A guide to the Data Protection Commission’s role in investigation and enforcement of data protection rights under GDPR and the Data Protection Act (2018).
In this paper, Noeleen Healy BL examines these legal issues in the context of the Max Schrems led cases against Facebook and takes a deep dive into how the Commission’s investigation and enforcement role can be legally undertaken notwithstanding the the judicial remedies open to data subjects, controllers and processors.
Legal Background / Introduction
Max Schrems is an Austrian activist and author who became known for campaigns against Facebook for privacy violation, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA’s PRISM program.
The Irish Data Protection Commission has been subject to ongoing criticism both locally and across the EU, accused of having no real teeth when it comes to enforcement of data protection laws and regulation of the tech giants.
This criticism has been all the sharper because Dublin is home to a number of international tech giants’ European headquarters. The Commission has been accused of working too closely with the tech giants rather than policing them.
Recently, the Commission has been further criticised for its slow procedures. The advocacy group None of Your Business, which was co-founded by Max Schrems, obtained leave to challenge that alleged slow procedure in the High Court in July of this year.
Functions of the National Independent Supervisory Authorities
Article 51 of the GDPR provides that each member state of the EU shall establish an independent supervisory authority. The primary function of the supervisory authority is set out in article 51(1).
“Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).”
Helen Dixon, Data Protection Commissioner
The role of national supervisory authority, assigned to the Commission in Ireland, was broadened under the GDPR.
The Data Protection Commissioner, Helen Dixon, stated as follows in October 2017.
“The coming into effect of the GDPR on 25th May 2018, will place considerable additional functions and responsibilities on the DPC as the national supervisory authority for regulating the proper application of the new law. The operational demands, including deeper cooperation with other EU data protection authorities and the new European Data Protection Board, and the legal complexity of issues dealt with is anticipated to give rise to an unprecedented increase in the workload of the DPC.”[1]
The GDPR allows for the functions of the supervisory authority to be separated in two discrete bodies. Ireland, however, has opted to assign both monitoring and enforcement duties to the Commission’s office.
GDPR One-Stop-Shop
The GDPR introduces what is referred to as a ‘one-stop shop’ mechanism.
Under article 56, a data controller or processor engaged in cross-border activity within the EU will engage with the supervisory authority in the member state where its main establishment is located, and not necessarily where the data breach occurs.
For a company engaged in inter-EU trade, the relevant enforcement body will usually, therefore, be where its EU headquarters is located. Since most tech giants have located their European headquarters in Ireland, the Irish Commission has an onerous role in the enforcement of data protection rights on behalf of European Union citizens.
A supervisory authority in another member state may be responsible for conducting the investigation in, for example, the case of a data breach. That authority will then report back to the lead supervisory authority, where the controller has its headquarters and the lead supervisory authority will be responsible for enforcement.
These provisions require national supervisory authorities to work together on one investigation, meaning close cooperation is key to the functioning of the one-stop shop provision.
The Right to Make a Data Protection Complaint
The right to complain is provided in article 77(1) in the following terms.
“Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”
Recital 177 provides guidance on how a complaint should be dealt with.
“The investigation following a complaint should be carried out, subject to judicial review, to the extent that is appropriate in the specific case. The supervisory authority should inform the data subject of the progress and the outcome of the complaint within a reasonable period.”
The Court of Justice of the European Union (hereafter ‘the CJEU’) explained, in the case of Schrems I, that all complaints to a national supervisory authority should be investigated.
“[W]here a person whose personal data has been or could be transferred to a third country which has been the subject of a Commission decision pursuant to Article 25(6) of Directive 95/46 lodges with a national supervisory authority a claim concerning the protection of his rights and freedoms in regard to the processing of that data and contests, in bringing the claim, as in the main proceedings, the compatibility of that decision with the protection of the privacy and of the fundamental rights and freedoms of individuals, it is incumbent upon the national supervisory authority to examine the claim with all due diligence.”[2]
The Schrems I case was in the context of possible transfers of personal data to third countries, and the GDPR’s predecessor, the Data Protection Directive. It is nevertheless apposite in that it provides that the Commission shall examine all complaints lodged. The lodging of a complaint with a national supervisory authority does not oust a data subject’s right to instigate court proceedings in respect of the alleged data breach.
Investigations of Complaints
The Commission may, of its own volition, or as the result of a complaint lodged, instigate an inquiry. Chapter 5 of part 6 of the 2018 Act sets out the manner in which an investigation is to be dealt with by the Commission.
Once an investigation has been instigated, a controller or processor should be given notice of the investigation and the opportunity to respond.
The authorised officer, the Commission’s investigator, may apply to the Circuit Court for an order compelling compliance with the investigation. In carrying out their duties, an authorised officer may apply, under section 131 of the 2018 Act, to a District Court judge to obtain a search warrant, if information in relation to an investigation is believed to be contained on a premises.
Under section 138, the officer may seek the giving of information on oath and the production of documents. Failure to comply can result in a summary application to the Circuit Court to compel the action sought.
