The EU is supposed to have the most rigorous data protection laws in the world. With the EU General Data Protection Regulation, ePrivacy Directive (and the proposed ePrivacy Regulation), Police and Criminal Justice Directive, and Network and Information Security Directive, all new or recently revised, these comprehensive and modern statutes compare favorably with the U.S. federal privacy regime based on laws passed 20 to 30 years ago, each targeting a different area of privacy or security. Although the totality of the U.S. data protection is better than it appears when the numerous state privacy laws are factored in and the role of litigation including class actions is given its due weight, the EU appears to have set a better table for privacy than the U.S.

Because EU cultures are generally less litigious than the U.S., the effectiveness of privacy laws really comes down to the ability and desire of the data protection authorities in each member state to enforce the law. The importance of their role cannot be overstated, despite the ability of the data subjects to bring legal proceedings in court and to collect damages for violation of the GDPR under articles 79/82. This judicial avenue will certainly bring a few headline cases, but with the U.K. leaving the EU, the most litigious member state drops out. Most EU residents will then continue to look to their DPA to enforce their data protection rights, for cost if not cultural reasons.

So, what is the enforcement effectiveness of the DPA many EU data subjects are forced to rely on, the Irish Data Protection Commission?

In contrast to the purportedly tougher enforcement postures undertaken by DPAs on the European continent, the Irish DPC has a reputation for working with parties to try and reach a consensual solution. Many very large American high-tech firms locate their EU global headquarters in Ireland, both for the low corporate tax rates and the engagement willingness of the DPC (it ain’t for the weather!). According to its own audit guidelines, the DPC does not levy administrative fines on data controllers. The commissioner believes a cooperative tone to be more fruitful in obtaining results and allows the DPC to work within a limited budget.

While this type of engagement approach seems to work well for attracting business and jobs, is it optimal for protecting the rights of data subjects? The role of supervisory authorities under the GDPR is enforcement to “protect the fundamental rights and freedoms of natural persons in relation to processing.” However, the DPC has been on the non-data subject side of several public court decisions in recent years, which are reviewed below.

So, from the perspective of the average EU data subject relying upon it, is the Irish DPC fit for purpose?

Public cases

The most far-reaching result of the Schrems I case is well known, the invalidation by the Court of Justice of the EU of the Safe Harbor Agreement between the EU and U.S. What is less discussed is the legal process leading up to that judgment. Schrems had originally filed his complaint with the DPC in Ireland, where Facebook has its EU headquarters. Unlike the previous 22 complaints he had filed with the DPC about Facebook, this complaint focused on allowing U.S. security services access to his personal data under the PRISM program, so he wanted his data to not be sent to the U.S.

Among other points, the Irish High Court reviewed the contention by the DPC that Schrems could not bring a complaint about the PRISM program because he could not prove his data had been accessed by U.S. security services like the NSA. The High Court ruled that transfer of his personal data to a country without adequate restraints on access by its security services was itself a violation of the fundamental right of data protection under the EU Charter of Fundamental Rights. Rejecting the DPC’s position, the court ruled it a violation of those data protection rights if a data subject “had reason to believe that it could be routinely accessed by security authorities on a mass and undifferentiated basis.”

Schrems II eventually concerned standard contractual clauses. The original complaint was reformulated by the complainant to no longer target the Safe Harbor. Complainant Schrems asked that the flows of personal data from Facebook Ireland to Facebook in the U.S. be stopped by the DPC, as they have that power under the Data Protection Acts and had the power under the SCC decision used by Facebook. The revised SCC decision states this power in part as: “Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to third countries in order to protect individuals with regard to the processing of their personal data.”

Instead of simply agreeing to this request and siding with the data subject against a powerful controller, the DPC opted for litigation it could scarcely afford.

Instead of simply agreeing to this request and siding with the data subject against a powerful controller, the DPC opted for litigation it could scarcely afford. This despite the DPC’s view that the rights of data subjects were being violated by the “mass surveillance” activities undertaken by U.S. intelligence agencies. This also was contrary to what was requested by the complainant, with the DPC deciding that they would instead question the validity of the EC’s decision on the SCCs involved. Purportedly the cost of this one complaint and resulting voluntary litigation used up about half of the original annual budget of the DPC. That does not include the future cost of CJEU litigation for the referred questions. Was this approach the one best serving the needs of all other Irish and EU data subjects, not to mention the desires of the original complainant data subject?

In Nowak, the data subject had sat for an accountancy exam without success four times. He then issued a data subject access request to receive his personal data including his exam script and grading comments. The request was refused by the accountancy institute believing this was not his personal data. On appeal, the DPC agreed with the data controller that what was requested was not personal data and so not a material breach of the Irish Data Protection Acts. The DPC refused to investigate the data subject’s complaint, considering it “frivolous or vexatious.” The DPC argued before the Supreme Court of Ireland that its decision that a complaint was frivolous or vexatious could not be reviewed by a court, but the Supreme Court of Ireland rejected this procedural argument.

The substantive argument made by Nowak was that his exam script was personal data, either because it was in his handwriting or because the Irish Data Protection Acts referred to exam results as personal data so therefore the raw materials of that score should also be his personal data. The Supreme Court referred this second question to the CJEU. The Advocate General’s opinion stated that a handwritten exam script and the corrections made on it by reviewers constituted personal data, thereby supporting the data subject and rejecting the position of the DPC. The CJEU’s judgment concurred that this was indeed personal data, supporting the data subject’s contention contrary to the position of the DPC and the controller.

In Savage, a data subject turned to the DPC when Google refused to honor his right to be forgotten. The data subject had run for local political office with one objective being to curb open homosexual activity in public places. Consequently, a Google search on his name would return a Reddit URL post describing him as a homophobe. The DPC ruled against the data subject, believing that as this post was merely an opinion, it could not be inaccurate leading to an exercise of the right to be forgotten. Further, internet users would not look to online discussion forums for facts.

The Irish circuit court overturned the DPC’s decision, as it could not conclude that describing him as a homophobe without quotation marks in the title of the URL would clearly be taken as an opinion without more, such as reading the entire thread. The court sided with the data subject, rejecting the DPC’s position that internet users would not consider online forums to be “a source of verified facts.” The DPC appealed, again using up chunks of their limited budget, against the data subject and in conjunction with controller Google. While the high court reversed due to a lack of deference, is it the proper role of the DPC to be making life easy for cash-rich controllers like Google to the detriment of the rights of data subjects?  

Four recent public court cases and in all the DPC supported the data controller against the needs or wishes of the data subject.

Four recent public court cases and in all the DPC supported the data controller against the needs or wishes of the data subject. To the credit of the DPC, they are not hiding these cases, all are listed on their website. However, the role of the DPC per its website is to ensure data subjects' “legal rights are fully upheld, and that organisations meet their obligations under the Data Protection Acts."

Is the notion that it aids controllers against data subjects really the image that the DPC wants to portray?

photo credit: Dublin (46) via photopin (license)