Background

1. In 2021, the complainant, the Irish Council for Civil Liberties, wrote to the European Commission about the enforcement of the EU’s General Data Protection Regulation (GDPR)[1] in Ireland.

2. Ireland has a special role in the implementation of the GDPR because it hosts most of the ‘big tech’ companies in the European Union[2]. If a data protection authority of another Member State receives a complaint that essentially concerns the work of a ‘big tech’ company in Ireland, the matter is normally passed on to the Irish Data Protection Commission. It is then up to the Irish Data Protection Commission to determine how the matter is dealt with.

3. The complainant referred to the widely held concern that the Irish Data Protection Commission was not taking adequate steps to enforce the GDPR[3]. The complainant questioned whether the European Commission had collected enough information to be able to monitor this issue.

4. The Commission replied, in summary, that it had no evidence that would confirm this concern, and that it is taking adequate steps to monitor the application of the GDPR in Ireland.

5. The complainant disagreed and turned to the European Ombudsman in January 2022.

The inquiry

6. In her letter to the European Commission opening this inquiry, the Ombudsman set out the scope of her inquiry:

7. The inquiry is about whether the European Commission has taken adequate steps to collect sufficient factual elements that would allow it to monitor properly the implementation of the GDPR in Ireland. It is not about whether the European Commission is generally doing enough to ensure that the GDRP is applied. The European Commission enjoys wide discretion in deciding whether and when to commence an infringement procedure. The Ombudsman may ask the European Commission to re-examine issues of substance in infringement cases only if there is an indication that it was manifestly wrong in its presentation of the facts or of law.

8. The Ombudsman emphasised that this inquiry was necessary because questions are bound to arise in the minds of citizens if different factual accounts circulate regarding the implementation of the GDPR. She pointed out that public bodies, along with civil society organisations, had raised concerns that the application of the GDPR in Ireland was inadequate.

9. The Ombudsman therefore asked the European Commission to provide a detailed and comprehensive account of the information that it had collected to inform itself as to whether the GDPR is applied in all respects in Ireland. She asked the Commission to explain how and from what sources it gathers the information.

10. The Ombudsman inquiry team held two meeting with representatives of the European Commission. The Ombudsman also received two formal replies[4]. The complainant gave its comments on the meeting reports and the European Commission’s replies.

11. The key issue is whether the European Commission’s information gathering is sufficient in relation to the issue referred to above, namely whether citizens can genuinely trust that Ireland, through its Data Protection Commission, takes adequate measures to examine and follow up on data protection cases that other Member States’ data protection authorities refer to it in relation to the ‘big tech’ companies located there (hereinafter ‘cross border cases’).

12. In addition to those observations in the letter opening this inquiry, the Ombudsman notes the following: this inquiry does not concern whether the European Commission could or should instruct individual supervisory authorities regarding their handling of specific investigations. National supervisory authorities act independently when implementing the GDPR and the European Commission’s work in relation to potential infringements is at any rate conducted towards the Member States, not towards individual public bodies. This inquiry is, rather, focused on information gathering. The GDPR puts very considerable emphasis on the provision of information, be it through publication or through compulsory disclosure of information in response to requests. In the exercise of its Treaty-based monitoring powers, the European Commission can make the necessary information requests to individual supervisory authorities.

Whether the European Commission collects sufficient information

Arguments presented to the Ombudsman

13. The main argument in the complaint can be summed up as follows: In relation to cross border cases, the European Commission can monitor Ireland’s application of the GDPR only if it knows how many such cases are transferred to Ireland; how long their processing time is (as per the key steps in the process); what concrete measures are taken (or not) to provide redress for the individual citizen and (where relevant) to correct unlawful practices of the ‘big tech’ companies in question[5]. The complainant could not find this information in the annual reports of the Irish Data Protection Commission, nor in the European Commission’s first report (communication) on the application of the GDPR[6].

14. In 2020, the complainant published its own report on the issue[7], relying on, among other elements, data in an EU database[8]. It concluded that Ireland did not handle cross border cases properly. In subsequent correspondence with the European Commission, the latter informed the complainant that its report contained inaccurate data, and that the EU database that it had relied on does not serve the purpose of informing the public about the implementation of the GDPR.

