The DPC is under pressure from critics with varied agendas. The backdrop for all of this has to be criticism from late last year, especially the criticism of the handling of some cases investigated by the DPC . Much of this criticism, perhaps unexpectedly, came from other EU Data Protection authorities, and more from journalists, commentators, interested actors ( some perhaps with questionable motives) and data protection practitioners. In the foreground will be the DPC’s recently announced 2022-2027 regulatory strategy, which is timely in light of all the criticism levelled at the DPC of late. An annual report from the DPC is also informative and its timing is helpful to the public and for the morale of staff at the DPC. It is available here for your convenience.
In some opening remarks to the new regulatory strategy the DPC acknowledges that some “challenges, against a backdrop of hugely increased public consciousness of data protection, have given rise to ambiguities of interpretation and application of the law that the DPC – along with its peer data protection authorities – must work to clarify”. The regulatory strategy is also “being implemented in the very early years of radically reformed data protection legislation – in the form of the GDPR and ancillary Law Enforcement Directive – along with all the attendant interpretative challenges that such immense regulatory change usually produces”.
The DPC “recognises that it cannot achieve its ambitions alone – new partnerships and new ways of engaging will be necessary as we look towards a future of closer convergence. Nonetheless, the DPC builds from a position of confidence: we are a Regulatory office with ambition, a clear sense of purpose, a history of achievement, and a future of considerable promise”. This last sentence will be questioned by many and it will irritate even more. It can hardly be stated with any conviction that the DPC builds from a position of confidence and a history of achievement. If anything, maybe it has underachieved, but that is for another time and forum.
Another sentence, “The DPC is of the belief that compliance in general will be greatly improved when stakeholders are clear in their understanding of how the law is enforced”, holds the essence of much of the criticism levelled at the DPC. Stakeholders are not clear in their understanding of how the law is enforced and many of these stakeholders are other EU Data Protection authorities who have their own expertise in knowing and applying the GDPR, in particular. A stated goal in the new strategy is to bring clarity to stakeholders. This is easily stated as a goal to aim for, but again, sure to irritate many . Data protection law experts GDPRXPERT .ie take the view that the direct and primary strategy to achieve this goal will not be stated as easily. Two aspects will be key: having a clear goal, and knowing the most effective route to get to that goal. Compromises will be needed along the way as there are so many stakeholders involved. Ultimately, although the most effective route may well be signposted, there will be necessary diversions along the way in the interest of overall stakeholder consensus. Pragmatism has to guide any strategy where there are legitimate and valid competing interpretations of any regulation. In this context, the co-operation and consistency mechanism under GDPR is a clear example of necessary deviation from a legitimate route to a destination.
GDPRXPERT previously looked at issues in relation to the workings of the office of the DPC ( see https://www.gdprxpert.ie/the-dpc-is-not-infallible/). We can say that some of the more recent criticism levelled at the office of the DPC is unjustified, some is justified, and more is premature. There is premature criticism because the CJEU still is going to have to interpret some aspects of the GDPR so that at least there is more clarity ,if not 100% certainty, in relation to some contentious aspects of the GDPR. It is not surprising that some of the criticism of the DPC consistently emanates from the same sources, and one has to consider the possibility that some of these sources have their own particular agendas. Some of these agendas have very little to do with bolstering the data protection environment for any data subject. These agendas are more to do with using supposed concerns about data protection as a shallow conduit to increase their own profiles. Repetitive sources that spring to mind include Max Schrems and his NOYB organisation, The Irish Council for Civil Liberties , and some Euro MEPs who are sceptical about everything, including their own fellow sceptics.
From the inception of the GDPR it became clear that the role of the Irish DPC would be central in the overall enforcement of the Regulation. There was no way it could be other than central, having so many global tech companies head quartered here. Indeed, there is much anecdotal evidence of regulators in other jurisdictions not exactly wishing the office of the DPC the best in their GDPR enforcement endeavours. Unquestionably, some regulators in more populous countries felt slighted by the stronger role the DPC here was destined to play. This was shared by many MEPs with nationalistic fervour, as opposed to European commitment . There was a similar sentiment expressed for years in relation to Ireland’s corporation tax regime.