Thereafter, a draft report is prepared by the authorised officer which should then be forwarded to commissioner to determine whether it should be approved and if corrective powers should be used.
Corrective Powers
Article 58(2) provides a list of corrective powers that each supervisory authority shall have in ensuring compliance with the GDPR.
Each supervisory authority shall have all of the following corrective powers:
- to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Regulation;
- to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
- to order the controller or the processor to comply with the data subject’s requests to exercise his or her rights pursuant to this Regulation;
- to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
- to order the controller to communicate a personal data breach to the data subject;
- to impose a temporary or definitive limitation including a ban on processing;
- to order the rectification or erasure of personal data or restriction of processing pursuant to Article 17, 18 and 19 and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Article 17(2) and Article 19;
- to withdraw a certification or to order the certification body to withdraw a certification issued pursuant to Article 42 and 43, or to order the certification body not to issue certification if the requirements for the certification are not or are no longer met;
- to impose an administrative fine pursuant to Article 83 in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;
- to order the suspension of data flows to a recipient in a third country or to an international organisation.
The foregoing is similarly provided for by section 115 of the 2018 Act.
Administrative Fines
Article 83 of the GDPR sets out as follows:
“Each supervisory authority shall ensure that the imposition of administrative fines.”
This enforcement power is mandatory in terms. That is to say, the supervisory authority must have the power to directly impose administrative fines for breaches of data protection law. This is in furtherance of, inter alia, recital 148 of the GDPR, which provides that the underlying purpose of administrative fines as follows.
“In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation.”
Article 83(2) specifically allows for mitigating and aggravating factors to be taken into account when assessing the level of fines. It also allows for fines to be imposed in addition to or as an alternative to the corrective enforcement measures enunciated in article 58(2).
The importance of administrative fines as an enforcement tool available to national supervisory authorities was commented upon by the Article 29 Working Party[3] in the following terms.
Administrative fines are a central element in the new enforcement regime introduced by the Regulation, being a powerful part of the enforcement toolbox of the supervisory authorities together with the other measures provided by article 58.[4]
The imposition of fines must be “effective, proportionate and dissuasive”[5].
The potential fines that can be imposed are substantial.
Article 83(3) provides that fines can be up to €10 million or 2% of total worldwide annual turnover (whichever is greater) for serious breaches; and €20 million or 4% of total worldwide annual turnover (whichever is greater) for very serious breaches.
The imposition of a fine for a breach of data protection law is not entirely new. These are available in the criminal sphere in circumstances where the supervisory authority brings a prosecution, and fines can be imposed by national courts for a criminal offence.
The power to impose administrative fines, however, was an entirely new power, introduced by the GDPR, and greatly enlarges the arsenal of enforcement powers available to the Commission.
Chapter 6 of the 2018 Act sets out the national procedure in respect of the imposition of fines. Section 143 provides that fines imposed by the Commission should be confirmed by the Circuit Court.
The Commission, must, therefore apply to the Circuit Court, which shall confirm the decision to impose the fine unless the Court sees good reason not to do so.
It has been widely reported that the Commission’s first administrative fine was issued against Tusla, the Child and Family Agency.[6] In May 2020, the Commission fined the agency €75,000 for unauthorised disclosure of personal data.
The Commission issued a second fine against the same agency one week later. EU-wide, the largest fine thus far was imposed by the French supervisory authority. In January 2019, it fined Google €50 million for its failure to provide transparent and understandable data usage policies. Unlike its European partners, Ireland’s Commission did not issue a single fine in 2019.
Oversight & Judicial Review
Thematic throughout the GDPR is the right to an effective judicial remedy for controllers, processors and subjects.
Recital 142 specifically provides that national courts shall have full jurisdiction to deal with questions of both law and fact. In this jurisdiction, there has always been the right to appeal a decision of the Commission, which is a full de novo appeal, and the option, where appropriate, to judicially review a decision of the Commission.
Article 79(1) provides for the right to an effective judicial remedy for data subjects, as well as the right to lodge a complaint with the Commission.
“Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.”
The CJEU explained the underlying purpose of having an effective judicial remedy, in the case of Schrems I.
“The first paragraph of Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article. The very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law.”[7]
The High Court and Circuit Court have concurrent jurisdiction to deal with data protection matters. Section 150 of the 2018 Act provides for the right to an effective judicial remedy, so called, a data protection action. A data controller or processor which is subject to an enforcement notice from the Commission, can appeal that notice. A data subject also has the right to appeal a decision of the Commission affecting them.
Further, it is open to a person subject to a decision of the Commission to judicially review any such decision to the High Court. An affected person could apply to have any such decision quashed by way of certiorari. A full discussion of the principles underlying judicial review is outside the scope of the within. Suffice to say, any such applicant may encounter difficulty where there is an appeal available to the Circuit Court. One is usually expected to exhaust available remedies before bring an application to have a decision quashed by way of judicial review.
