Is the General Data Protection Regulation (GDPR) one-stop shop mechanism for dealing with complaints fit for purpose? Ireland has unfortunately provided most of the evidence in the “no” corner.
The one-stop shop mandates that if someone wishes to bring a data-handling complaint to a European regulator, the complaint is, in most cases, referred to the regulator in the country where the company named in the complaint has its European base.
You can see where this is going. In practice, the one-stop shop has meant that most complaints made in the EU about the world’s biggest data-handlers – the largest and most powerful multinational technology companies – end up on the Irish Data Protection Commission’s plate.
A decision this week from the European Commission indicates how problematic the Irish DPC has become – or at least, its functioning within the one-stop shop. In a development that should have significant impact on the speed and general accountability of investigations, the European Commission will now request bimonthly reports from all national regulators on the progress of all “large-scale” GDPR cases. Which is helpful, but doesn’t remove the enduring obstacle: the one-stop shop.
The prompt for the European Commission’s additional reporting and accountability demands arose out of complaints made initially in September 2021 by the Irish Council for Civil Liberties (ICCL) to the European Commission about the tediously slow progress of some globally important investigations progressing (or not) through the Irish DPC. Two months later, the ICCL filed a formal complaint about the issue with EU Ombudsman Emily O’Reilly (another Irish connection, if entirely incidental) arguing that the European Commission was in breach of EU law by failing to sufficiently monitor how Ireland applies the GDPR.
Last December O’Reilly produced her opinion, concluding that the European Commission’s approach in examining the Irish DPC’s big tech company cases was “appropriate and in line with good administration” but needed additional improvements (the ICCL has challenged the “appropriate and in line” bit). O’Reilly recommended the European Commission more closely monitor all of the Irish DPC’s big tech cases – embarrassing extra scrutiny.
A month later the European Commission has made closer scrutiny of such cases a general EU-wide requirement, a politic approach that avoids finger-pointing at any one DPC. But of course, this isn’t about all the data protection regulators. It’s about Ireland’s. And there’s clearly long-standing concern across Europe’s data regulatory landscape – from other national regulators, from activists, and digital and privacy rights organisations – with Irish decisions, or the lack of them, and the slow progress of complaints.
The DPC has argued that cases cannot be rushed when they are complex and are important first interpretations of a relatively new law. As a general point, this take has some merit, but the DPC’s pace too often is more like a go-slow protest, and critics argue there are different approaches that would expedite cases. The regulator has also (rightly) pointed out that inadequate funding means it doesn’t have the staffing or resources it needs. Fair enough: since its inception (well before the GDPR) the office has never received adequate funding, and the obligations of GDPR’s one-stop shop – which meant most of the largest cases would arrive on its doorstep – have only made this worse. The Government has much to answer for here.
But there are indeed perplexing problems with how interminably slowly the Irish DPC resolves cases. Add to that the exacerbation of its issuing several inadequate punishments in high-profile cases that – again, embarrassingly – have been substantially revised by the EU’s highest data protection oversight body, the European Data Protection Board.
The European Commission’s decision this week is a process mitigation but not a problem resolution, merely slapping a fix on to the broken mechanism of the one-stop shop in its application to big tech. Or more precisely, to big tech in a small country. Burdening any one EU member state with the cost and responsibility of regulating companies worth more than the GDP of many countries is grossly inequitable. Federal regulators in the US, as well as its Justice Department, have struggled to find adequate solutions to big tech’s data slipperiness. What chance has a small regulator in a country whose entire population is smaller than Silicon Valley’s?
The genesis of the one-stop shop is murky, too. According to the GDPR’s main architect, the former EU minister Viviane Reding, it wasn’t in the GDPR’s initial drafts. During a Dublin City University webinar in 2021 (I was moderator), she said it was lobbied for by various EU states (if by Ireland, what a monumental self-own). She said she had opposed it at the time, preferring that complaints against large companies be handled by an EU-wide body. But it was swiftly proffered as a key GDPR feature.
I’ve long argued some other approach than the one-stop shop was needed for big tech cases that require considerable resourcing and may carry political and economic reverberations at member state level.
For now, the European Commission has signalled we will limp on with the one-stop shop. But I hope clearer thinking will ultimately prevail, and the one-stop shop will be replaced with a better, fairer mechanism.