It may be that criticisms that gained media attention at the end of 2021 had their origins in similar nationalistic contexts. For example, several members of the European Parliament (MEPs) recently wrote to the EU authorities and Minister for Justice Helen McEntee accusing the Irish DPC of lobbying for lower standards for big tech. This was vehemently denied by the DPC. It seems to expert data protection consultants, GDPRXPERT, that these criticisms were outlandish. At the core is an allegation that the DPC was acting in bad faith and devoid of objectivity. This was particularly the case in relation to the criticism directed at the DPC concerning some of its interactions with Facebook.
The DPC responded by stating, “ There has been considerable media coverage in recent days, alleging that the Data Protection Commission (DPC), acting in bad faith on foot of meetings it held with Facebook as part of its regulatory role, “lobbied” the European Data Protection Board (EDPB) with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b) GDPR (‘necessity for the performance of a contract’), in the best interests of the company. These allegations are utterly untrue. Issuesrelating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. That procedure is currently being conducted under Article 60 of the GDPR. (Art. 60 GDPR sets out the scenarios for co-operation between the lead supervisory authority and other supervisory authorities concerned over the same issue.) More significantly and separately, Article 6(1)(b) is the subject of proceedings before the Court of Justice of the European Union.”
As referenced earlier, the objective in going to the CJEU is to get clarity on an issue where it may not be possible to get certainty. There is not always going to be ‘a one size fits all’ decision. From a pragmatic perspective, often the best that can be expected is clarity, as opposed to certainty. Circumstances change from case to case and so much within the GDPR has valid differing interpretations. Differing interpretations are consistent with a regulation that has to be interpreted and applied in light of other competing rights. It has also been alleged that the DPC approved/ negotiated/ jointly developed Facebook’s position in relation to the legal basis for its processing operations. “This is absolutely incorrect and without basis in fact. To be clear, the DPC does not and never has, endorsed, jointly developed, approved or in any other way assented or consented to a controller’s or processor’s policies or position in relation to compliance with its data protection obligations”( DPC statement, 7th December, 2021).
Form of the criticism
A central tenet of the criticism in relation to the DPC’s dealings with Facebook on the issue of contract as a lawful basis for processing is that the DPC sought to subvert the procedures of the EDPB with a view to achieving the adoption of guidelines by the EDPB on Article 6(1)(b), favourable to the interests of a particular controller. As a long established data protection advisory service, GDPRXpert.ie would reject that immediately. What can be accepted is that issues relating to the proper legal interpretation of the necessity for the performance of a contract are presently the subject of an ongoing regulatory procedure. The outcome of the procedures to which reference is made above will of course bind controllers and regulators alike, and may determine whether, when, and in what circumstances Article 6(1)(b) may be relied on by controllers as providing a legal basis for certain of their personal data processing operations.
Some critics of the DPC seem unaware themselves of the process that precedes the issuance of any guidelines from the European Data Protection Board on the interpretation of any concepts inherent in the GDPR. Amongst other things, according to the DPC, the criticism also “reveals a lack of any kind of basic understanding of the workings of the EDPB, and how, through an iterative process, divergent views relating to complex issues of principle are typically reconciled through dialogue, and through respectful and mature engagement”. ( DPC statement, 7 December, 2021)
It is a common sense expectation that stakeholders’ compliance level will improve when they are clearer in their understanding of how the law is enforced. This is especially so when regulations such as the GDPR are based on some very broad principles, ( See Art.5 GDPR) rather than specifics, thus making regulations more open to interpretation than, for example , road traffic legislation. No wonder then that the DPC is involved in so much discussion with other Supervisory Authorities in other EU countries, and other stakeholders, with the goal of increasing certainty and stability in how data protection law is to be applied. If the DPC is doing this in good faith, then can any criticism be justified? Increased certainty and stability is to the benefit of all stakeholders.