However, judicial review seeking to compel a decision, by way of mandamus, may well be warranted in certain circumstances.
In NOYB – European Centre for Digital Rights v Data Protection Commission [2020 437 JR], the applicant obtained leave to judicially review the Commission on 6 July 2020.
The applicant lodged a complaint to the Commission in relation to WhatsApp and Instagram, both based in Ireland.
The Commission has taken two years to produce a first draft inquiry report. This is only the first of stage of investigation in, what the applicant claims is, an urgent case.
The applicant is seeking to compel the Commission to make a decision.
The applicant is also seeking the High Court to make a declaration that the Commission has failed in its obligation to carry out an investigation into the complaints against WhatsApp and Instagram within a reasonable time, as required by article 57 of the GDPR and section 113 of the 2018 Act.
Compensation for Breaches of Data Protection Rights
The Commission has no power to compensate data subjects whose personal data protection rights have been breached. Anyone seeking compensation must apply to the Courts. Article 82(1) of the GDPR provides the following:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Article 82(4) sets out that these claims are to be brought in national courts.
“Court proceedings for exercising the right to receive compensation shall be brought before the courts competent under the law of the Member State referred to in Article 79(2).”
In respect of the likely approach that may be taken by the Courts in assessing compensation, guidance can be gleaned from the CJEU case of Digital Rights Ireland.
“To establish the existence of an interference with the fundamental right to privacy, it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way.”[8]
Section 117 of the 2018 Act provides the procedure for making a claim for compensation to the courts in this jurisdiction. Claims for compensation are based upon the principles of tort and made to either the Circuit or the High Court.
A data subject can also apply for injunctive relief, seeking to restrain the processing of data under section 117. In April 2020, the High Court granted an interim injunction against eBay. The company was ordered to temporarily cease using a child’s image on its site, where the child’s mother claimed the company did not have permission to process the child’s personal data, viz, her image.[9]
As of yet, it is not entirely clear how the courts will approach the question of quantum in respect of compensation for non-material damage, a novel right introduced by the GDPR. There does not appear, as yet, to be a reported judgment on the matter.
In Collins v FBD Insurance Plc [2013] IEHC 137, the High Court overturned the Circuit Court’s award of €15,000 damages because the Directive, the predecessor to the GDPR, did not include any right to damages for non-pecuniary loss. Reports or written judgments are awaited on the matter.
Conclusions
The GDPR has certainly provided the Commission with an array of investigative and enforcement tools. Judicial oversight is also widely provided. Although it is clear that the Commission has not yet used the tools available to it to the fullest extent, the new rules, procedures and tools are still in their infancy.
The Commission will not only have to rigorously enforce the GDPR, and ensure that the tech industry is appropriately regulated, it will have to be seen to be carrying out its role. The Commission is responsible, not only to the Irish citizens, but to an EU-wide citizenry and will be open to criticism from across the bloc, even for a perceived failure.
***Schrems II and Privacy Shield [UPDATED: 25 September 2020]***
In Schrems II [Data protection Commissioner v Facebook Ireland & Schrems Case C-311/18, 16 July 2020], the Commission sought clarity from the EU court in respect of data transfers to the US under the privacy shield agreement. In July 2020, the CJEU struck down privacy shield, the data transfer agreement between the EU and the US. The matter is now back before the Irish courts.
Without an agreement in place between the US and the EU, Facebook, and many of the other tech company would have to fundamentally change the way they deal with EU citizens’ personal data or risk being in breach in the GDPR, and potentially be subject to enforcement provision.
REFERENCES
[1] Helen Dixon, Data Protection Commissioner (11 October, 2017) ‘Data Protection Commissioner welcomes significant €4 million Budget 2018 funding increase’, Press release available at https://www.dataprotection.ie/docs/EN/11-10-2017-Data-Protection-Commissioner-welcomes-significant%E2%82%AC4-million-Budget-2018-funding-increase/i/1670.htm
[2] Schrems (Case-C-362-14) (6 October, 2015) at para. 63
[3] The Article 29 Working Party was the independent European working party set up by each member states’ data protection body that dealt with issues relating to the protection of privacy and personal data until 25 May 2018 (entry into force of the GDPR).
[4] Article 29 Data Protection Working Party (3 October, 2017) ‘Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679’, 17/EN/ WP 253 at .4
[5] Article 8(1) of the GDPR
[6] See for example, Irish Times (17 May 2020) Tusla becomes first organisation fined for GDPR rule breach https://www.irishtimes.com/news/crime-and-law/tusla-becomes-first-organisation-fined-for-gdpr-rule-breach-1.4255692
[7] Schrems (Case-C-362-14) (6 October, 2015) at para. 95
[8] Digital Rights Ireland (Case C-293/12) (8 April, 2014)
[9] See https://www.irishtimes.com/news/crime-and-law/courts/high-court/mother-secures-order-to-stop-use-of-child-s-image-on-ebay-1.4233304?mode=amp
