The European Commission has asked all national data protection regulators to file detailed bi-monthly reports on any active large-scale cross-border investigations, in response to an inquiry by the European Ombudsman and pressure from Irish privacy campaigners.
Under new rules, regulators will be required to report directly to the European Commission every two months all details of “key procedural steps taken and dates” and “investigatory or any other measures taken”.
Ireland’s Data Protection Commission (DPC) says it has already provided such reports to the European Data Protection Board (EDPB), of which the European Commission is an observing member, since 2019.
But the office of the European Ombudsman says the changes have been introduced in the context of its inquiry, concluded in December, into whether the European Commission was collecting sufficient information to monitor Ireland’s adherence to GDPR.
Based on a complaint from the Irish Council for Civil Liberties (ICCL), ombudsman Emily O’Reilly’s report found Commission practices, examining DPC “big tech” cases regularly, was “appropriate and in line with good administration”, but proposed further technical improvements.
Earlier this month, the ICCL took issue with the ombudsman report’s assertion that the commission had an established practice of case review with national regulators such the DPC, which has frontline responsibility for US tech giants such as Dublin-based Meta, which owns Facebook.
While the DPC’s regular reports to European colleagues are seen by the commission, thanks to its EDPB observer statues, the ICCL says the commission has logged just four cases of direct communication between it and Ireland’s DPC since GDPR came into effect: in October and December 2021 and April and June last year.
“The commission has a treaty obligation to monitor the application of European law,” said Dr Johnny Ryan, an ICCL senior fellow. “Not only is the commission not intervening to make sure European law is applied, the commission also did not know whether to intervene at all. There is an acute lack of urgency.”
Last year European commissioner for justice Didier Reynders defended Ireland’s DPC from criticism by other EU member states, telling MEPs in January 2022 that the Irish regulator was correct to proceed cautiously in the “complex matter” of its Facebook investigation.
Briefing documents released to the ICCL under EU freedom of information laws indicate more intense and critical lobbying by the commission, urging Ireland to expedite its investigations into Meta complaints, filed in 2018.
During a conversation with Minister for Justice Helen McEntee in December 2021, among Mr Reynders’s talking points was that it was “essential that DPC pursue its efforts and deliver on these cases given their relevance for the credibility of GDPR”.
May 2022 briefing documents suggest Mr Reynders urged Data Protection Commissioner Helen Dixon, in a meeting she requested, to counter a “negative narrative” about “GDPR not being enforced” in Ireland.
Mr Reynders requested a timetable for upcoming DPC decisions. He also was told to “stress that it is crucial for the DPC to make progress as swiftly as possible to dispel the negative narrative on GDPR enforcement vis-a-vis big tech multinational companies”.
The new reporting procedure from Brussels, almost five years after GDPR came into place, comes after Irish DPC decisions on complaints against Meta subsidiaries Facebook, Instagram and WhatsApp were revised at European level.