European Commission Defends Irish Data Protection Commissioner
In a letter addressed to certain members of the European Parliament (“MEPs”), European Commissioner for Justice Reynders refuted some of the criticism that has been raised against the Irish Data Protection Commissioner (“DPC”).
On December 6, 2021, the concerned MEPs sent a letter to Commissioner Reynders to raise concerns about how the DPC enforces the EU General Data Protection (“GDPR”) and applies the GDPR’s cooperation mechanism. The MEPs asked Commissioner Reynders to initiate infringement proceedings against the DPC.
As the lead data protection authority (“DPA”) for various Big Tech companies that have their EU headquarters in Ireland, the DPC has been subject to criticism from various angles over the past years.
Commissioner Reynders’ Response
In his response, Commissioner Reynders defended the DPC against the criticism and stated, among other things, that:
It is too early to come to definitive conclusions as to the efficiency and functioning of the GDPR cooperation mechanism.
The European Commission is taking appropriate actions to monitor the application of the GDPR in EU Member States. As an example, Commissioner Reynders mentioned the ongoing infringement proceedings against the Belgian DPA in connection with its alleged lack of independence.
There is no evidence that the Irish data protection rules have not been respected by the DPC and that the cooperation mechanism has not been applied correctly. Commissioner Reynders referred to the €225 million fine issued against WhatsApp as an example of the DPC’s action to enforce the GDPR. He further reminds the MEPs that not all investigations carried out by DPAs lead to a decision (e.g., the complaint may be withdrawn by the data subject or closed by the DPA). According to the Commissioner, this may explain the low statistics, which the MEPs used in their letter to demonstrate the DPC’s inaction.
Despite being requested to do so by the MEPs, the European Commission is not competent to comment on or launch infringement proceedings against a DPA for the views it expressed on a specific topic (i.e., the question of which data can be processed on the basis of contract in an online context in this case) in the context of discussions at the European Data Protection Board.