Ireland’s Data Protection Commissioner (DPC) faces a judicial review over its handling of GPDR cases against WhatsApp and Instagram. Ireland’s High Court granted the review after noyb (none of your business) brought two complaints against the DPC. What is not clear is what penalties the DPC may face if it loses the judicial review.
Gerard Rudden of ARQ Solicitors, representing noyb.eu: “In these proceedings, noyb.eu is seeking a Declaration that the DPC has failed to carry out an investigation into the complaints within a reasonable period, as they are obliged to do. The DPC have adopted, in noyb.eu’s view, an unnecessary and cumbersome six step procedure in relation to these complaints. In the two years since the complaints were filed, they have only completed the first step.”
What is this about?
When GDPR came into force, noyb filed several complaints with regulators over forced consent. The complaints were against Google LLC, Facebook, WhatsApp and Instagram. The case against Google was dealt with by the CNIL. The others were forwarded to the Irish DPC under the one-stop-shop mechanism. It allows a company to have GDPR cases against it heard by the DPC in the country where the company is headquartered. In the case of Facebook, WhatsApp and Instagram, that is Ireland.
To deal with the cases against Facebook, WhatsApp and Instagram, the Irish DPC created a new six-step process. That process, described as Kafkaesque by Max Schrems, honorary chairperson of noyb.eu, has proven to be slow and cumbersome.
As the table above shows, the case against Facebook has progressed two steps in two years. Meanwhile, the cases against WhatsApp and Instagram have managed just a single step. At the current rate, allowing for the 3+ years of appeals, none of these cases seems likely to be concluded before 2027.
What will a judicial review of the DPC achieve?
The judicial review that noyb sought, and has been granted, seeks to force the Irish DPC to speed up the process and complete its investigation in a reasonable time. The complaint cites Article 57 of the GDPR where 1(f) requires each supervisory authority to: “handle complaints lodged by a data subject, or by a body, organisation or association in accordance with Article 80, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period.”
It is also seeking a judgement that the Irish DPC has breached its obligations under the GDPR. Article 60 of the GDPR requires that: “The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.”
To date, noyb claims that the Irish DPC has failed to provide translations of its documents to the authorities in Germany and Belgium where the complaints were originally raised. It has also withheld other documents, delaying further cooperation with other data protection authorities.
Articles 61 (mutual assistance) and Article 62 (joint operations of supervisory authorities) of the GPDR allow the Irish DPC to seek help. So far, however, it seems that this is something it is unwilling to do.
Another request from noyb is that the case is referred to the Court of Justice of the European Union (ECJ). It is unclear of what relief that court could impose.
Enterprise Times: What does this mean?
In part, this is a problem created by the Irish Government. It set very low tax rates to attract high tech companies such as Apple, Google, Twitter and Facebook. Last year, Apple paid €14 billion in back taxes to the Irish Government after the European Commission said it received illegal tax breaks.
That rush of companies into Ireland has put excessive stress on the DPC. Despite the number of cases being brought, it has failed to fine any US tech company for GDPR breaches. The question is whether this failure is due to a lack of resources or a lack of political will to act.
Other DPAs are worried about the lack of progress. In May, noyb published an open letter to the European Data Protection Board. It brought up the issue of GDPR cases dragging on for several years. The EDPB responded, acknowledging the issue and saying it had: “identified a number of issues requiring improvement.” However, that does not address the current issue with the Irish DPC and its failure to act.
Will the judicial review force the Irish DPC to act faster? Will the cases against Facebook, WhatsApp and Instagram ever be resolved? Are the delays designed to frustrate complaints or just evidence of an under-resourced DPC drowning in legal complexity? We won’t know the answer to any of these questions until the judicial review takes place.