US tech giants pinning their hopes on an easy ride from the Irish Data Protection Commission over GDPR complaints look to have had their hopes shattered after a bust-up with other European Union data protection chiefs, many of whom want harsher penalties.
The row has been sparked by the Irish DPC’s draft decision over a Twitter breach, dating back to November 2018. As the case involved cross-border processing, the Irish regulator was required to cooperate with other data protection authorities (DPAs) on the case and submitted its proposal to them in May.
However, it has been reported that an unspecified number of other authorities have raised objections over the level of the punishment, forcing the European Data Protection Board – which is made up of all the DPAs in the EU – to intervene.
The Irish DPC has long faced criticism that it is a “soft touch” amid accusations that it does not have the resources to bring the companies it regulates to book. With so many tech businesses setting up their Euro HQs in Ireland – including Apple, Amazon, Google, Facebook, eBay, PayPal, LinkedIn, Twitter, Salesforce.com, Intel and Oracle to take advantage of tax breaks – it certainly has its work cut out.
Among the fiercest critics are the Germans, who recently claimed that the regulator “clearly needs better financing and more staff”.
However, Irish Data Protection Commissioner Helen Dixon has consistently refuted these claims, insisting her office must be scrupulous in ensuring decisions are protected from legal challenges, especially large fines.
Now it is up to the EDPB to decide whether the Twitter penalty is tough enough. Depending on the complexity of the case, the board has up to two months to reach a two-thirds majority decision, or, failing that, within a further two weeks, to reach a majority decision, which is binding on all member states.
However, Mishcon de Reya data protection advisor Jon Baines reckons there could be further trouble ahead, even after the EDPB ruling.
In a blogpost, Baines writes: “In the context of the Irish DPC, and its jurisdiction over the European processing of many of the world’s largest technology companies, this could have an interesting outcome.
“There are many supervisory authorities on the EDPB who take a substantially harder line than the Irish – if they end up being part of a simple majority which results in a ‘robust’ binding decision adverse to the technology companies, then further challenges may almost certainly result.”
He goes on to explain that there is no direct route of appeal under GDPR, with the only way for companies to challenge a decision being to seek an annulment under Article 263 of the Treaty of the Functioning of the European Union. They could also potentially challenge the decision through domestic courts, perhaps even leading to a referral to the European Court of Justice (ECJ).
Baines concludes: “It has taken seven years, and counting, for complaints raised with the Irish DPC, about transfers of data by Facebook to the US, to wend their way through the ECJ process. There may be years of similar challenges to come.”
WhatsApp and Twitter facing first major GDPR rulings
Top EU data cop cutback threat triggers EU complaint
Oops we did it again: Twitter admits fresh data gaffe
Twitter admits GDPR breach after exploiting user data
Verizon faces GDPR probe as WhatsApp decision looms
$5bn Facebook fine blasted as ‘just a slap on the wrist’
Irish data chief hits back over GDPR ‘soft touch’ claims
2019 Review of the Year: Why it’s crunch time for GDPR