This has been a consistent prong of attack for critics of the DPC but what is often ignored or denied is the complex nature of many of the issues involved. As with all EU regulations the CJEU is the final arbiter in the case of dispute, and the journey to that final point is long and arduous. Along the way, many opinion writers are guilty of unprofessionalism in simply repeating the same sources and quoting incorrect statistics. One of the most vocal critics of the DPC before and since the GDPR has been Max Schrems. Schrems No:1 and No: 2 dragged on for years, but through no fault of the DPC. A closer look at these cases may enable a clearer understanding of the legal obstacles to be overcome in order to avoid the procedural pitfalls embodied in much of the GDPR. They also should demonstrate the complicated nature of the legal and regulatory remit of the office of the DPC.
The painstaking nature of the legal processes that must be gone through to make prudent adjudications on data protection law issues leads to unfair criticism being directed at the DPC. Such criticism usually takes the form of hastily made statements to the press citing inaction by the DPC. These statements are often perceived as facts by some journalists who lack an understanding of both the depth of data protection issues involved and the consequences of a misapplication of the facts. Criticism is often then repeated without any objective analysis. Some analysis that is carried out is done by those least qualified to do it. Again, data protection law advisers GDPRXPERT.IE would reject such criticism as ill-informed at best and strategically devised at worst. If one takes the High Court judicial review taken by FBI, [2020 No. 617 JR.] [2020 No. 126 COM.] , the judgment runs to 200 pages and is deserving of more than a cursory perusal by some commentators who later claimed to be expertly knowledgeable. What was clear from their comments was that, in all likelihood , they had hurriedly skimmed through a few pages.
Schrems seems to have taken matters somewhat personally and accused the DPC of failing to make a decision. In fact, much of his criticism seems to take the form of personality based attacks rather than legal or principles based formats. He seems to never have forgotten that his original complaint was dismissed on grounds of frivolity by the DPC. This seemed a reasonable view at the time, and it was only in the aftermath of the full revelations by Edward Snowden that the scenarios took on a different texture. However, what was lost on Schrems, who is himself a lawyer, was that, as pointed out by Bermingham J in O’N v McD  IEHC 135, “the words frivolous and vexatious are terms of the Article, they are legal terms and they are not used in a pejorative sense. They merely mean the plaintiff has no reasonable chance of succeeding, and that , because there is no reasonable chance of success, it is frivolous to bring the case”.
A position taken by the DPC was that once an adequacy decision (here, the Safe Harbours Agreement) had been issued, the office had no part in investigating a complaint. This has always been the accepted view in relation to Commission decisions . For example, in Schrems No. 1 the CJEU stressed that while national authorities retained the ability to examine EU decisions, the CJEU alone retained the authority to declare an EU act (such as a Commission decision) invalid. It was clearly not within any legal remit of the DPC to act as a quasi court of last resort. Safe Harbours itself stood as testament to the adequacy of the protection of transfers of personal data to the US. Mr Justice Hogan in the High Court thought Schrems was objecting more ‘to the terms of the Safe Harbour regime itself’, than to the DPC’s application of it. (Schrems v DPC  IEHC 310 (18 June 2014) Para.69). Another position taken by the DPC was that the complaint ( the original) was essentially speculative and hypothetical in nature. However, Mr. Justice Hogan took the view that there was no need to establish that the applicant had even grounds to suspect such a breach had occurred. It was enough to believe the mere absence of controls might lead to a breach of the applicant’s rights. If the matter was solely governed by Irish law significant issues would have arisen under the constitutional right to privacy.
Mr Justice Hogan referred the case to the CJEU partly on the basis that, ‘in reality, on that key issue Irish law has been pre-empted by general EU law in the area…’ Facebook appealed this referral to the CJEU but the Supreme Court did not find reason to block it. The Court held it could not entertain an appeal over the fact of a referral itself. There had to be inconsistencies with the ‘facts’ found by the High Court . The Court held (through Clarke J.) it could only overturn those if it could be established they were not sustainable in accordance with the relevant Irish jurisprudence. Having reached the CJEU ,the decision known as Schrems I, was finally made in Oct. 2015. In that ruling, the CJEU quashed the Commission’s Decision, meaning that the US Safe Harbours could no longer be relied on as providing a legal basis for transfers of personal data to the US. It was in fact to enable a decision to be made that the DPC referred the case to the High Court in the first place. The idea was to get a decision for once and for all from the CJEU. This course of action has been assessed as rational, prudent and proper by EU Justice Commissioner Didier Reynders. Indeed, the action was widely praised although some ( including some MEPs) did not agree but Commissioner Reynders was categorical in stating, “the DPC faces “complex” matters, including in an issue over the targeting of ads by social media companies.
