European Union lawmakers are facing further pressure to step in and do something about lackadaisical enforcement of the bloc’s flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to start an infringement proceeding against Ireland’s Data Protection Commission (DPC) for not “properly enforcing” the regulation. The Commission and the DPC have been contacted for comment on the parliament’s call. Last summer, the Commission’s two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement — but commissioners were keener to point out the positives, lauding the regulation as a “global reference point”.
But it’s nearly three years since the regulation began being applied, and criticism over weak enforcement is getting harder for the E.U.’s executive to ignore. The parliament’s resolution — which, while non-legally binding, fires a strong political message across the Commission’s bow — singles out the DPC for specific criticism given its outsized role in enforcing the General Data Protection Regulation (GDPR). It’s the lead supervisory authority for complaints brought against the many big tech companies that choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).
The text of the resolution expresses “deep concern” over the DPC’s failure to decide on several complaints against breaches of the GDPR filed the day it came into an application on May 25, 2018 — including against Facebook and Google — and criticizes the Irish data watchdog for interpreting “without delay” in Article 60(3) of the GDPR “contrary to the legislators’ intention – as longer than a matter of months”, as they put it. The DPC has only decided on one cross-border GDPR case — against Twitter.
The parliament also says it’s “concerned about the lack of tech specialists working for the DPC and their use of outdated systems” (which Brave also flagged last year) — as well as criticizing the watchdog’s handling of a complaint brought initially by privacy campaigner Max Schrems years before the GDPR came into the application, which relates to the clash between E.U. privacy rights and U.S. surveillance laws, and which still hasn’t resulted in a decision. The DPC’s approach to handling Schrems’ 2013 complaint led to a 2018 referral to the CJEU, which led to the landmark Schrems II judgment last summer invalidating the flagship EU-U.S. data transfer arrangement, Privacy Shield.
That ruling did not outlaw alternative data transfer mechanisms. Still, it made it clear that EU DPAs must step in and suspend data transfers if Europeans’ information is being taken to a third country that does not have essentially equivalent protections to those they have under E.U. law — thereby putting the ball back in the DPC’s court on the Schrems complaint. The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers, and the tech giant responded by filing for a judicial review of the DPC’s processes. However, the Irish High Court rejected Facebook’s petition last week. A stay on the DPC’s investigation was lifted yesterday — so the DPC’s process of deciding on the Facebook data flows complaint has started moving again. A final decision could still take several months more, though — as we’ve reported before — as the DPC’s draft decision will also need to be put to the other EU DPAs for review and the chance to object.
Update: The DPC said today that it’s now written to Facebook following the lifting of the stay — giving the company six weeks to provide submissions on the preliminary order. The parliament’s resolution states that it “is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR” and — in more general remarks on the enforcement of GDPR around international data transfers — it states that it:
The knotty, multi-year saga of Schrems’ Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook’s lawyers’ delaying tactics, illustrates the multi-layered legal, political, and commercial complexities bound up with data flows out of the E.U. (post-Snowden’s 2013 revelations of U.S. mass surveillance programs) — not to mention the staggering challenge for E.U. data subjects actually to exercise the rights they have on paper. But these intersecting issues around international data flows seem to finally be coming to a head in the wake of the Schrems II CJEU ruling.
The clock is now ticking for issuing major data suspension orders by E.U. data protection agencies, with Facebook’s business first in the firing line. Other U.S.-based services that are — similarly — subject to the U.S.’ FISA regime (and also move E.U. users’ data over the pond for processing, and whose businesses are such they cannot shield user data via “zero access” encryption architecture) are equally at risk of receiving an order to shut down their EU-U.S. data-pipes. Or else having to shift data processing for these users inside the E.U.
