One of the functional pillars of the EU's General Data Protection Regulation (GDPR) – and one of its most controversial – is the one-stop-shop mechanism.
This mandates that if someone wishes to bring a data-handling complaint to a regulator, the complaint is referred to the regulator in the country where the organisation at the centre of the complaint has its European base.
In practice this has meant that most complaints made in the EU about the world's largest-scale data-handlers – the big technology companies – wend their way to the Irish Data Protection Commission.
However, data protection authorities (DPAs) in other EU countries complain that Irish fines have been far too low. That is, when decisions have actually been taken.
A recent report from the Irish Council for Civil Liberties (ICCL) forcefully reiterates and documents these problems. A fifth of all EU complaints referred between authorities are sent to the Irish commission, but 98 per cent of them remain unresolved. Ireland, it says, is the GDPR bottleneck.
The GDPR is a powerful enforcement tool that grants significant abilities to national DPAs to take decisions, yet it remains underutilised by a slow-moving Irish office averse to implementing large fines. That's according to none other than Viviane Reding, the former EU justice commissioner who was the key shaper and driver of the GDPR.
In September, she gave a talk for an event on cross-border data protection for the Brexit Institute at Dublin City University. She noted that, while EU states had initially been slow to punish large companies for data violations, instead focusing on minor domestic cases, this had started to change due to growing public and press criticism of regulator timidity and delays. However, with its landmark €746 million fine against Amazon in July, it was Luxembourg, not Ireland, that "emerged as a privacy champion". This was good, she said, "because it puts pressure on Ireland".
Ireland had failed to deliver significant fines, she said, until the recent fine against WhatsApp. But that September fine was initially just a fraction of its final €225 million until the centralised EU GDPR resolution body, comprising eight other EU regulators, demanded a substantial increase after finding the original punishment too small.
Centralised body
Reding’s most intriguing comment was that she had opposed the one-stop-shop mechanism, preferring complaints against large companies to be handled by a centralised EU body, with the concentrated power to take on these corporate behemoths.
Why did we end up with the one-stop shop? Because individual EU states lobbied for it, she said.
The one-stop shop was sold as a key GDPR strength. Increasingly, the approach has come to appear a troublesome one, exposed to divide-and-conquer strategies from multinationals.
Initially, too, I had thought Ireland would wither at the implications of the alarming regulatory burden placed on its regulator. Now, it seems Ireland may have lobbied for the mechanism. If so, why? To attempt to retain some control over a key business and multinational regulatory area in which many European countries were often at odds with the Irish Government?
Whatever the case, underfunding a regulator's office is a move that can easily be interpreted as deliberate. On the other hand, as the ICCL report makes clear, every DPA in Europe is underfunded and lacks enough specialists – due to, ahem, the one-stop-shop mechanism. Specialised legal expertise is expensive. Corporations can afford it.
Not fit for purpose
Reding argued that DPAs thought they “could sit back and not do anything, and nobody would notice”. But if national DPAs will now do their jobs, “everything will be fine”, she says. If not, she thinks the EU must reform GDPR and centralise regulation.
I have argued this for some time. The one-stop shop didn’t seem fit for purpose – not without well-funded DPAs willing to take decisions even at the risk of a legal challenge (big tech tends to challenge decisions regardless).
It makes sense that, originally, a one-stop shop was not even part of the GDPR, but was bolted on later to satisfy other motivations. We may never know exactly what those were, though we can speculate.
Reding, incidentally, noted that the US lobbied hard on GDPR, sending over 80 “high-level specialists who made one of the biggest lobbying campaigns Europe had ever seen”, she said. “It was a lobby war. They should have invested the money in changing [their] system: that would have been more efficient because, as you know, they lost the lobbying without result.”
Just maybe, they got one result. Did they push for the one-stop shop?
Whatever the case, the past is now the past. I am glad the original GDPR architect has clearly stated that the GDPR needs reform if key national regulators, such as Ireland’s and Luxembourg’s, fail to act in a timely, impactful way.