Support for DPC
The Irish regulator has supported the idea of allowing social media companies to target users with adverts without their consent, on the basis of rules governing the performance of a contract. Many other European national data regulators oppose this stance and some have criticised the DPC’s position. However, Mr Reynders reminded the MEPs that the issue of advert targeting as it pertains to Facebook has already been referred to the EU’s court of justice in the context of contract law, essentially backing the Irish regulator’s decision to weigh the issue carefully. Remember this; at the very start Hogan J in the High Court had stated that the DPC had “demonstrated scrupulous steadfastness to the letter of the 1995 Directive and the 2000 Decision”. Commissioner Reynders also backed the DPC by dismissing criticism that it is running late in its handling of 98 per cent of cross-border privacy cases: “The figure about the proportion of cases dealt by the Irish DPC mentioned in your letter appears to be a misinterpretation of the statistic.”
Any criticism of the bona fides of the DPC regarding the original Schrems case was, and is ,unjustified and cannot be legitimately upheld. Meanwhile, Facebook Inc. switched to “standard contractual clauses” to transfer EU data to the U.S., to which Schrems responded by updating his complaint with the DPC to include this new transfer mechanism which launched Schrems No:2. Although apparently not known by Mr Schrems at the time, FBI had identified three legal bases for ongoing transfers to the US. These were standard contractual clauses (SCCs), transfers with the consent of the data subject and transfers under the contractual necessity derogation in the then Directive. In fact, it was the DPC that had invited Schrems to reformulate his complaint in light of the judgment in Schrems 1 and in light of the fact that Safe Harbours had been found to be invalid. On Dec.1 2015 Schrems submitted a reformulated complaint using the validity of the standard contractual clauses as the prong of attack.
End in sight
In May 2016, the DPC issued a draft decision stating that the DPC had formed the view on a “preliminary basis” that Max Schrems’s contention that the SCCs could not be relied on was well founded. However, in the DPC’s view, questions as to the validity of the SCCs could only be determined by the CJEU, not by the DPC, or by national courts. The DPC therefore immediately commenced further proceedings in the Irish High Court seeking a reference to the CJEU. Following an unsuccessful appeal by Facebook Ireland Ltd. (FBI) against the High Court’s decision to refer a range of questions to the CJEU, these proceedings ultimately led to the CJEU’s Schrems II ruling in July 2020. It is worth noting that in the meantime the European Commission had adopted a Decision that the Privacy Shield, as a replacement for the Safe Harbor, now ensured an adequate level of protection for personal data transferred from the EU to the US. Furthermore the GDPR had replaced the former Data Protection Directive, coming into force in May 2018.
The Schrems II ruling established that, although the SCCs remained valid, a data exporter in the EU making use of them is nevertheless required to verify, on a case by case basis, and taking into account their terms, whether the law and practice in the destination country ensures essentially equivalent protection for any transferred data . At particular issue was the ability of public authorities in the destination country to conduct surveillance on the transferred data. The CJEU had specially concluded that EU citizens had no effective way to challenge American government surveillance of their personal data after it had been sent to the U.S. Such surveillance was legal under U.S. law. If the data exporter is not, as far as is necessary, able to put in place sufficient supplementary measures to guarantee essentially equivalent protection, the data exporter, or, failing that, the relevant data protection authority, is required to suspend or end the transfers. In the ruling, the CJEU also went on to quash the Commission’s Decision on the Privacy Shield.
