processing at issue, the lead supervisory authority would be the Irish Data Protection Commission”. Paragraph 24, ibid.
[23] Facebook Ireland Limited, Facebook Inc., and Facebook Belgium BVBA.
[24] Facebook argued that the GDPR one stop shop mechanism stripped the Belgian Privacy Commission of the power to take administrative action or legal proceedings against its data processing. The Belgian Privacy Commission contested this, arguing the one-stop-shop did not limit its ability to litigate, and that it also retained the power to take administrative actions in its own territory. Paragraphs 8-11, “Summary of the request for a preliminary ruling pursuant to Article 98(1) of the Rules of Procedure of the Court of Justice”, Case C-645/19, European Court of Justice (URL: https://curia.europa.eu/juris/showPdf.jsf?text=&docid=225747&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=12276785).
For background, see previous decisions by Brussels Court of First Instance in favour of the Belgian Privacy Commission against Facebook in proceedings that began in 2015. Brussels Court of First Instance ruling (translated) of 16 February 2018 at http://www.iccl.ie/wp-content/uploads/2021/04/Brussels-Court-of-First-Instance-Facebook.-16-Februar-y-2018.pdf. See also previous ruling of 9 November 2015 (Dutch language) at http://www.iccl.ie/wp-content/uploads/2021/04/Facebook-v-Gegevensbeschermingsautoriteit-RechtbankvanEersteAanlegBrussel9november2015.pdf.
[25] "Economic & Reputational Risk of the DPC’s Failure to Uphold EU Data Rights Submission to the Joint Oireachtas Committee on Justice", ICCL, March 2021, p. 8.
[26] Debeuckelaere in correspondence to ICCL. Previously cited on p. 6 of written submission to the Committee.
[27] The six questions referred to the Court are listed in paragraph 25, “Opinion of Advocate General Bobek, Case C‑645/19 Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit”, 13 January 2021 (URL: https://curia.europa.eu/juris/document/document.jsf?docid=236410&doclang=EN).
[28] Paragraph 114, ibid.
[29] Paragraph 135, ibid.
[30] “Urgency procedure opened against Facebook in connection with the new WhatsApp terms of use”, Hamburg Commissioner for Data Protection and Freedom of Information, 13 April 2021 (URL: https://datenschutz-hamburg.de/assets/pdf/2021-04-13-press-release-facebook.pdf).
[31] Paragraph 115, ibid.
[32] Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 21.
[33] ibid.
[34] Ulrich Kelber to the LIBE Committee, “Schreiben von Frau Helen Dixon (DPC) vom 09.02. und 12.03.2021” 16 March 2021 (URL: (translation and original) http://www.iccl.ie/wp-content/uploads/2021/03/Letter-BfDI-LIBE-on-Irish-DPC_EN.pdf).
[35] “Annual Report, 2020”, Data Protection Commission (https://www.dataprotection.ie/sites/default/files/uploads/2021-02/DPC%202020%20Annual%20Report%20%28English%29.pdf), pp 4-5.
[36] Official Report of Joint Committee on Justice debate - Tuesday, 27 Apr 2021, p. 25.
[37] ibid., p. 21.