15. In the course of this inquiry, the Irish Data Protection Commission published a report focusing on the handling of cross border cases[9]. The complainant informed the European Commission that, notwithstanding this report, it is still not possible to know the answer to the issues set out in paragraph 13 above.

16. In its replies to the Ombudsman, the European Commission described its sources of information in this area. It referred, in particular, to the European Data Protection Board[10] as the main source of information on the implementation of the GDPR. The European Commission took the view that the information gathered by the European Data Protection Board was substantively satisfactory, although it could be presented better. With regard to information that the European Commission itself holds, the Commission drew attention to its first report (communication) on the application of the GPDR, and stated that, when preparing that report, it had collected information from the national data protection authorities, including the Irish Data Protection Commission. It also consulted the annual reports of that Commission.

17. The European Commission also informed the Ombudsman that the Irish Data Protection Commission sends it a bi-monthly overview of ‘big tech’ cases that it is investigating. This bi-monthly overview (the content of which is confidential) provides the European Commission with more extensive and useful information than statistics alone can provide[11]. The European Commission thus considers that it is taking adequate measures to inform itself whether Ireland adequately examines and acts on cross border cases under the GDPR.

18. In its most recent submissions to the Ombudsman, the complainant maintained, in summary, that it was still unclear whether the European Commission, in fact, holds information corresponding to what is set out above (paragraph 13). It also referred to a legislative development that had taken place in the meantime, providing links to two recent access to documents requests that it had made in relation to the subject matter of this inquiry.

19. The legislative development that the complainant referred to was the EU’s adoption of the Digital Services Act[12], which provides for enhanced protection of internet users and grants a much bigger role to the European Commission to control ‘big tech’ companies. The complainant drew attention to a newspaper article in which one of the European Commission’s Executive Vice-Presidents had held that the enhanced role for the European Commission came about in light of a lack of trust regarding Ireland’s enforcement role towards ‘big tech’ companies[13].

20. The access to documents requests were addressed to the European Data Protection Board and the European Commission. The request to the European Data Protection Board[14] was, in summary, about obtaining information that the Board holds on cross border cases. The complainant appears to conclude from his exchanges with the Board that the Board does not hold the kind of basic information that the complainant considers should be available for the European Commission to monitor properly the application of the GDPR in relation to cross border cases. The complainant appeared to see this as evidence that the European Commission had wrongly concluded that the Board’s data on the implementation of the GDPR (to which the Commission has access) is adequate.

21. The complainant’s request to the European Commission was very broad[15], and included all relevant communications between the Commission and Irish authorities. The complainant appeared to conclude from some of the documents that the Commission had adopted an attitude of forbearance to the work of individual data protection authorities in the Member States[16].

The Ombudsman's assessment

22. To monitor EU law, the European Commission gathers information on a broad range of issues. It does so within its wide discretion to organise its work to ensure the application of EU law. Although EU legislation sometimes provides for reporting obligations, it rarely prescribes in detail precisely what specific information the European Commission shall collect.

23. In light of the European Commission’s wide discretion in this field, the European Ombudsman does not tend to examine routinely and in detail what information the European Commission collects to monitor the application of EU law. The Ombudsman will normally do so only when the facts suggest that there are significant information gaps that have not been adequately explained, and/or if particular circumstances so require.

24. When launching this inquiry, the Ombudsman concluded that there were particular circumstances. There was a widespread assumption that Ireland was not adequately protecting citizens’ rights under the GDPR. The EU has celebrated the GDPR as a milestone in its protection of citizens’ fundamental rights in the digital age. EU citizens are entitled to expect that the European Commission collects sufficient information to monitor the application of that legislation.

25. The information referred to in paragraph 13 is the kind of information that one would expect the European Commission to hold, that is basic information for the purpose of examining Ireland’s handling of cross border cases. The information should be factual and allow for independent verification by the European Commission. Moreover, the European Commission would have to show a high degree of control over how the information is defined and presented. The European Commission could, for instance, draw up a table setting out the categories of factual and verifiable information that would have to be provided by the Irish Data Protection Commission on a regular basis.

