With GDPR going into force in two weeks, many eyes are turned to European data protection authorities, whose mandate and powers will be greatly expanded. In a Privacy Perspectives piece yesterday, Thomas Shaw questioned the credibility and competence of the Irish Data Protection Commissioner. While we frequently host content that we don’t necessarily agree with in our publications and conferences at the IAPP, this time I would like to respond to Shaw’s piece, since I read it as an unnecessary and inaccurate attack on a central piece of the European regulatory puzzle.
Shaw’s piece is laden with internal contradictions: He criticizes the Irish DPC for its “reputation for working with parties to try and reach a consensual solution,” lamenting the fact that soon the U.K., the “most litigious member state drops out,” while at the same time arguing the Irish DPC “opted for litigation it could scarcely afford.” Which is it then, does the Irish DPC litigate too little or too much? And why is it that, even if true, a reputation for working with parties is a bad thing? Shouldn’t regulators, lawyers and judges — anyone really — aim to settle disagreements amicably? In fact, advising controllers and conducting prior consultations is a central pillar of a DPA’s role under the express language of GDPR (GDPR Articles 36, 51(3)(a)).
Importantly, Shaw demonstrates a fundamental misunderstanding of the Irish DPC’s role, which isn’t just to enforce against and punish companies, but rather “monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union” (GDPR Article 51(1)). This careful balance of the twin goals — protecting privacy while facilitating data flows — has been the cornerstone of the data protection framework since the 1980s. Shaw’s claim that high-tech multinationals locate their EU headquarters in Ireland for “the engagement willingness of the Irish DPC” is baseless. Dublin’s attractiveness for tax, language and geographic reasons predated GDPR by many years and has little if anything to do with the Irish DPC’s open door policy, if there even is one.
Shaw gives the impression that the Irish DPC has recently handled just four complaints, and in all of them taken a stand against data subject rights and interests. This claim is unfounded and misleading. The Irish DPC is different from most other European DPAs in that it is required by law to investigate and resolve all complaints submitted to it and to issue decisions that then become subject to a statutory right to appeal. In fact, according to its latest annual report, the Irish DPC last year handled 2,642 complaints and resolved 2,594 of them. Compare that, for example, to the Dutch DPA’s annual report, which states that it investigated “approximately 50” complaints in 2015.
In its latest annual report, the Irish DPC writes:
“It is the statutory obligation of the DPC to strive to amicably resolve any complaints we receive from members of the public. Throughout 2017, the vast majority of complaints were concluded amicably between the parties to the complaint without the necessity for issuing a formal decision under Section 10 of the Acts. In 2017, the Commissioner issued 34 decisions of which 30 fully upheld the complaint and four rejected the complaint. A total of 2,594 complaints were concluded in 2017, which is an 80% increase on the 1,438 complaints closed in 2016.”
These facts show that, in stark contrast to Shaw’s assertions, the Irish DPC upholds the majority of complaints. Where it doesn’t, the complainant has the right to appeal to a court. And in the vast majority of those cases, Irish courts uphold the Irish DPC decisions.
Shaw’s analysis of an anecdotal collection of cases is superficial and based on either a misunderstanding or, worse, misrepresentation of the legal landscape. It’s also beside the point, but the central cases he invokes, Schrems and Nowak, date back six or more years.
Unlike Shaw’s misrepresentation, in Schrems I, the Irish DPC didn’t blithely dispose of the complaint because Schrems “could not prove his data had been accessed by U.S.”; rather, the Irish DPC deferred to a decision of the European Commission, which it perceived to be binding on it, as was probably indeed the case under the constitutional and legislative framework predating the Charter of Fundamental Rights. Shaw’s faulty description of Schrems II depicts the role of the DPA as a modern-day Robin Hood who should be “simply agreeing to [Schrems’] request and siding with the data subject against a powerful controller.” Alas, the CJEU holding in Schrems I clarified that annulling a decision of the European Commission is the sole prerogative of the European high court, requiring the Irish DPC to do exactly as it had done, that is, to refer the case to Luxembourg via the national high court.
In contrast to Shaw’s assertions, a prudent DPA should not shy away from litigation, regardless of whether the law is on the complainant’s or defendant’s side. It is high time that Europe develop a body of jurisprudence to begin clarifying the plethora of ambiguities and interpretative questions under the GDPR. For example, referring to the Savage case, Shaw sanctimoniously criticizes the Irish DPC for “using up chunks of their limited budget, against the data subject and in conjunction with controller Google,” and asking, “is it the proper role of the Irish DPC to be making life easy for cash-rich controllers like Google to the detriment of the rights of data subjects?” In fact, in that case, the Irish DPC, in one of the first court cases addressing the intricacies of the right to be forgotten, challenged a circuit court’s holding that threatened to limit Reddit users’ freedom of expression. In one place, for example, the circuit court held that the plaintiff’s depiction as “homophobic” might be viewed as a statement of fact rather than an expression of opinion since the URL heading that linked to the Reddit stream didn't appear in inverted commas. This assertion reflects a lack of understanding of the search function and medium, which, unlike traditional media, doesn’t frame opinions in a box. The decision was reversed upon appeal by the Irish DPC.
In response to Shaw’s piece, I suggest we put aside such attempts to lash out and focus on what unites our profession. In the short time we have until GDPR comes into force, and the long process of preparing our organizations for compliance after it, let us settle our differences cordially, debating the merits in a style and tone that for many years has characterized our community.
If you want to comment on this post, you need to login.