
European Parliament amps up pressure on EU-US data flows and GDPR enforcement – TechSwitch


European Union lawmakers are facing additional pressure to step in and do something about lackadaisical enforcement of the bloc's flagship data protection regime after the European Parliament voted yesterday to back a call urging the Commission to open an infringement proceeding against Ireland's Data Protection Commission (DPC) for not "properly enforcing" the regulation.
The Commission and the DPC have been contacted for comment on the parliament's call.
Last summer the Commission's own two-year review of the General Data Protection Regulation (GDPR) highlighted a lack of uniformly vigorous enforcement, but commissioners were keener to point out the positives, lauding the regulation as a "global reference point".
But it is now almost three years since the regulation began being applied, and criticism over weak enforcement is getting harder for the EU's executive to ignore.
The parliament's resolution, which, while not legally binding, fires a strong political message across the Commission's bow, singles out the DPC for particular criticism given its outsized role in GDPR enforcement. It is the lead supervisory authority for complaints brought against the many big tech firms that choose to site their regional headquarters in the country (on account of its corporate-friendly tax system).
The text of the resolution expresses "deep concern" over the DPC's failure to reach a decision on numerous complaints about breaches of the GDPR filed on the day it came into application, May 25, 2018, including complaints against Facebook and Google, and criticises the Irish data watchdog for interpreting "without delay" in Article 60(3) of the GDPR "contrary to the legislators' intention – as longer than a matter of months", as they put it.
To date the DPC has only reached a final decision on one cross-border GDPR case: against Twitter.
The parliament also says it is "concerned about the lack of tech specialists working for the DPC and their use of outdated systems" (which Brave also flagged last year), as well as criticizing the watchdog's handling of a complaint originally brought by privacy campaigner Max Schrems years before the GDPR came into application, which relates to the clash between EU privacy rights and U.S. surveillance laws, and which still hasn't resulted in a decision.
The DPC's approach to handling Schrems' 2013 complaint led to a 2018 referral to the CJEU, which in turn led to the landmark Schrems II judgement last summer invalidating the flagship EU-U.S. data transfer arrangement, Privacy Shield.
That ruling did not outlaw other data transfer mechanisms, but it made clear that EU DPAs have an obligation to step in and suspend data transfers if Europeans' information is being taken to a third country that does not have essentially equivalent protections to those they have under EU law, thereby putting the ball back in the DPC's court on the Schrems complaint.
The Irish regulator then sent a preliminary order to Facebook to suspend its data transfers, and the tech giant responded by filing for a judicial review of the DPC's processes. However, the Irish High Court rejected Facebook's petition last week. And a stay on the DPC's investigation was lifted yesterday, so the DPC's process of reaching a decision on the Facebook data flows complaint has started moving again.
A final decision could still take several more months, though, as we've reported before, because the DPC's draft decision will also have to be put to the other EU DPAs for review and the chance to object.
Update: The DPC said today that it has now written to Facebook following the lifting of the stay, giving the company six weeks to provide submissions on the preliminary order.

The parliament's resolution states that it "is worried that supervisory authorities have not taken proactive steps under Article 61 and 66 of the GDPR to force the DPC to comply with its obligations under the GDPR", and, in more general remarks on the enforcement of GDPR around international data transfers, it states that it:
Is concerned about the insufficient level of enforcement of the GDPR, particularly in the area of international transfers; expresses concerns at the lack of prioritisation and overall scrutiny by national supervisory authorities with regard to personal data transfers to third countries, despite the significant CJEU case law developments over the past five years; deplores the absence of meaningful decisions and corrective measures in this regard, and urges the EDPB [European Data Protection Board] and national supervisory authorities to include personal data transfers as part of their audit, compliance and enforcement strategies; points out that harmonised binding administrative procedures on the representation of data subjects and admissibility are needed to provide legal certainty and deal with cross-border complaints;
The knotty, multi-year saga of Schrems' Facebook data-flows complaint, as played out via the procedural twists of the DPC and Facebook's lawyers' delaying tactics, illustrates the multi-layered legal, political and commercial complexities bound up with data flows out of the EU (post-Snowden's 2013 revelations of U.S. mass surveillance programs), not to mention the staggering difficulty for EU data subjects to actually exercise the rights they have on paper. But these intersecting issues around international data flows do seem to be finally coming to a head, in the wake of the Schrems II CJEU ruling.
The clock is now ticking for the issuing of major data suspension orders by EU data protection agencies, with Facebook's business first in the firing line.
Other U.S.-based services that are similarly subject to the U.S.' FISA regime (and also move EU users' data over the pond for processing, and whose businesses are such that they cannot shield user data via a "zero access" encryption architecture, that is, one in which the provider holds no key capable of decrypting user content, so a compelled disclosure yields only ciphertext) are equally at risk of receiving an order to shut down their EU-U.S. data pipes, or else having to shift data processing for those users inside the EU.
U.S.-based services aren't the only ones facing rising legal uncertainty, either.
The U.K., post-Brexit, is also classed as a third country (in EU law terms). And in a separate resolution today the parliament adopted a text on the U.K. adequacy decision proposed earlier this year by the Commission, which raises objections to the arrangement, including by flagging a lack of GDPR enforcement in the U.K. as problematic.
On that front the parliament highlights how adtech complaints filed with the ICO have failed to yield a decision. (It writes that it is concerned "non-enforcement is a structural problem" in the U.K., which it suggests has left "a large number of data protection law breaches… [un]remedied".)
It also calls out the U.K.'s surveillance regime, questioning its compatibility with the CJEU's requirements for essential equivalence, while also raising concerns about the risk that the U.K. could undermine protections on EU citizens' data via onward transfers to jurisdictions the EU does not have an adequacy agreement with, among other objections.
The Commission put a four-year lifespan on the U.K.'s adequacy deal, meaning there will be another major review ahead of any continuation of the arrangement in 2025.
It's a far cry from the "hands-off" 15 years the EU-U.S. "Safe Harbor" agreement stood for, before a Schrems challenge finally led to the CJEU striking it down back in 2015. So the takeaway here is that data deals that allow people's information to leave Europe aren't going to be allowed to stand unchecked for years; close scrutiny and legal accountability are now firmly front and centre, and will remain in the frame going forward.
The global nature of the internet and the ease with which data can digitally flow across borders of course brings huge benefits for businesses, but the resulting interplay between different legal regimes is leading to rising levels of legal uncertainty for companies seeking to take people's data across borders.