26. In the course of this inquiry, the European Commission explained that it regularly receives an update from the Irish Data Protection Commission on the latter’s handling of ‘big tech’ cases, including cross border cases. The European Commission pointed out in its second reply that this bi-monthly overview provides it with more extensive and useful information than statistics alone would[17].

27. The Ombudsman cannot describe in detail the content or nature of this regular overview because copies of it were given to her office on a confidential basis. The European Commission’s practice of obtaining such an overview is, however, an encouraging example of a specific targeted monitoring measure that - in the circumstances of this case - is appropriate and in line with good administration. In the absence of this measure, the Ombudsman would have had serious doubts as to the adequacy of the information that the European Commission relies on[18].

28. Some relevant improvements can, however, be made to the regular overview. The Ombudsman will therefore make related suggestions for improvements to the European Commission when closing this inquiry.

29. The Ombudsman will also encourage the European Commission to make public the specific nature of the regular overview that it receives from the Irish Data Protection Commission (or from other national authorities in a similar scenario). The Ombudsman makes a related suggestion for improvement.

Conclusion

Based on the inquiry, the Ombudsman closes this case with the following conclusion:

The European Commission’s practice of obtaining a bi-monthly overview from the Irish Data Protection Commission on the latter’s handling of ‘big tech’ cases, including cross border cases, is appropriate and in line with good administration. In the absence of this measure, the Ombudsman would have had serious doubts as to the adequacy of the information that the European Commission relies on.

The complainant and the European Commission will be informed of this decision.

Suggestions for improvement

The regular case overview from the Irish Data Protection Commission

The Ombudsman makes the following detailed suggestions for the bi-monthly overview that the European Commission receives on a confidential basis from the Irish Data Protection Commission on the latter’s handling of ‘big tech’ cases, including cross border cases.

The European Commission could draw up a table with a series of pre-determined fields that should be filled in by the Irish Data Protection Commission, with information on cross border cases, containing, for each such case: the case number, the data controller involved, the other data protection authorities concerned, the dates of the key steps undertaken (as per the GDPR) and their dates, and the concrete measures taken. Whenever individual cases have given rise to own initiative investigations, this too should be noted for the individual cases, together with a reference to the own initiative investigation so as to allow the European Commission to monitor how the individual cases were processed.

The European Commission’s second report on the application of the GDPR

The Ombudsman suggests that the European Commission in its second report (2024) on the application of the GDPR provides an account of its practice of receiving the above-mentioned regular case overview from the Irish Data Protection Commission, and in it give as much non-confidential information as possible. This could for instance include an outline of the specific kinds of data that the European Commission receives through that regular overview.

 

Emily O’Reilly
European Ombudsman

Strasbourg, 19/12/2022

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679

[2] As mentioned in the European Commission’s 2020 report (communication) on the implementation of the GDPR (cited here on the issue of resources of national supervisory authorities, “Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest.” - p. 6, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264&from=EN), and cf. also the Commission’s related ‘staff working document’, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0264&from=EN

[3] See for instance media reports in Politico, such as ‘How one country blocks the world on data privacy’ (24 April 2019:  https://www.politico.com/story/2019/04/24/ireland-data-privacy-1270123), or in the Financial Times, ‘Fight breaks out between Ireland and Germany over Big Tech regulation’ (17 March 2021: https://www.ft.com/content/37705bcf-c5b6-4ef0-adb8-35a8680dbaec). The Irish Data Protection Commission itself has published information on the issue in 2022 (“The DPC’s handling of cross-border complaints continues to be the subject of public commentary, regrettably based on information that is incomplete and lacking context.”, https://www.dataprotection.ie/sites/default/files/uploads/2022-10/04.10.22%20Cross%20border%20complaint%20stats%202018%20to%20Sept%202022.pdf). See also concerns expressed in the European Parliament’s resolution of 25 March 2021 on the Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application (2020/2717(RSP)), point 20. (https://www.europarl.europa.eu/doceo/document/TA-9-2021-0111_EN.html)

[4] See the Ombudsman’s webpage for this case (‘Other documents’, https://www.ombudsman.europa.eu/en/case/en/60860 )

[5] The complainant made more technical suggestions as to what the European Commission should hold. They are presented here in summary form.

[6] See footnote 2 above.

