The Irish Data Protection Commission (“DPC”), having last month released its annual report (see our blog post here), has now also issued two additional reports detailing statistics on its handling of cross-border cases (see here) and a recently completed Resource Allocation Audit conducted by independent consultants (see here). Each is important in its own right for the reputation and development of this regulator, the lead EU supervisory authority for many of the large technology companies.
A key thread in the reports is the slaying of the criticisms made against the DPC’s handling of significant cross-border inquiries by lobbyists and other regulators, which, the DPC asserts, has been “regrettably based on information that is incomplete and lacking context”. While there has been support for the DPC from the European Commission, the criticisms have nevertheless echoed in several fora including, recently, by the whistleblower Frances Haugen. Both reports tackle those criticisms by explaining and detailing the DPC’s processes, constraints, successes and plans to deal with cross-border issues going forward. The reports paint a complicated and difficult regulatory ecosystem, which does not lend itself to a media soundbite effective enough to rebalance the negativity built up against the DPC.
The Irish Council of Civil Liberties attracted significant media attention last year when they reported that:
“The Irish Data Protection Commission is the bottleneck of GDPR enforcement against Big Tech across the EU. Almost all (98%) major GDPR cases referred to Ireland remain unresolved.”
“The Irish DPC is the lead supervisory authority for 164 cases of Europe-wide significance. But 98% of these cross-border cases remain unresolved. In the three years from May 2018 to May 2021, Ireland has sent only 4 draft decisions to the EDPB.”
“No other GDPR enforcer in the EU can intervene if the Irish DPC asserts its lead role in cases against big tech firms headquartered in Ireland. As a result, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on cross-border cases.”
These were big and bold criticisms, and they reverberated.
The One-Stop Shop Cross-Border Complaint Statistics in the DPC’s report detail the agency’s activity in this area from the inception of the GDPR in May 2018 to the end of December 2021. The statistics show that the DPC has handled a significant number of cross-border complaints (1,150), of which 65% have been concluded by the end of 2021, substantially more than was suggested by the ICCL 2021 report. The vast majority of those concluded (86%) were resolved through “amicable resolution”, a mechanism provided for by Irish law under the Data Protection Act 2018.
Contextualizing the One-Stop Shop
The One-Stop Shop (OSS) is a GDPR mechanism that allows EU-based organisations processing personal data across multiple EU countries to deal with just one lead European data protection authority rather than having to deal with different authorities for issues in each of the different countries where they operate. It is thus intended to streamline data protection regulation, particularly for larger companies operating across borders. However, the OSS, which came into operation in May 2008, has had its teething problems. At the core of these problems has been the approach taken by different authorities to the regulation of large technology companies. These differing approaches emanate largely from different cultures and legal traditions, both in themselves a valuable part of the EU’s rich tapestry of differences. The European Data Protection Board (“EDPB”) is the regulatory oversight body for the data protection authorities across Europe, and operates through a complex and often time-absorbing system for collaboration, dispute resolution and decision consultation between lead and other peer data protection authorities operating in Europe.
The Irish DPC is the lead supervisory authority for many of the large technology companies. According to recently published DPC statistics, of the large number of cross-border complaints it has handled as lead supervisory authority since 2018, 86% have related to just 10 companies.
Moreover, 84% of the 1,150 cross border GDPR complaints received by the DPC by the end of 2021 have been received by the DPC in its role as lead supervisory authority, where the data controller, which is the target of the complaint, has its main establishment in Ireland. The remaining 16% of those cross-border complaints related to a controller established in another EU Member State, but where the complaints had an Irish nexus, and as such, were of interest to the DPC as a concerned supervisory authority.
The vast majority of complaints are settled through an amicable resolution process laid down in Irish law under the Data Protection Act 2018. The legislation authorizes amicable resolution of a complaint where the DPC considers there is a reasonable likelihood of resolution within a reasonable timeframe. It is left open to the DPC to take such steps as it considers appropriate to arrange or facilitate that amicable resolution, but once an agreement is reached, the complaint is then deemed to have been withdrawn by the complainant.
The process of amicable resolution divides into two – a fast track and a more engaged version. The fast-track option arises where the DPC identifies a quick fix, which is then agreed to by the complainant. An example would be a complaint that a data access request was not responded to and the quick fix would be that the data controller would respond. The more engaged amicable resolution process typically involves correspondence between the DPC and the parties to examine the complaint and the response in more detail, with the DPC ultimately suggesting a resolution. There is no obligation on the complainant to agree to the process or to accept the proposed resolution, and in some cases, it can take a while for the DPC to find a suitably acceptable solution.
There are several other options available to the DPC in dealing with a complaint. It may, for instance, dismiss or reject it, advise the complainant, serve a notice, launch an inquiry or take such other action as it considers appropriate.
Where a cross-border complaint is not amicably resolved, then the lead supervisory authority will consult its peers on its draft decision under Article 60 of the GDPR co-operation procedure between the lead and other EU concerned supervisory authorities. This can take time.
Thirty-five cross-border inquiries have been undertaken by the DPC since May 2018. By the end of 2021, thirty-one of the cross border inquiries were still ongoing, with 9 draft decisions referred by the DPC under the Article 60 co-operation procedure between lead and other concerned EU supervisory authorities.
DPC staffing levels.
The Resource Allocation Audit, conducted by independent consultants for the DPC, shows that there are 195 staff in the DPC, with approval in place to recruit another 30 and an expected staffing of 258 by the end of 2022. There were just 90 in 2018 when the GDPR became operative, so it is clear that the organization is undergoing significant and continuous growth over the last four years.
The report suggests that there are too many Deputy Commissioners reporting to the Data Protection Commissioner (currently 7, but soon to be 8) and that similarly, the number of Assistant Commissioners is also too high to optimize chain-of-command effectiveness. The report recommends a regrading upwards of senior posts, with 3 senior deputy commissioners, one of which will have responsibility for ‘International, Cross Border Regulatory Activity’, reporting directly to the Data Protection Commissioner. The report also states that the current structure of one leader is the most appropriate model for the DPC.
The DPC’s budget continues to expand year by year with €22.23m allocated for 2022, up from €19.1m last year. The increased allocation correlates, according to the report, to a 53% reduction in the average time taken to conclude a case or query over the first 24 months since the GDPR took effect. With its growing experience in statutory inquiries, the DPC expects to better plan and budget for the resources it needs in this area going forward. The report notes a growing reliance on the support of external legal resources, given the volume and complexity of issues arising in the inquiries.
The Resource Allocation Report also makes a number of other recommendations, including an encouragement of further outsourcing where it can deliver improved efficiency, a review of business processes, the setting of performance targets and enhancing information systems. It is clear from both reports that the DPC is proactively working to address the criticisms levelled against it, while operating in a challenging and continually evolving regulatory ecosystem, and while facing a tight skills market.
The proposed reconfiguration of an organization that has outgrown its original structure and taken on significant new responsibilities in the last four years is recommended for implementation during 2022/2023.