Out-Law / Your Daily Need-To-Know

Core role of Irish regulator in EU data protection cases highlighted

Out-Law News | 17 Mar 2022 | 11:05 am | 2 min. read

Ireland’s data protection authority has taken the lead in assessing nearly 1,000 data protection complaints from across Europe since the EU General Data Protection Regulation (GDPR) took effect in May 2018, according to a new report it has issued.

The majority of the 969 cross-border cases the Data Protection Commission (DPC) has handled – 588 – have stemmed from complaints raised in other EU member states, it said. Almost a third originated from Germany.

Dublin-based Ann Henry of Pinsent Masons, who specialises in data-related dispute resolution, said this highlights the important role the DPC has in regulating data protection compliance across not just Ireland but the EU more generally.

The DPC’s report features statistics relevant to the operation of the so-called ‘one stop shop’ mechanism under the GDPR.

The purpose of the mechanism is to allow businesses to deal with just one data protection authority (DPA) in relation to their EU operations, as opposed to DPAs across all EU member states.

The mechanism provides for one DPA to take a lead in investigating cross-border cases. However, it requires the lead authority to enter into dialogue with the other DPAs in the countries where data subjects have been impacted and makes provision for those other DPAs to input to the inquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority. The European Data Protection Board (EDPB) has the power to issue binding decisions in cases where the lead authority and objecting authorities cannot reach a consensus.

Often, in the case of companies that operate on a cross-border basis within the EU, it will be the location of their EU headquarters that determines which DPA acts as the lead supervisory authority in respect of investigating complaints made about that company’s personal data processing. Ireland has been chosen by many large multinational organisations as a base for EU operations, particularly by companies in the technology sector.

According to the DPC, 634 of the 969 cross-border cases it has led on since May 2018 have been “fully concluded”, including 82 cases where complaints were not pursued. The vast majority of the 634 concluded cases – 544 – were concluded via “amicable resolution”.

“The DPC will carry out an assessment of each valid cross-border complaint to establish if it is suitable for progressing with this, less adversarial, course of action designed to achieve speedier and more resource efficient outcomes for individuals,” the authority said in its report. “Amicable resolution involves contacting the organisation (data controller), asking questions in relation to the subject matter of the complaint, probing the answers provided by the organisation prior to proposing an amicable resolution to the complainant if the DPC is of the view that the responses of the organisation may facilitate an outcome in the interests of the complainant.”

“Amicable resolution is an effective and important tool that the GDPR and the Data Protection Act 2018 provide for and which the DPC uses to reach outcomes in the best interest of complainants,” it said.

While the DPC handled 969 cross-border cases itself, it said it has also received a further 181 complaints since May 2018 that it had passed on to another DPA within the EU. Those other DPAs acted as lead supervisory authority in those cases.

The DPC’s report was published on the same day as it announced that it had concluded a cross-border inquiry into a series of data breaches involving Meta, the company behind Facebook.

The DPC fined Meta €17 million for failing to meet its obligations on data security under the GDPR. It said its decision “represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU” after managing to resolve earlier differences that had arisen in respect of the case with two other DPAs under the one stop shop mechanism. This meant that, unlike in an earlier case involving Twitter that the DPC had led on, the case was not referred to the EDPB for a binding decision.