Commission Introduces a new reporting protocol for GDPR Investigations

The European Commission, in response to an inquiry by the European Ombudsman and pressure from Irish privacy campaigners, has requested that all national data protection regulators file detailed bi-monthly reports on any active large-scale cross-border investigations. The Commission stipulates that the reports will be required to include details including key procedural steps taken, the controller and/or processor who is the subject of investigation, as well as the provisions of GDPR that are at issue.

This development has scope for considerable impact on the Irish regulatory environment. Since companies are regulated in the country where they are headquartered, the Irish Data Protection Commission (DPC) has played a central role in monitoring compliance of big tech with the provisions of GDPR. However, there has been mounting discontent in Europe regarding the enforcement of GDPR, with the DPC attracting particular opprobrium from its peers. 

The introduction of the new reporting procedure follows recent investigations of the DPC into Meta subsidiaries Facebook, WhatsApp, and Instagram. The Irish regulator had initially proposed to fine Meta a maximum of €59 million for breaching transparency rules on data processing. This conclusion was challenged by other European data regulators under dispute resolution procedures overseen by the European Data Protection Board (EDPB), which is comprised of EU and EEA members, and has the power to review decisions by national regulators. Upon review, the EDPB demanded an increased fine and resolved that the DPC had failed to investigate the original complaints with “due diligence”. To overrule the decision of a national regulator, a two-thirds majority within the EDPB is required. In the recent Meta cases, there were four abstentions by EU Member States, while all others supported the position of the EDPB. 

It is evident, therefore, that a disparity exists between the wider European consensus on how to enforce GDPR, and the approach that the DPC has been pursuing to date. The new reporting requirements are plainly designed to increase the accountability of national regulators, and to aid in the harmonisation of GDPR enforcement across Europe. The Irish Council of Civil Liberties (ICCL), whose complaint prompted the inquiry by the Ombudsman, has welcomed the development. Dr Johnny Ryan, a senior fellow at ICCL, commented that “this heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech.” Whether this causes any noticeable shift by the DPC in its conduct of GDPR investigations will be of great interest, with potentially significant implications for data controllers and processors based in Ireland.