European Commission accused of maladministration over GDPR enforcement – EURACTIV.com

The Irish Council for Civil Liberties (ICCL) filed a formal complaint against the European Commission before the European Ombudsman on Monday (29 November) for failing to monitor enforcement of the EU’s data protection law, known as the GDPR, and for not holding Ireland accountable.

ICCL’s complaint is unusual as it is divided into two components. The first part might have stronger resonance, as it highlights the fact that the EU executive has not put in place a monitoring mechanism to keep track of the implementation of the General Data Protection Regulation.

The second part refers to the fact the Commission has not held Ireland accountable for allegedly failing to apply GDPR. In September, the ICCL published a report indicating that the Irish Data Protection Commissioner (DPC) only reached a decision on 2% of the cross-border cases it is leading on.

“Not only has the European Commission not acted, but it also has not even gathered information to know whether to act,” Johnny Ryan, a senior fellow at ICCL, told EURACTIV.

“We are pointing to a deep problem with the GDPR. And that problem seems to be that this Commission has no interest in the data protection agenda of the previous Commission,” he added.

Ireland’s privacy watchdog accused of paralysing GDPR enforcement

A new report from the Irish Council for Civil Liberties (ICCL) has accused Ireland’s data protection watchdog of pulling the breaks on the enforcement of the EU’s data protection regulation (GDPR) in Europe and called on the European Commission to intervene, warning that the GDPR was “silently falling”.

Guardian of the treaties

The Irish NGO acknowledged that the Commission, as the guardian of the treaties, has significant room for discretion in deciding whether or not to launch an infringement procedure against member states that go openly against or fail to uphold EU law.

However, the complaint noted that the EU executive has a duty to monitor whether EU rules are properly applied. While the NGO urged Justice Commissioner Didier Reynders in September to take action against Ireland, it is now reporting the EU executive for maladministration.

Ryan tracked the origin of the complaint to the research behind the report published in September, for which ICCL interviewed virtually all EU data protection authorities and analysed the data provided by the European Data Protection Board (EDPB), the body that gathers them.

“What we learned is that the statistics that were given to the European Commission were completely inadequate,” Ryan added.

He gave examples of how many cases each privacy watchdog is the lead for, how many times authorities have used their investigative or sanctioning powers and the number of days needed to move from a complaint to a draft decision and hereby to a final decision. None of this data is currently available.

The European Ombudsman will now review the complaint and decide whether to open an inquiry. In 2019, 79% of the EU Ombudsman’s recommendations were taken on board by the European Commission.

MEPs call for infringement procedure against Ireland

The European Parliament voted on Thursday (20 May) in favour of a resolution calling on the European Commission to open an infringement procedure against Ireland for failing to enforce the General Data Protection Regulation (GDPR).

The spotlight on Ireland

The ICCL is not the only one to have pointed the finger at Ireland’s DPC. Other data protection authorities in the EU have also accused the Irish regulator of falling short of its obligations. The overwhelming majority of very large tech companies have their legal basis in Ireland, which therefore has the lead on most cross-border cases.

The European Parliament also joined in the debate in May, as EU lawmakers adopted a non-binding resolution calling on the European Commission to open an infringement procedure against Ireland precisely for allegedly failing to apply the EU data protection law.

“There is no denying that the system now has some distortions, but these could be corrected by greater cooperation and delegation to other authorities for cases raised in individual member states,” noted Vincenzo Tiani, a partner at Panetta law firm. However, Tiani stressed that doing so would require the will of all authorities, including the Irish one.

The European Data Protection Supervisor (EDPS) has recently announced a conference in June next year to reconsider the GDPR enforcement architecture. Ongoing inefficiencies in the GDPR enforcement have also influenced the policy discussions on the Digital Services Act (DSA).

For ICCL’s Ryan, the Commission’s lack of action has unintended consequences also for disinformation and market power, two issues the EU executive has been trying to address through new legislative proposals.

“What this Commission needs to do is return again to the GDPR and see that that piece of law is enforced, because if it is not, what is the point in having a new generation of digital law?” Ryan said.

The Commission was not readily available for comment by the time of publication.

EDPS on the future of privacy

We have asked the European Data Protection Supervisor Wojciech Wiewiorowski about its recent proposal to organise a conference to review the enforcement of GDPR, the EU privacy law.


[Edited by Zoran Radosavljevic]

Source link

Leave a Reply

Your email address will not be published.