European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing” the regulation.
The Commission and the DPC have been contacted for comment on the parliament’s call.
Last summer, the Commission’s own two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point”.
But it’s now nearly three years since the regulation began being applied, and criticism over weak enforcement is getting harder for the E.U.’s executive to ignore.
The parliament’s resolution — which, while non-legally binding, fires a solid political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcing the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies which choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).
The text of the resolution expresses “deep concern” over the DPC’s failure to reach a decision on several complaints against breaches of the GDPR filed the day it came into the application, on May 25, 2018 — including against Facebook and Google — and criticizes the Irish data watchdog for interpreting “without delay” in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it.
To date, the DPC has only reached a final decision on one cross-border GDPR case — against Twitter.
The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint brought initially by privacy campaigner Max Schrems years before the GDPR came into the application, which relates to the clash between E.U. privacy rights and U.S. surveillance laws, and which still hasn’t resulted in a decision.
The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU — which in turn led to the landmark Schrems II judgment last summer invalidating the flagship EU-U.S. data transfer arrangement Privacy Shield.
That ruling did not outlaw alternative data transfer mechanisms. Still, it made it clear that EU DPAs must step in and suspend data transfers if Europeans’ information is being taken to a third country that does not have essentially equivalent protections to those they have under E.U. law — thereby putting the ball back in the DPC’s court on the Schrems complaint.
The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers, and the tech giant responded by filing for a judicial review of the DPC’s processes. However, the Irish High Court rejected Facebook’s petition last week. And a stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of reaching a decision on the Facebook data flows complaint has started moving again.
A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.
Update: The DPC said today that it’s now written to Facebook following the lifting of the stay — giving the company six weeks to provide submissions on the preliminary order.
The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR”, and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it:
Is concerned about the insufficient level of enforcement of the GDPR, particularly in the area of international transfers; expresses concerns at the lack of prioritization and overall scrutiny by national supervisory authorities about personal data transfers to third countries, despite the significant CJEU case law developments over the past five years; deplores the absence of meaningful decisions and corrective measures in this regard, and urges the EDPB [European Data Protection Board] and national supervisory authorities to include personal data transfers as part of their audit, compliance and enforcement strategies; points out that harmonized binding administrative procedures on the representation of data subjects and admissibility are needed to provide legal certainty and deal with cross-border complaints;
The knotty, multi-year saga of Schrems’ Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook’s lawyers’ delaying tactics, illustrates the multi-layered legal, political, and commercial complexities bound up with data flows out of the E.U. (post-Snowden’s 2013 revelations of U.S. mass surveillance programs) — not to mention the staggering challenge for E.U. data subjects to actually exercise the rights they have on paper. But these intersecting issues around international data flows seem to be finally coming to a head in the wake of the Schrems II CJEU ruling.
The clock is now ticking to issue major data suspension orders by E.U. data protection agencies, with Facebook’s business first in the firing line.
Other U.S.-based services that are — similarly — subject to the U.S.’ FISA regime (and also move E.U. users data over the pond for processing, and whose businesses are such they cannot shield user data via “zero access” encryption architecture) are equally at risk of receiving an order to shut down their EU-U.S. data-pipes. Or else having to shift data processing for these users inside the E.U.
U.S.-based services aren’t the only ones facing increasing legal uncertainty, either.
The U.K., post-Brexit, is also classed as a third country (in E.U. law terms). And in a separate resolution today, the parliament adopted a text on the U.K. adequacy agreement, granted earlier this year by the Commission, which raises objections to the arrangement — including by flagging a lack of GDPR enforcement in the U.K. as problematic.
The parliament highlights how adtech complaints filed with the ICO have failed to yield a decision on that front. (It writes that it’s concerned “non-enforcement is a structural problem” in the U.K. — which it suggests has left “a large number of data protection law breaches… [un]remedied”.)
It also calls out the U.K.’s surveillance regime, questioning its compatibility with the CJEU’s requirements for essential equivalence — while also raising concerns about the risk that the U.K. could undermine protections on E.U. citizens data via onward transfers to jurisdictions the E.U. does not have an adequacy agreement with, among other objections.
The Commission put a four-year lifespan on the U.K.’s adequacy deal — meaning there will be another significant review ahead of any continuation of the arrangement in 2025.
It’s a far cry from the “hands-off” 15 years the EU-U.S. “Safe Harbor” agreement stood for before a Schrems challenge finally led to the CJEU striking it down in 2015. So the takeaway here is that data deals that allow for people’s information to leave Europe aren’t going to be allowed to stand unchecked for years; close scrutiny and legal accountability are now firmly upfront — and will remain in the frame going forward.
The global nature of the internet and the ease with which data can digitally flow across borders, of course, brings enormous benefits for businesses — but the resulting interplay between different legal regimes leads to increasing levels of legal uncertainty for companies seeking to take people’s data across borders.
In the E.U.’s case, the issue is that data protection is regulated within the bloc, and these laws require that protection stays with people’s information, no matter where it goes. So if the data flows to countries that do not offer the same safeguards — be that the U.S. or indeed China or India (or even the U.K.) — then that risk is that it can’t, legally, be taken there.
How to resolve this clash between data protection laws based on individual privacy rights and data access mandates driven by national security priorities.
For the U.S., and for the transatlantic data flows between the E.U. and the U.S., the Commission had warned there will be no quick fix this time — as happened when it slapped a sticking plaster atop the invalidated Safe Harbor, hailing a new “Privacy Shield” regime; only for the CJEU to blast that out of the water for much the same reasons a few years later. (The parliament resolution is particularly withering in its assessment of the Commission’s historic missteps there.)
For a fix to stick, significant reform of U.S. surveillance law is going to be needed. And the Commission appears to have accepted that’s not going to come overnight, so it seems to be trying to brace businesses for turbulence.
The parliament’s resolution on Schrems II also makes it clear that it expects DPAs to step in and cut off risky data flows — with MEPs writing that “if no arrangement with the U.S. is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved”.
So if DPAs fail to do this — and if Ireland keeps dragging its feet on closing out the Schrems complaint — they should expect more resolutions to be blasted at them from the parliament.
MEPs emphasize the need for any future EU-U.S. data transfer agreement “to address the problems identified by the Court ruling in a sustainable manner” — pointing out that “no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance”.
“This requires a reform of U.S. surveillance laws and practices to ensure that access of U.S. security authorities to data transferred from the E.U. is limited to what is necessary and proportionate and that European data subjects have access to effective judicial redress before U.S. courts” the parliament adds.
It’s still true that businesses may be able to legally move E.U. personal data out of the bloc. Even, potentially, to the U.S. — depending on the type of business; the data itself; and additional safeguards that could be applied.
However, for data-mining companies like Facebook — which are subject to FISA and whose businesses rely on accessing people’s data — then achieving essential equivalence with E.U. privacy protections looks, well, essentially impossible.
And while the parliament hasn’t made an explicit call in the resolution for Facebook’s E.U. data flows to be cut off, that is the clear implication of it urging infringement proceedings against the DPC (and deploring “the absence of meaningful decisions and corrective measures” in the area of international transfers).