Imagine you're a school teacher and the most disruptive children in the school have all been put in your class. At the beginning of the school year, you are only given one teaching assistant to help you which clearly isn't enough. By the end of the second term, you're able to increase this to two teaching assistants. But looking after so much disruption is exhausting and a number of the other teachers complain that the noise from your classroom is a distraction. They want the headteacher to intervene and insist you take a more disciplined line. This is a taste of what it must be like for the Irish Data Protection Commission (DPC) regulating some of the most disruptive companies in the world which have chosen Ireland as their EU headquarters.
Facing criticism for a number of years over its enforcement record, the DPC has to deal not only with the views of the other data protection authorities, but ultimately with the European Data Protection Board (EDPB). Since Ireland is the EU base for a number of the most powerful companies in the world, it is Ireland which has become an EU data privacy regulatory enforcement flashpoint.
Meta, Meta everywhere
A seismic illustration of just how central the DPC's role is, came in early January 2023 involving Meta. The DPC announced that a complaint made in 2018 had now run its course resulting in two fines for Facebook and Instagram of a total of €390m. More significantly than the fines, the DPC confirmed that Meta could not rely on the 'necessary for performance of a contract' legal basis to process personal data for personalised advertising. This was not, however, the DPC's initial view. In fact, the DPC had initially considered that Meta could rely on contractual necessity as a lawful basis since the Facebook and Instagram services are premised on the provision of personalised services including advertising. The DPC originally issued draft decisions with a fine of up to €36m (mostly for lack of transparency) to other concerned supervisory authorities.
While these supervisory authorities agreed with certain aspects of the DPC's decisions, a number disagreed that Meta could rely on contractual necessity as a lawful basis for personalised advertising so the decisions were referred to the EDPB for dispute resolution under the Article 65 GDPR procedure. The EDPB subsequently required the DPC to issue revised decisions to indicate that contractual necessity is not, after all, available to Meta for personalised advertising purposes.
A few weeks after the Instagram and Facebook decisions, a similar process was revealed to have taken place regarding another Meta company, WhatsApp. Again, the EDPB effectively overruled the DPC on the issue of reliance on contractual necessity, this time for the delivery of services and security (excluding IT security).
Article 65 GDPR confirms that the decision of the EDPB is binding, whatever the views of the lead regulator issuing the final decision. So the DPC has had to fall into line and follow the EDPB's interpretation of the limitations of the contractual necessity lawful basis in these situations. Arguably this is how the GDPR is designed to work. Article 70 specifically indicates that the EDPB shall "monitor and ensure the correct application of" the GDPR. The consistency mechanism and dispute resolution process are set out to do precisely that.
The actual impact of the Facebook and Instagram decisions could be lethal for the online advertising industry if the only lawful basis available to them for this practice is consent (and GDPR consent is a tough standard to meet), although legitimate interests may also be available. Meta is required to make changes to its processing within three months. It's little surprise that in response to the final Instagram and Facebook decisions, Meta has said it will appeal.
More broadly though, these Meta decisions illustrate a number of factors which are perhaps felt especially acutely by the DPC – the complexity of the GDPR investigation process, the pressures on regulator resources, the role of the consistency mechanism process and influence of the EDPB, and despite the GDPR's attempts at harmonisation, the extent to which individual supervisory authorities differ on how the GDPR should be interpreted.
The DPC's enforcement track record
The DPC's heavy workload is not to say that it hasn't been enforcing the GDPR. It has issued several substantial fines and launched multiple investigations whether into complaints made or of its own volition following media reports.
For instance, the DPC fined Twitter €450,000 in December 2020 for failing to meet its data breach notification obligations. The DPC has also been actively engaged in reminding Twitter of its privacy compliance obligations while dealing with its recent layoffs under Elon Musk's ownership, and the DPC launched an enquiry in late December 2022 following reports that Twitter datasets had been made available online.
When it comes to Meta, in addition to the January 2023 fines, the DPC has fined Meta, Instagram and WhatsApp for various acts of non-compliance. These include Meta Platforms Ireland Ltd receiving a fine of €17m in March 2022 for security weaknesses, and a further €265m in November 2022 for breach of the requirement for data protection by design. In September 2021, WhatsApp was fined €225m for transparency failings following an EDPB binding decision, and Instagram was fined €405m in September 2022 for breaches relating to children's privacy (the highest fine issued by the DPC at the time and again, likely to be appealed).
For some of these more significant fines, the companies have indicated they will appeal. Certainly the global giants have deeper pockets to mount an appeal and seek a reduction or cancelation of a fine. But such tactics may only stave off the gavel for tech companies as Meta has recently found out.
Meta (WhatsApp) appealed to the Court of Justice of the EU to seek annulment of the September 2021 decision by the DPC to fine WhatsApp €225m. However, in December 2022, the CJEU (General Court) ruled that the fine would be upheld (Case T-709/21, WhatsApp Ireland v EDPB). This was the first time that the CJEU ruled on an application to annul a binding decision by the EDPB. One of the reasons the Court declined to intervene is that the action would create a situation of two judicial proceedings which overlapped running in parallel given that Meta also appealed the fine in Ireland. This ruling will give organisations pause for thought on whether to challenge the fines issued by data protection regulators but does not, so far, seem to have deterred Meta from continuing to challenge the DPC's decisions.
Of course there have been other fines from the DPC away from the tech sector. In April 2022, for example, the Bank of Ireland was fined €463,000 due to its incorrect use of customer details which could impact customer's credit ratings and for not being transparent with customers. But the tech sector appears to constitute the lion's share of the DPC's work with reportedly around 40 open enquiries into tech companies (as at end 2022).