[7] ‘Europe’s enforcement paralysis - ICCL’s 2021 report on the enforcement capacity of data protection authorities’  (“Three and a half years after the introduction of the GDPR, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on major cross-border cases.”): https://www.iccl.ie/digital-data/2021-gdpr-report/

[8] Information on this: https://ec.europa.eu/internal_market/imi-net/news/2018/07/index_en.htm

[9] ‘One-Stop-Shop Cross Border Complaint Statistics - 25 May 2018 - 19 September 2022’: https://www.dataprotection.ie/sites/default/files/uploads/2022-10/04.10.22%20Cross%20border%20complaint%20stats%202018%20to%20Sept%202022.pdf

[10] https://edpb.europa.eu/edpb_en

[11] “The Commission has requested information from the DPC and receives, on a confidential basis and roughly every two months, an overview of the large scale statutory inquiries. The Commission considers that this is a detailed overview of the state-of-play of the on-going individual investigations, allowing to understand their content and to measure the procedural steps at national level, their progress and timetable for the submission to the procedures under Article 60 and, possibly, Article 65 of the GDPR. It is important to note that, through the abovementioned overview document, the Commission has in fact at its disposal more information about the Irish DPC actions against big multinational tech companies than it would have through statistics.“ (The Commission’s second reply in this inquiry, Part II, p. 2).

[12] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2022.277.01.0001.01.ENG

‘Digital Services Act: Commission welcomes political agreement on rules ensuring a safe and accountable online environment’: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2545

[13] ‘Vestager: There was a ‘distrust of Ireland as an enforcer’ on Big Tech - The European Commission executive vice-president tells Peter O’Dwyer that new regime for Digital Services Act will assure that rules will be properly implemented’, Business Post, Tech, 1 October 2022: https://www.businesspost.ie/news/vestager-there-was-a-distrust-of-ireland-as-an-enforcer-on-big-tech/#:~:text=The%20European%20Commission%20stepped%20in,executive%20vice%2Dpresident%20has%20said

[14] https://www.asktheeu.org/en/request/lsa_csa_feedback_report_document#incoming-39411

[15] https://www.asktheeu.org/en/request/irish_data_protection_commission#incoming-40159

[16] The complainant quoted a briefing note for the responsible Commissioner’s meeting with the Irish Minister for Justice, December 2021: “In the context of the adoption of the EP resolution, you participated in the EP plenary session: you defended the conclusions reached in the COM report. Among others, you asserted that we welcome the EDPB’s effort to improve its procedures for the one-stop-shop and that the Commission will continue to support it and will follow carefully the progress made.  You underlined at the same time that you do not believe that pointing the finger at individual data protection authorities or exposing disagreement between authorities is conducive to finding a constructive solution. The cooperation mechanism is based on consensus-finding and not a competition between data protection authorities. All authorities are independent and all authorities enjoy a margin of discretion in the assessment of cases before them. For the  new GDPR governance system to work efficiently, it is essential to develop trust and a European spirit of cooperation, to embrace the differences to the extent necessary and to work towards mutually acceptable solutions. The EDPB was designed to be more than just a sum of the DPAs.”

(15) 2021.12.10 briefing for meeting Csser Reynders and IE Minster McEntee.pdf, p. 12:

https://www.asktheeu.org/en/request/11728/response/39971/attach/5/documents.zip?cookie_passthrough=1).

[17] “The Commission has requested information from the DPC and receives, on a confidential basis and roughly every two months, an overview of the large scale statutory inquiries. The Commission considers that this is a detailed overview of the state-of-play of the on-going individual investigations, allowing to understand their content and to measure the procedural steps at national level, their progress and timetable for the submission to the procedures under Article 60 and, possibly, Article 65 of the GDPR. It is important to note that, through the abovementioned overview document, the Commission has in fact at its disposal more information about the Irish DPC actions against big multinational tech companies than it would have through statistics.“ (The Commission’s second reply in this inquiry, Part II, p. 2).

[18] In addition to the references to the annual reports of the Irish Data Protection Commission and the information collected for the Commission’s first report on the application of the GDPR, cf. Annex in the Ombudsman’s letter of further inquiry of 19 July 2022

https://www.ombudsman.europa.eu/en/doc/correspondence/en/158576