The finding is damning. Almost 99.93% of complaints lodged with the Data Protection Commission (DPC), the Irish equivalent of the National Commission for Computing and Liberties (CNIL), are unsuccessful, according to the digital rights association NOYB.
0.07% of complaints are successful
In 2020, 10,000 complaints were lodged with the personal data protection authority. According to the DPC, only six to seven formal decisions are expected to be issued in 2021, or 0.07% of the complaints registered. Yet it received additional funding of 19.1 million euros.
Faced with this “disappearance”, NOYB president Maximilian Schrems speaks of a “Bermuda Triangle”. He accuses the DPC of confusing “treating” a case with deciding it. However, “the law of 2018 (the General Data Protection Regulation, editor’s note) does not oblige the DPC to produce a decision in the event of a complaint”, replied Helen Dixon, who heads the authority, as quoted by the Austrian association.
NOYB, however, points out that Article 8 of the Charter of Fundamental Rights of the European Union deals with the right to the protection of personal data. The national data protection authorities (DPAs) of each country are responsible for enforcing this right for each user, free of charge and within a reasonable time. “European law requires an easy and free way to assert your rights. The DPC now openly denies this right to all European citizens”, protested Maximilian Schrems.
The DPC, the main authority for the GAFAM
Even among the protection authorities, voices are beginning to be raised about the passivity of the Irish CNIL, which is said to prevent proper enforcement against the behavior of large technology companies. As a reminder, the DPC is the watchdog for these companies, since the majority of their European headquarters are located in Dublin.
The only sanction imposed by the Irish CNIL is the one of 450,000 euros on Twitter for incorrectly reporting a data breach in 2018, which made protected tweets public. The authority is also expected to make a much-anticipated decision on WhatsApp in the coming months.
Faced with these accusations, Helen Dixon is trying to defend her institution. For example, she highlighted the fact that the DPC was the only authority to take measures following the invalidation of the Privacy Shield by the European court last July. She called on Facebook to immediately stop transferring data from European users to the United States. The procedure is still ongoing.
Countries call for the end of the “one-stop-shop”
The DPC has also accused its counterparts of invoking political reasons to question its effectiveness. These are “the same data protection authorities who are now criticizing Ireland and the One Stop Shop” as “those who have officially rejected the concept of one-stop-shop (…) it is not surprising that there is a political element in the criticisms which are made”, she explained.
As a reminder, it is the GDPR that gave the DPC a watchdog role under the “one-stop-shop” principle. This text provides that a body established in the EU must have as its sole interlocutor the authority of the country where its “main establishment” is located. Ireland was thus quite naturally chosen as a “one-stop-shop” to handle all personal data disputes.
France is one of the countries calling for the abolition of this system. But European officials fear that this will erode the principle of a common market. “This would remove one of the first pillars of European law and mean that a company, instead of being subject to a single authority, would be subject to 27 authorities”, said a source quoted by the Financial Times.