In August 2020 , the month following the CJEU’s ruling in Schrems 11, the DPC wrote to FBI enclosing the PDD that was subsequently the subject of the FBI’s judicial review application. This gave FBI 21 days to respond and stated that the DPC was now undertaking an “own-volition” inquiry into FBI’s data transfers after which it would return to Max Schrems’ original, reformulated complaint. At that stage the situation was that if the Preliminary Draft Decision of the DPC was translated into a final decision , then Facebook would be required to suspend its data transfers to the US. However Max Schrems appears to have taken exception to his apparent exclusion from proceedings and submitted his own application to the Irish High Court for judicial review of the DPC’s approach. Settlement was subsequently reached between the DPC and Max Schrems on this judicial review application in which the DPC agreed, upon the Court’s lifting of the stay of its investigation, to progress the handling of Max Schrems complaint and its “own-volition” inquiry as expeditiously as possible. FBI took exception to the issuing of the PDD on several grounds relating to unfairness including procedural unfairness and instigated judicial review proceedings against the DPC with a consequential stay on the DPC’s “own-volition” inquiry. The case was heard by the Irish High Court in December.
What we now know
We now know that on 14 May 2021 the Irish High Court handed down its judgment in the judicial review case brought by Facebook Ireland Ltd (FBI)against the DPC, finding substantially in favour of the DPC. Although not entirely uncritical of the DPC, the judgment accepts the validity of the approach adopted by the DPC in its investigation of FBI’s data transfers. The Court did agree with FBI that the issuing of the PDD and the surrounding procedures were open to judicial review and therefore went on to consider, in some depth, each of the grounds of challenge advanced by FBI. In the course of proceedings, FBI dropped two of these grounds. The remaining grounds were all rejected by the Court, the overall conclusion being that FBI had not established any basis for calling into question the validity of the DPC’s processes. It is reported that on 20 May and with consent of the parties, the Irish High Court formally lifted the stay on the DPC’s “own-volition” inquiry. FBI still had the opportunity at that time to respond to this PDD but, unless it could satisfy the DPC as to the safeguards in place for its international transfers to the US, it seems likely that, following the application of the GDPR’s cooperation and consistency mechanism, FBI would be ordered to suspend these transfers.
The High Court judgment when it came was lengthy and detailed, running to nearly 200 pages. For the most part, it addressed procedural points which, given that that the findings went against FBI, are unlikely to be particularly instructive for other businesses. The picture is also made more complex by the involvement of Max Schrems himself as a participant in the hearing and by his own application for judicial review against the DPC. This application was settled between the date of the High Court hearing and the date of the delivery of its judgment and is referred to in the judgment. There is thus little to be gained from an in depth analysis of all aspects of the judgment. It might nevertheless be of value to recap just where we are now, and how we have arrived there, in the long running saga of Max Schrems and his challenges to FBI’s international data transfers. Some high level insights can also be drawn about the conduct of major investigations by data protection authorities which might be instructive. Finally, there remains an open question as to where this now leaves other businesses that are continuing to transfer personal data to the US on the basis of the European Commission’s Standard Contractual Clauses (SCCs).
It was clear from the judgment that the DPC’s preliminary view, as set out in its PDD, was that;
- US law did not provide a level of protection that is essentially equivalent to that provided by EU law;
- SCCs cannot compensate for the inadequate protection provided by US law;
- FBI did not appear to have in place any supplemental measures which would compensate for the inadequate protection provided by US law.
More support for DPC
The High Court judgment was undoubtedly welcome news for the embattled Irish Data Protection Commissioner, Helen Dixon. She had, and continues to, come under fire from many sides, including the European Parliament’s LIBE Committee, for what is perceived to be a reluctance to take sufficiently strong enforcement action against major tech companies that have their European headquarters in Ireland and for her office’s long processing times. The LIBE Committee even expressed disappointment with her decision to initiate the Schrems II case rather than triggering enforcement action against FBI. Furthermore, the Committee has called on the European Commission to launch infringement proceedings against Ireland for a failure to enforce the GDPR effectively. Against this background, the judicial review case makes clear that DPC was right to have proceeded cautiously.
When faced with enforcement action that seeks to significantly restrict their business models or when faced with multi-million euro fines businesses will understandably look for legitimate avenues to challenge the actions of data protection authorities, whether through more conventional appeals against sanctions or by means of judicial review. Any data protection authority needs to have a defensible position that it can put before the courts when challenged. The DPC has survived an examination by the Irish High Court and there can be no denying that it was a comprehensive and searching examination.
