MEPs call for infringement procedure against Irish data protection authority over lack of GDPR enforcement

MEPs express 'deep concern' that many complaints filed with the Irish DPC since 2018 have not yet been decided

The European Parliament has voted in favour of a resolution calling on the European Commission to open an infringement procedure against the Irish Data Protection Commission (DPC) for failing to enforce the GDPR.

541 MEPs voted in favour of the motion with only one against; 115 abstained.

The vote concerns specifically the so-called Schrems II case brought by Austrian Lawyer Max Schrems which invalidated the EU-US Privacy Shield. The MEPs also took Issue with the slow pace of Schrems' original complaint against Facebook's data transfer practices, which after seven years is still unresolved.

In a document released after Thursday's vote, MEPs said the Parliament "is disappointed" that the Irish Data Protection Commissioner (DPC) brought proceedings against Maximilian Schrems and Facebook to the Irish High Court, rather than taking a decision itself, which it is empowered to do.

MEPs expressed "deep concern" that many complaints filed with the Irish DPC in 2018 when the GDPR became law have not yet been decided, in contravention, they say, with the GDPR stipulation that complaints are processed "without delay".

And they said they are "worried that supervisory authorities have not taken proactive steps … to force the DPC to comply with its obligations".

They further criticise the DPC for its lack of technical expertise and its "outdated systems," and particularly for its attempts to "shift the costs of the judicial procedure on to the defendant, which would have created a massive chilling effect."

The MEPs went on to "deplore" the DPC's "absence of meaningful decisions and corrective measures" in regard to data transfers to third countries.

Because of its low corporate tax regime, Ireland is a favourite location for big US tech companies such as Facebook and Microsoft, many of which have their European headquarters in the country, selecting the DPC as their chosen data protection authority (DPA), as required under the GDPR. This means the DPC is the lead agency handling many data protection disputes.

The DPC has faced accusations of a conflict of interest over its duties to protect citizens' data and a desire not to jeopardise Ireland's favoured position with tech giants.

Despite receiving thousands of complaints, the DPC has only issued six fines for GDPR breaches to date, by far the largest (and the only cross-border case) being a €450,000 demand against Twitter for falling short of data breach notification obligations. At the end of 2020 it revealed it had received 4,660 GDPR complaints but only 83 statutory inquiries were ongoing.

The Irish Data Protection Commissioner Helen Dixon has blamed a lack of resources for the slow progress.

Commenting in EURACTIV, Schrems criticised the DPC's lack of action, calling the numbers "staggering".

"The DPC reported about 10,000 complaints last year, but has not made any formal decision on any of these complaints," said Schrems.

He continued: "The DPC openly acknowledged in a recent parliament hearing that it feels 'handling' of a complaint is also to just close it without an investigation. This means that the main path to enforce your fundamental right failed 100 per cent in Ireland in 2020. If this is not a case for an infringement procedure, then I would not know what is."

Last month, Cédric O, France's secretary of state for digital transition, called for strong action from the DPC against Facebook for a data leak that exposed the personal details of about 533 million users. The DPC only moved to open a probe into the data leak after the European Commission intervened to apply pressure.

"Let's hope they respond to the unacceptable situation, which has affected millions of French citizens. If not, we will have to draw some conclusions about the European data protection framework," O said.