Data watchdog refutes ‘false’ criticism
■ EU committee ‘concerned’ over handling of Schrems’ complaints
The Irish Data Protection Commission (DPC) has strongly refuted criticism of its processes by a European Parliament committee as “false”.
The DPC had been dealt a stinging rebuke by the EU’s parliamentary committee on civil liberties, justice, and home affairs (known as the LIBE committee) over its handling of the complaints of Austrian privacy activist Max Schrems.
The committee had called on the European Commission to begin infringement proceedings against the DPC regarding its management of data rights.
In a draft resolution regarding last year’s judgment on Mr Schrems, which saw the data-transfer agreement between the EU and US, known as Privacy Shield, struck down, the LIBE committee stated it was “concerned” the DPC, in the case of Mr Schrems, had taken the decision to move his complaint to the EU rather than rule on it within Ireland.
Responding to the resolution, DPC deputy commissioner Graham Doyle said: “The premise of the criticism directed at the DPC in the draft motion in relation to transfers is false.”
He said that those “familiar” with the EU’s initial ruling in 2015 would know it “obliged the DPC to act as it did in 2016” by bringing Mr Schrems’ complaint, which concerned data transfers carried out by Facebook between Europe and the US, to the High Court, which in turn referred it to Europe.
Meanwhile, it is believed there is disquiet within the DPC regarding the resolution’s statement that the DPC, in referring the Schrems case to Europe, had ignored its powers under GDPR, given that the decision was taken two years before the marquee privacy regulation was first enacted.
The LIBE committee, which is composed of more than 50 MEPs, including former Independent4Change TD Clare Daly and Fine Gael’s Maria Walsh, said that infringement procedures are warranted against the DPC due to Ireland “not properly enforcing the GDPR”.
The DPC is in an extremely prominent position with regard to EU data protection given its status as the ‘one-stop shop’ for data regulation involving tech giants such as Facebook and Google, which are headquartered in Ireland.
The LIBE committee further stated its “deep concern” that multiple alleged breaches of the GDPR have not yet been ruled upon by the DPC, and said it “strongly condemns” the DPC for indicating that Mr Schrems should pay all legal costs attributed to the action.
Last October, the Irish High Court ruled that Mr Schrems is entitled to all costs stemming from his six-year action, which are likely to be in the region of €3m, a figure equivalent to 15% of the DPC’s annual budget.
Commenting on the resolution, Johnny Ryan, senior fellow with the Irish Council for Civil Liberties, said the move “echoes what we’ve been saying for some time, namely that the continuing inaction by the DPC jeopardises data rights across the EU bloc, and indeed risks making a mockery of the EU’s world-leading data protection legislation”.
He said it is now “crucial” that the Irish Government “allocate more staff and resources to the DPC”.
The DPC has been the subject of some criticism from within other EU countries over its perceived slow pace of processing privacy complaints and its alleged unwillingness to punish the larger tech companies with large fines.