Had the DPC been found to have jumped to conclusions without a thorough investigation, not to have been offering FBI a proper opportunity to state its case, otherwise followed procedures that were unfair to any of the parties involved or had not been sufficiently transparent about those procedures, it would almost certainly have come a cropper. Ensuring the necessary procedural fairness requires time and effort by a data protection authority whatever the political pressures on it might be. At the time there was a concerted and shallow choreography of criticism directed at the DPC.
The High Court did recognise that there has to be some flexibility. A data protection authority can legitimately be expected to continue a well-established practice of following a particular procedure but, provided that it stays within the law, it does not have to do so rigidly. It can adapt its approach to the circumstances of particular cases. It is just that any procedural variation by the data protection authority has to be based on objective reasons and must not create unfairness or be unjust to the party under investigation. Nothing was written in stone. An earlier annual report, detailing inquiry procedures that Facebook sought to rely on, did state ( at p.28) things were “subject to changes”. ( See DPC Annual Report 2018)
Rebuke for DPC
The DPC did not entirely escape criticism though. The High Court judge, whist finding in favour of the DPC in relation to an allegation of premature judgment, suggested that it might have been wiser for the Commissioner, Helen Dixon, to have been more circumspect in remarks she made in a conference address to the effect that the Schrems II ruling by the CJEU had given her no room for manoeuvre in relation to EU-US data transfers. Again, whilst finding in favour of the DPC in relation to an allegation of a failure to respect the duty of candour, the judge expressed some misgivings about the DPC’s failure to respond more fully to requests for information from FBI and suggested that it had acted in an overly defensive manner. The Judge was actually at his most critical in relation to an allegation by the DPC that FBI’s issuing of its proceedings amounted to an abuse of process and had been done for an improper purpose, that of buying time. Here the Judge said that this was a serious allegation, that there was no basis for it and that it ought never to have been made.
Data protection commissioners have a difficult path to steer. On the one hand they operate in an increasingly political environment and are expected to be champions of privacy and of data subject rights. On the other hand, when considering sanctions, they carry out quasi-judicial functions and have to act, and be seen to act fairly and without bias. The High Court judgment confirms that Helen Dixon has managed to keep to the straight and narrow so far in the case in question but the same might not have been true had she conceded more ground to her critics. What is clear though is the extent to which commissioners, when acting in their quasi-judicial capacity, can now be held accountable to the courts, and the extent to which affected businesses may be willing to exercise their rights to give effect to this accountability. As the UK Commissioner, Elizabeth Denham was also reminded of when seeking to defend the ICO’s imposition of a fine on Facebook in the wake of the Cambridge Analytica scandal, commissioners need to be very careful not to risk giving any appearance of rushing to premature judgment, to stick to their published procedures unless there are objective and fair reasons for departing from these and not to otherwise risk bringing unfairness or injustice into their deliberations whatever the wider pressures on them might be.
Back to the SCCs
It was the question of supplemental measures that attracted most interest from other businesses. Here it needs to be borne in mind that Facebook Inc in the US qualifies as an electronic communications service provider and can therefore be ordered to make transferred data about specified non-US persons in its stored communications directly available to US public authorities. It is not just liable to have its communications to and from the EU intercepted in transit by such authorities. Although, in an effort to be helpful, the EDPB had produced recommendations on supplemental measures that could be adopted to enhance the SCCs, there remained a question in relation to EU-US transfers as to how to sufficiently compensate for the inadequate protection provided by US law in practice.
We now know that the DPC went on to prepare a full draft decision and submitted it via the co-operation and consistency mechanism. The DPC had simultaneously been working on an inquiry into Facebook Ireland( now Meta Platforms) concerning a series of data breaches between 7 June 2018 and 4 December 2018. The inquiry examined the extent to which Meta Platforms complied with the requirements of GDPR Articles 5(1)(f), 5(2), 24(1) and 32(1) in relation to the processing of personal data relevant to the twelve breach notifications.