U.S.-based services aren’t the only ones facing increasing legal uncertainty, either. The U.K., post-Brexit, is also classed as a third country (in E.U. law terms). In a separate resolution today, the parliament adopted a text on the U.K. adequacy agreement, granted earlier this year by the Commission, which raises objections to the arrangement — including by flagging a lack of GDPR enforcement in the U.K. as problematic. On that front, the parliament highlights how adtech complaints filed with the ICO have failed to yield a decision. (It writes that it’s concerned “non-enforcement is a structural problem” in the U.K. — which it suggests has left “a large number of data protection law breaches… [un]remedied”.)
It also calls out the U.K.’s surveillance regime, questioning its compatibility with the CJEU’s requirements for essential equivalence — while also raising concerns about the risk that the U.K. could undermine protections on E.U. citizen’s data via onward transfers to jurisdictions the E.U. does not have an adequacy agreement with, among other objections. The Commission put a four-year lifespan on the U.K.’s adequacy deal — meaning there will be another major review ahead of any continuation of the arrangement in 2025. It’s a far cry from the “hands-off” 15 years the E.U.-U.S. “Safe Harbor” agreement stood for before a Schrems challenge finally led to the CJEU striking it down back in 2015. So the takeaway is that data deals allowing people’s information to leave Europe aren’t allowed to stand unchecked for years; scrutiny and legal accountability are now firmly up front — and will remain in the future.
The global nature of the internet and the ease with which data can digitally flow across borders, of course, brings huge benefits for businesses — but the resulting interplay between different legal regimes is leading to increasing levels of legal uncertainty for companies seeking to take people’s data across borders. In the E.U.’s case, the issue is that data protection is regulated within the bloc, and these laws require that protection stays with people’s information, no matter where it goes. So if the data flows to countries that do not offer the same safeguards — the U.S., China, India (or even the U.K.) — then that risk is that it can’t legally be taken there.
There are no easy answers to how to resolve this clash between data protection laws based on individual privacy rights and data access mandates driven by national security priorities. For the U.S. and the transatlantic data flows between the E.U. and the U.S., the Commission had warned there would be no quick fix this time — as happened when it slapped a sticking plaster atop the invalidated Safe Harbor, hailing a new “Privacy Shield” regime; only for the CJEU to blast that out of the water for much the same reasons a few years later. (The parliament resolution is particularly withering in assessing the Commission’s historic missteps there.)
A major reform of U.S. surveillance law will be needed for a fix to stick. And the Commission appears to have accepted that’s not going to come overnight, so it seems to be trying to brace businesses for turbulence… The parliament’s resolution on Schrems II also makes it clear that it expects DPAs to step in and cut off risky data flows — with MEPs writing that “if no arrangement with the U.S. is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved”.
So if DPAs fail to do this — and if Ireland keeps dragging its feet on closing out the Schrems complaint — they should expect more resolutions from the parliament to be blasted at them. MEPs emphasize the need for any future EU-U.S. data transfer agreement “to address the problems sustainably identified by the Court ruling” — pointing out that “no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance”.
“This requires a reform of U.S. surveillance laws and practices to ensure that access of U.S. security authorities to data transferred from the E.U. is limited to what is necessary and proportionate and that European data subjects have access to effective judicial redress before U.S. courts”, the parliament adds. It’s still true that businesses can legally move E.U. personal data out of the bloc. Even potentially to the U.S. — depending on the type of business, the data itself, and additional safeguards that could be applied. However, achieving essential equivalence with E.U. privacy protections is impossible for data-mining companies like Facebook — which are subject to FISA and whose businesses rely on accessing people’s data.
And while the parliament hasn’t made an explicit call in the resolution for Facebook’s E.U. data flows to be cut off, that is the clear implication of it urging infringement proceedings against the DPC (and lamenting “the absence of meaningful decisions and corrective measures” in the area of international transfers). The parliament also states in the resolution that it wants to see “solid mechanisms compliant with the CJEU judgment” set out — for the benefit of businesses with the chance to legally move data out of the E.U. — saying, for example, that the Commission’s proposal for a template for Standard Contractual Clauses (SCCs) should “duly take into account all the relevant recommendations of the EDPB “.
Leave a Reply