Critics are raining down on the Data Protection Commission (DPC), the Irish data protection authority, accused of a lack of rigor vis-à-vis Gafam with regard to European regulations in force for three years now. MEPs voted at the end of last week in favor of a resolution calling on the European Commission to open an infringement procedure against the DPC for not having correctly applied the GDPR.
As TechCrunch reports, the European Commission highlighted the lack of uniformly rigorous implementation last summer during its biennial GDPR review. But after three years, what are the data protection authorities doing? The strongest sanction pronounced against a technological giant emanates to date from the French Cnil in April 2019, against Google, for an amount of 50 million euros.
The Parliament resolution targets the Irish authority, the country where the majority of the major technology firms have established their regional headquarters, including Facebook, Apple, Google or Microsoft, and which is considered the main supervisory authority under the principle the one-stop-shop for cross-border affairs.
Parliament criticizes the inaction of the competent authorities
In its statement, the Parliament says it is “concerned” by the insufficient level of application of the GDPR, in particular in the area of international transfers. He deplores the lack of “meaningful” decisions and corrective measures in this regard. He also underlines the fact that the supervisory authorities have not taken proactive measures to “force the DPC to comply with its obligations under the GDPR”.
MEPs are also worried about “the lack of technology specialists working for the CPD and the use of obsolete systems”.
Following its observations, Parliament asks the Commission “to initiate infringement proceedings against Ireland for not having correctly applied the GDPR”. It also “urges the EDPS and national supervisory authorities to include transfers of personal data in their audit, compliance and enforcement strategies”.
A meager record
“At least 99.93% do not see a decision, despite funding of 19.1 million euros” quipped last month Noyb, the association by Maximilian Schrems. As we mentioned previously, the Irish DPC has rendered two decisions in 2020 and hopes to render “between 6 and 7” in 2021.
In its annual report for 2020, the DPC reports 10,151 cases handled last year, a figure up 9% compared to 2019. As of December 31, 2020, the Irish commission declared 83 statutory investigations in progress, including 56 national investigations and 27 cross-border investigations. In total, the authority claims that just over 350 complaints relating to cross-border processing were received by the Irish commission through the one-stop-shop mechanism over the year.
As a reminder, the CNIL, for its part, imposed 14 penalties, including 11 fines totaling 138,489,300 euros, against breaches of the law over the past year.