ICCL’s 2021 report on the
enforcement capacity of
data protection authorities
Video: play above, or share from https://vimeo.com/601138490.
Europe is unable to police how big tech firms use people’s data. Three and a half years after the introduction of the GDPR, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on major cross-border cases. In addition, Europe’s DPAs remain underfunded, and have too few tech specialist investigators.
Key insights
- The Irish Data Protection Commission is the bottleneck of GDPR enforcement against Big Tech across the EU. Almost all (98%) major GDPR cases referred to Ireland remain unresolved.
- Though Covid-19 has forced many Europeans to work online, DPAs remain ill equipped to supervise the tech sector. Only 9.7% of EU DPAs 2,950 full time staff are tech specialists.
- Less than half (44%) of EDPB final EU-wide decisions include corrective measures, such has fines or orders to stop processing.
- A small number of Member States (Ireland, Spain, Germany, Netherlands, France, Sweden, and Luxembourg) receive almost three quarters (72%) of all cross-border complaints referred between DPAs.
- EU countries’ investment in DPAs is declining.
- Germany alone accounts for almost a third (32%) of all spending on EU DPAs that oversee the private sector. More than half of all national DPAs have small (€5 million or less) annual budgets.
ICCL has written to European Commissioner for Justice, Didier Reynders, to highlight the Commission's duty as "guardian of the treaties" to see that the GDPR is properly applied - and to act against Ireland and other EU Member States that jeopardise fundamental rights in the Union.
Recommendations
Recommendation 1
The Irish Data Protection Commission (DPC) must be reformed and strengthened. The recommendations of the Justice Committee of the Irish Parliament and Senate2 should be urgently implemented. In particular:
- The Irish Government should provide for an independent review of how to strengthen and reform the DPC. This is necessary to fulfil Ireland’s duty of sincere cooperation under Article 4(3) of the Treaty on European Union (TEU), and to fulfil its duties under Article 52(4) of the GDPR.
- The Irish Minister for Justice should user her power to appoint two additional Data Protection Commissioners.
- The DPC must “move from emphasising guidance to emphasising enforcement as a matter of urgency”.
Recommendation 2
The European Commission should use its power under Article 258 of the Treaty on the Functioning of the European Union to launch an infringement procedure against Member States that jeopardise the protection of personal data. Data protection is one of the Union’s objectives. Jeopardising it is a failure to fulfil Member States’ obligations under Article 4(3) of the TEU.
Recommendation 3
The European Commission must improve its monitoring of the application of the GDPR. It should request that the EDPB and DPAs publish the following data each quarter in order to enable it to perform its duty under Article 17 of the TEU:
- Time (days) to progress each case from first complaint or proactive investigation to draft decision and then to final decision.
- How many cases each DPA is the Lead Supervisory Authority (LSA) for. This should also specify the number of separate cases or complaints combined in each cases.
- How many times each LSA used each investigative power provided in GDPR Article 58(1), in that quarter.
- How many times each LSA used each sanctioning power provided in GDPR Article 58(2), in that quarter.
Each of the above should include the types and scale of controllers concerned, and whether a case is domestic or cross-border. In exceptional cases where national law precludes case-level data, robust aggregated data may suffice.
Press materials
You can support ICCL's work.
The Irish Council for Civil Liberties has been at the forefront of every major rights advance in Irish society for over 40 years. We helped legalise homosexuality, divorce, and contraception. We drove police reform, defending suspects' rights during dark times. ICCL is Ireland’s leading human rights organisation, and our work on digital and data issues has global impact.
ICCL is completely independent from Government, and relies on donations and gifts. You make our work for human rights and freedom possible. Thank you.
Contact
Irish Council for Civil Liberties,
Unit 11, First Floor, 34, Usher's Quay,
Dublin 8
Phone: +353-1-9121640
Email: info@iccl.ie