As a result of its inquiry, the DPC found that Meta Platforms infringed Articles 5(2) and 24(1) GDPR. The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.
Final destination in sight?
Given that the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the co-decision-making process outlined in Article 60 GDPR and all of the other European supervisory authorities were engaged as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC and the supervisory authorities concerned. Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU. On 15 March 2022 the DPC imposed a fine of €17 million on FBI( Meta Platforms). To any fair minded neutral observer, any criticism of the DPC on the basis of inactivity is certainly unsustainable.
Remember, in the content of the FBI/Schrems saga the DPC had to prepare its draft decision and submit this to the cooperation and consistency mechanism, which ultimately involved the need for an EDPB opinion. This process seldom results in a quick outcome, despite the time limits in the GDPR.Because of a sort of stalemate on the issue going back to February this year, there were movements by some national supervisory authorities to take a stand on the case. Some adopted a literal interpretation of the ruling.
The French privacy regulator CNIL ruled that an unnamed website could not use Google Analytics because doing so involves the transfer of personal information from Europe to the U.S. in violation of the 2020 Schrems II decision. The French decision came hot on the heels of a decision by Austria’s data protection authority to also ban a website from using the popular Google web analytics tool for the same reason, and presages a raft of decisions by other European data protection authorities on the use of these tools. The Dutch privacy agency warned last December that using Google Analytics may soon be illegal. Elsewhere, the Norwegian data watchdog has advised companies to start looking for alternatives to Google’s tools.
Data protection authorities, including the CNIL, are also expected to rule soon on the use of Facebook’s analytics tool, known as Facebook Connect. These decisions mark a significant clamp-down on data transfers, which form the lifeblood of the digital economy and represent billions of euros’ worth of transatlantic trade. GDPR and data protection advisory services, such as GDPRXPERT.ie, have had large volume of enquiries from businesses regarding the future of transfers to the US. Much from the preceding paragraphs has been reported through https://www.politico.eu/article/us-eu-data-transfers-on-life-support-after-french-google-decision/
Once the landmark decision began to bite, regulators across the bloc were left with few alternatives or choices in adhering to the new rules. That began to prompt companies like Google, Microsoft and TikTok to consider the once unthinkable: storing ever more data in Europe. The potential negative effects of such moves may also have spurred the DPC to continue efforts to resolve the issue. After the 2021 High Court ruling against Facebook the DPC was able to continue efforts to bring a conclusion to the protracted affair. This meant publishing a full draft decision and taking it all through the cooperation and consistency mechanism under Art. 60 GDPR in order to set out a final decision. This is exactly what the DPC did. Throughout all of this, proper procedures were followed.
Finally, the stage was reached where it was imperative the Commission reached a decision on transfers. Some measure of substantive adjustment to existing Standard Contractual Clauses, or an entirely new mechanism, was needed to ensure uninterrupted data flows to the US. On 22nd March 2022 the European Commission and the Biden administration reached an agreement in principle, the Trans-Atlantic Data Privacy Framework Agreement. While the agreement is still “in principle” and specific details have yet to be determined, if approved, this agreement will reimplement an important legal mechanism necessary to facilitate data transfers between the European Union and the United States. Some have urged caution, “From a purely technical perspective, there’s no path forward for data transfers. That’s why we need [a] durable EU-U.S. data pact that can stand the test in court,” said Rob van Eijk, Europe managing director for the Future of Privacy Forum think tank.
More still to come
Very soon we will return to the issue to report on the evolving position on transfers to the US.
We also note the DPC has attempted to clear the air on the criticisms directed at it and has issued a report on cross border complaints where it sets out the actual statistics, instead of some alternative ones, that to an objective observer were clearly distorted, biased and misleading. See https://www.dataprotection.ie/en/news-media/press-releases/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss The actual report is here.
Here at GDPRXPERT.ie we are GDPR and data protection law experts offering businesses our vast expertise in addressing compliance issues.
GDPRXPERT.ie are located in Carlow/Kilkenny and Mayo, offering a nationwide service.
Call 0858754526 or 0599134259 to discuss your particular need.
Patrick Rowland, GDPRXPERT.ie