EU criticised for lack of evidence that it’s monitoring Ireland’s GDPR handling

6 Oct 2022

Ursula von der Leyen, president of the European Commission. Image: Etienne Ansotte/European Union

Johnny Ryan of ICCL claimed the European Commission provided little evidence that it is keeping an eye on how Ireland polices Big Tech.

The Irish Council of Civil Liberties (ICCL) has criticised the European Commission for potentially failing to properly monitor Ireland’s GDPR enforcement while “the fundamental rights of all Europeans hang in the balance”.

In a letter written to the European Ombudsman today (6 October), ICCL senior fellow Johnny Ryan said that the European Commission “has produced little to indicate that it has diligently monitored Ireland’s application of the GDPR”.

This comes eight months after EU Ombudsman Emily O’Reilly opened an inquiry into the European Commission’s monitoring of how data protection rules are applied in Ireland.

European Commission president Ursula von der Leyen was requested to provide a “detailed and comprehensive” account of the details it has collected on how GDPR is applied by the Irish Data Protection Commission (DPC).

The Irish data watchdog acts as the EU’s lead data supervisor for several major US tech players that have European headquarters in Ireland.

The inquiry was the result of formal complaint lodged by Ryan in November last year, claiming that the European Commission neglected its duty to act on Ireland’s “failure to properly apply” GDPR.

GDPR came into effect in May 2018 and gives data regulators the power to fine companies up to 4pc of their global turnover or €20m, whichever is greater, for violating Europe’s data protection rules.

The ICCL has long been critical of the DPC over how it has been handling GDPR complaints against tech companies such as Meta, Google and Apple.

Ryan told an Oireachtas committee last year that Ireland had become a “bottleneck of GDPR investigation and enforcement” and the Irish DPC has failed to resolve 98pc of cases important enough to be of concern across the EU – a claim disputed by the DPC.

‘Several concerns’

In the letter sent today to the European Ombudsman’s director of inquiries, which O’Reilly was copied into, Ryan detailed the timeline of events that have taken place since the inquiry was launched in February.

The Ombudsman gave the European Commission a deadline of 15 May to provide its account of how it has monitored GDPR application, but it did not reply until June. The following month, the Ombudsman said the response was “not a detailed and comprehensive account of the actual information that is has collected so far”, and requested further information by the end of September.

Ryan said that the European Commission’s latest responses to the Ombudsman’s inquiry “raise several concerns” regarding its position on the value of statistics from the European Data Protection Board, which it previously described “as the most authoritative source”.

“Yet, the Commission has taken a new position on the value and role of statistics in its latest response. It now argues that what it calls a ‘mechanical examination of statistics’ will not distinguish between easy enforcement cases and more complex and difficult ones,” Ryan wrote.

He added that the European Commission’s general approach to the question of Ireland’s application of GDPR in its recent response is “contrary” to comments made by EU competition chief Margrethe Vestager on a recent visit to Dublin.

“After eight months, there is no evidence that the Commission has taken adequate steps to collect the necessary information, or to examine the information it receives,” Ryan wrote.

“Nor has it used its competence to request the relevant data from any source, or to obtain comparative data across the EU. Instead, it continues to cite irrelevant or inadequate information sources.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic