Derek Mooney writes: Last Tuesday (July 4th) the EU Commission published its proposed new regulation on GDPR enforcement. (Links: Press statement / Proposal for a Regulation). The purpose of this regulation, according to the Commission, is to: “…streamline cooperation between data protection authorities (DPAs) when enforcing GDPR in cross-border cases”. This is the regulation we anticipated in this March 2023 article.
The new regulation sets procedural rules for the DPAs when investigating GDPR breach claims affecting individuals across more than one EU member state. The new regulation keeps the “lead Data Protection Authority” concept but requires that DPA to send a ‘summary of key issues’ to its counterparts concerned. This “summary” will identify the main elements of the investigation and the lead DPA’s views on the case, but its true purpose is to invite other DPAs to “provide their views”.
In our opinion the Commission has produced an activist DPA charter by weakening the one-stop-shop principle which underpins GDPR. It moves the European Data Protection Board (EDPB) from its original GDPR-envisioned role of facilitating dialogue between national authorities and exchanges of information, to become the supra-national tool of its more activist members, overseeing and instructing less activist national authorities to do more and fine bigger. This is the “mission creep” and “overreach” we warned of in our Jan 2022 BEERG article.
By acceding to the EDPB’s request for new “procedural rules” the Commission has effectively decided that GDPR’s primary purpose is to enable authorities to fine multinationals, particularly US ones, millions of Euros and its ancillary function is the protection of EU citizens’ personal data.
It is difficult not to see this Regulation as privacy activists’ revenge on the less confrontational style of the Irish DPA, the Data Protection Commission (DPC). They view the Irish DPC as too pragmatic and too slow in dealing with complaints.
The DPC is the bête noire for privacy activists and crusaders as it oversees the European home to many of the major American social media and tech giants. Activists want these companies to be fined early and fined often. So, if Ireland’s DPC won’t do it, they are happy to dismantle GDPR’s one-stop-shop model and centralise things at the European level. This proposed regulation is a major step in that direction.
The DPC does not always help its own case, with recent EU parliament committee appearances being perceived as overly defensive. Though there has been a six-fold increase in the DPC’s annual funding since 2015 and it now employs over 200 staff (target is 258 staff by end of 2023) there is still the fallacious depiction that it operates out of some rural office over a grocery store.
Back in Ireland the DPC has clout within government. Last week the Irish Parliament approved an amendment to the Irish Data Protection Act (via a Courts Bill) that would allow the DPC to label information in investigations as ‘confidential’ (see Irish Independent story). The Minister informed parliamentarians that it was the DPC which requested the amendment, and the Irish government agreed.
The move unleashed a political row in parliament as the amendment was produced at the last minute and provoked a storm of protest from data privacy activists from Max Schrems to the Irish Council for Civil Liberties to Amnesty International. The Minister insisted that the amendment was “quite limited in scope” and is intended to protect the data (often commercially sensitive) it acquires when investigating.
Several opposition members complained that they were being answered with “…a script that says it will be all right as it [the amendment] has come from the DPC”. The point could be made in response that many of the opposition members’ arguments came verbatim from scripts from the above-mentioned groups and organisations. What we saw was the Irish Parliament turned into a theatre for a proxy war of words between the DPC and the activists… a war that did not reflect well on either party.
The key point to note here is that the Irish Justice department listens to the DPC – this will be most important when the Irish government comes to give its views on the Commission’s proposed new regulation. It is to be hoped that the Irish government will strongly oppose this centralised overreach and see it as an abuse of the core EU principle of subsidiarity (maximum independence for a lower authority in relation to a higher one).
MEANWHILE, there were two other significant GDPR developments this week. On Tuesday, the European Court of Justice (ECJ/CJEU) ruled that EU antitrust authorities are entitled to check on companies’ compliance with GDPR (Press release HERE). The case concerned a German antitrust agency which had ordered Meta to stop collecting users' data without consent after finding in 2019 that Facebook played a "dominant" role on the social network market and would thus be subject to "special antitrust obligations." See Reuters / DW for more details.
Also on Tuesday, Ireland’s Commercial Court agreed to the US government joining as an amicus curiae party to proceedings by Meta over the DPC’s decision that Meta must suspend the transfer and storage of user data from Europe to the US. See Independent.ie story.