The lead regulator overseeing big tech companies’ compliance with the general data-protection regulation has come under fire from privacy activists who argue its IT systems are ill-equipped for the task.
Freedom-of-information requests filed by the Irish Council for Civil Liberties found that the Data Protection Commission (DPC) has not implemented a new core system to cope with the demands of the European Union General Data Protection Regulation (GDPR), which became enforceable in 2018.
This is despite internal documents and public statements dating back to 2017 indicating that such an overhaul would be necessary to deal with the regulation, which adds substantially to the amount of data its systems must process.
The findings come as questions grow over the future of the “one-stop shop” model, which allows national regulators to handle GDPR investigations on behalf of the EU, but has increasingly been viewed as a bottleneck.
“The GDPR gives Ireland a central role in protecting data rights across all of the European Union but [it] is not configured for its digital mission,” said Dr Johnny Ryan, senior fellow at the council. “How can it be expected to monitor what the world’s biggest tech firms do with our data?”
The DPC’s core systems are used to track and handle complaints and investigations relating to GDPR. One former employee quoted by the council described the situation as akin to “trying to run your payroll system with an abacus”.
Graham Doyle, the deputy commissioner, said the regulator had “a functional and fit-for-purpose” case-management system that had been updated with new features over the years.
However, he admitted it was now “dated” because of the limitations of the underlying technology, which made it hard to integrate it with the regulator’s new website and a platform linking European data regulators.
“Significant work in specifying the system and building its core modules has been completed,” said Mr Doyle, adding that the commission planned to roll out new core parts of the system in the second quarter of 2021.
He said that among the causes of delays were changing specifications and continued fine-tuning of the implementation of GDPR.
The investigation comes as the regulator faces continued criticism over the speed of its decision-making. Under "one-stop shop" rules, the DPC acts as the lead EU authority for GDPR cases involving companies that have headquarters there, such as Google and Facebook.
“The whole co-operation system relies on a few key regulators moving cases along and so far this is barely happening,” said Estelle Massé, senior policy analyst at Access Now.
The commission also faced a draft resolution, introduced last week in the European Parliament, calling for formal infringement proceedings against it over alleged enforcement failings. Edward Machin, a lawyer at Ropes & Gray, said the action exposed deep faultlines in Europe around enforcement of the GDPR.
Mr Ryan also pointed to an opinion last month from the European Court of Justice’s advocate general Michal Bobek who said member states should be able to sidestep lead authorities and directly enforce rules against companies.
David Dumont, partner at law firm Hunton Andrews Kurth, emphasised that Mr Bobek’s opinion referred to specific situations under which the one-stop shop could be sidestepped, such as if a lead authority decided not to handle a case or if urgent action is required.
Nevertheless, the future of the arrangement looks increasingly dubious, said Mr Machin. “Whether or not the commission brings proceedings against the DPC, any hopes that the GDPR would usher in an era of harmonised, co-operative enforcement by European regulators and legislators are now fading.” – Copyright The Financial Times Limited 2021