Relationship with the EDPB and other data protection authorities
The DPC is one of the supervisory authorities that has had the most interaction with the Article 65 process triggered when there is a dispute between competent supervisory authorities on the enforcement action to be taken by the lead regulator. In the last few days of January 2023, we learnt that the DPC has triggered the Article 65 process yet again for the greatly anticipated decision on Meta's data transfers to the US (connected with the Schrems II saga). This is therefore becoming a fairly standard pattern i.e. the DPC makes a decision which is then referred to the EDPB under Article 65. It then transpires that, more likely than not, the resulting decision by the EDPB overrules what the DPC has decided. For instance, where the DPC triggered the Article 65 process following its original proposal to fine WhatsApp's up to €50m for contraventions of the GDPR transparency requirements, the EDPB's response found more violations by WhatsApp, identified where the DPC had not calculated the level of the proposed fine correctly and also reduced the time period for WhatsApp to implement corrective measures. It's not difficult to imagine that there could be friction between the EDPB and DPC on the approach to regulatory enforcement.
Of the binding decisions published currently on the EDPB's website (as of February 2023), six of the eight decisions concern the DPC which is an indication that the DPC is squarely at the heart of this developing area of law and practice.
A striking insight into the relationship between the EDPB and DPC is glimpsed in the DPC's announcement of the Meta decisions in early January 2023 which included a statement at the end criticising the EDPB's overreach in directing the DPC "to conduct a fresh investigation that would span all of Facebook and Instagram's data processing operations". The DPC observed that the EDPB "does not have a general supervision role akin to national courts… and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation". This is an example of the inbuilt tensions within the GDPR between the independence of a supervisory authority and the role of the EDPB. The DPC has indicated that it will take the EDPB to court to annul this aspect of the EDPB's direction. This difference of view could lead to significant fallout among the data protection regulatory community if both sides dig in for any judicial contest. It's important to remember that the DPC is itself part of the EDPB!
Criticism of the DPC
The DPC has been subject to a variety of criticism in recent years and has felt the heat from a number of places. With a lively privacy activist environment in Ireland, the DPC is under a high degree of scrutiny. Back in 2021, the Irish Council for Civil Liberties (ICCL) criticised the slow enforcement progress of the DPC calling Ireland "the GDPR's worst bottleneck". In particular, the ICCL pointed to the failure of the DPC to promptly send draft decisions to the EDPB. The report prepared by the ICCL also indicated that the DPC needs structural reforms to improve its regulatory enforcement, pointing to the fact that the Spanish data protection authority (the AEPD) produced more draft decisions than the DPC despite having a smaller budget (see here for more on AEPD enforcement).
Additionally, the ICCL wrote to the European Commission in September 2021, alleging that the DPC was not properly enforcing the GDPR against big tech firms and asking the Commission to start infringement proceedings against Ireland. This complaint ultimately led to the involvement of the European Ombudsman who decided to open an enquiry in February 2022 into the collection of the information by the Commission to inform itself on the application of the GDPR in Ireland. The Ombudsman concluded her investigation into this matter and found the EU monitoring of Ireland's compliance with the GDPR to be appropriate. The Commission currently receives a bi-monthly overview from the DPC of its handling of big tech cases and the Ombudsman made a number of suggestions on how to improve the process but did not consider it to be deficient. The Commission did, however, subsequently decide it would require bi-monthly regulator reports on all largescale cross-border investigations, and not just from the DPC.
Response to the criticism
While the DPC has received an increase in its budget over recent years, it has long been criticised for not taking sufficient action in response to complaints and incidents concerning principally global technology companies with their EU headquarters in Ireland. The DPC is not ignorant of the complaints it has faced in these early years of GDPR enforcement and has issued responses in various ways. The demands on the DPC were highlighted in an independent Resource Allocation Audit published in March 2022 (and carried out by KOSI Corporation) examining the resource allocation within the DPC. It includes a clear acknowledgement from the DPC that it faces challenges due to its work load and is not meeting its customer service objectives, suffering from a strain on internal resources, reputational damage and an increasing number of cases being subject to judicial review or other legal action. Consequently, the DPC itself has recognised that its current structures are under pressure due to the casework it is dealing with.
In December 2021, the DPC published its regulatory strategy for 2022–2027. This highlighted five key areas:
- regulate consistently and effectively
- safeguard individuals and promote data protection awareness
- prioritise the protection of children and other vulnerable groups
- bring clarity to stakeholders
- support organisations and drive compliance.
The DPC commented under 'Support organisations and drive compliance' that, although the GDPR has introduced harmonised data protection law, there is no harmonised enforcement framework which has led to "some inconsistencies of understanding as to what impactful regulation means". In particular, the DPC notes that there "is sometimes a tendency to conflate fining with regulatory success". The DPC emphasised that it was committed to using the full range of its regulatory tools and indicated that there is value beyond the application of penalties to "include changing cultural approaches to data protection for the benefit of society as a whole". Essentially, the carrot can be as powerful at effecting long-term change as the stick.
The future
The recent GDPR fines from the DPC do not appear to be prompting global big tech companies to move their EU headquarters out of Ireland. Ireland continues to be a favourite destination, mainly due to its tax laws. As such, the DPC will continue to be one of the most important regulators grappling with the GDPR in a country which has an active privacy campaigning community. Additionally, given many of these businesses span the EU, it appears that, at least in the short term, the DPC will frequently engage with the Article 65 process and therefore with the EDPB when agreement cannot be reached with fellow regulators. In order to carry out this role effectively, the DPC needs proper resources and expertise, aspects that it is hoped it will be able to develop further in the years ahead given the size of the task.