In the EU's case, the issue is that data protection is regulated across the bloc and these laws require that protection stays with people's information, no matter where it goes. So if the data flows to countries that don't offer the same safeguards, be that the U.S. or indeed China or India (or even the U.K.), then the risk is that it can't, legally, be taken there.
How to resolve this clash, between data protection laws based on individual privacy rights and data access mandates driven by national security priorities, has no easy answers.
For the U.S., and for the transatlantic data flows between the EU and the U.S., the Commission has warned there will be no quick fix this time, as happened when it slapped a sticking plaster atop the invalidated Safe Harbor, hailing a new "Privacy Shield" regime, only for the CJEU to blast that out of the water for much the same reasons a few years later. (The parliament resolution is particularly withering in its assessment of the Commission's historical missteps there.)
For a fix to stick, major reform of U.S. surveillance law is going to be needed. And the Commission appears to have accepted that's not going to come overnight, so it seems to be trying to brace businesses for turbulence…

On EU-US transfers, I'm in close contact with 🇺🇸 authorities to find future-proof solutions. We are working hard to provide stakeholders with practical guidance. There will be no quick-fix, as this will need to fully comply with EU law, not. the fundament right to privacy (3/3) pic.twitter.com/OzxCDvlEVD
— Didier Reynders (@dreynders) May 20, 2021

The parliament's resolution on Schrems II also makes it clear that it expects DPAs to step in and cut off risky data flows, with MEPs writing that "if no arrangement with the U.S. is swiftly found which guarantees an essentially equivalent and therefore adequate level of protection to that provided by the GDPR and the Charter, that these transfers will be suspended until the situation is resolved".
So if DPAs fail to do that, and if Ireland keeps dragging its feet on closing out the Schrems complaint, they should expect more resolutions to be blasted at them from the parliament.
MEPs emphasize the need for any future EU-U.S. data transfer agreement "to address the problems identified by the Court ruling in a sustainable manner", declaring that "no contract between companies can provide protection from indiscriminate access by intelligence authorities to the content of electronic communications, nor can any contract between companies provide sufficient legal remedies against mass surveillance".
"This requires a reform of US surveillance laws and practices with a view to ensuring that access of US security authorities to data transferred from the EU is limited to what is necessary and proportionate, and that European data subjects have access to effective judicial redress before US courts," the parliament adds.
It's still true that businesses may be able to legally move EU personal data out of the bloc. Even, potentially, to the U.S., depending on the type of business; the data itself; and additional safeguards that could be applied.
However, for data-mining companies like Facebook, which are subject to FISA and whose businesses rely on accessing people's data, achieving essential equivalence with EU privacy protections looks, well, essentially impossible.
And while the parliament hasn't made an explicit call in the resolution for Facebook's EU data flows to be cut off, that's the clear implication of it urging infringement proceedings against the DPC (and deploring "the absence of meaningful decisions and corrective measures" in the area of international transfers).
The parliament also states in the resolution that it wants to see "solid mechanisms compliant with the CJEU judgement" set out, for the benefit of businesses with the prospect of legally moving data out of the EU, saying, for example, that the Commission's proposal for a template for Standard Contractual Clauses (SCCs) should "duly take into account all the relevant recommendations of the EDPB".
It also says it supports the creation of a toolbox of supplementary measures for such businesses to choose from, in areas like security and data protection certification; encryption safeguards; and pseudonymisation, as long as the measures included are accepted by regulators. (The EDPB's recommendations on supplementary measures only credit encryption and pseudonymisation where the keys, or the additional information needed to re-identify the data, are kept out of the reach of the importer and the third-country authorities.)
It also wants to see publicly available resources on the relevant legislation of the EU's main trading partners to help businesses that have the possibility of legally moving data out of the bloc get guidance to help them do so in compliance.
The overarching message here is that businesses should buckle up for disruption of cross-border data flows, and gear up for compliance, where possible.
In another section of the resolution, for example, the parliament calls on the Commission to "analyse the situation of cloud providers falling under section 702 of the FISA who transfers data using SCCs", going on to suggest that support for European alternatives to U.S. cloud providers may be needed to plug "gaps in the protection of data of European citizens transferred to the United States" and, in a more blatant push for digital sovereignty, "reduce the dependence of the Union in storage capacities vis-à-vis third countries and to strengthen the Union's strategic autonomy in terms of data management and protection".