The mechanism that determines which EU data protection authority (DPA) should lead investigations and enforcement actions against companies for data breaches and abuses is “slow” and “unsustainable,” says the head of the regulator that oversees most Big Tech firms.
Helen Dixon of Ireland’s Data Protection Commission (DPC) believes the “one-stop shop” provision under the General Data Protection Regulation (GDPR) is not fit for purpose in the long term.
Dixon spoke as part of a panel discussion Monday at an International Association of Privacy Professionals-organized event. She noted the one-stop shop “slows the enforcement process down” and “drains resources.”
Part of the reason for the slow turnaround is that different EU member states take very different views on what constitutes a GDPR infringement, she said. They are also divided over how punitively the legislation should be enforced.
“A DPA reaches a decision, tries to defend it against a lot of arguments from 26 other national DPAs under Article 60 [of the GDPR], and then tries to defend a revised version again under Article 65 that attempts to take into account their concerns before the European Data Protection Board (the EU’s umbrella data regulator) steps in to give a final verdict,” said Dixon. “That is unsustainable.”
Dixon added the Irish DPC is being “drowned” by “scattergun demands” from other DPAs for mutual assistance requests, which are slowing down its work.
The Irish DPC is working on more cross-border investigations than any other EU country. It has 28 ongoing cross-border inquiries into Big Tech firms, with Facebook and its associated companies accounting for 15.
In the nearly three years the GDPR has been in force, Ireland has faced fierce criticism over the slow progress the authority has made in trying to investigate Google, Facebook, and others. With a budget of just €16.9 million (U.S. $20.4 million) this year—and a staff of 145—the Irish DPC’s resources pale in comparison to those of the companies it is meant to regulate.
European Data Protection Supervisor Wojciech Wiewiórowski said at the same event Monday he would like to see the one-stop shop reformed in the long term because there is a “danger” the lack of consensus leads to DPAs “disowning decisions they don’t like” in the way some regulators—namely, Austria, Germany, Hungary, and Italy—did with the Twitter GDPR decision in December.
Wiewiórowski, who is in charge of overseeing data protection in the EU’s institutions, thinks there is a risk one-stop shop binding decisions taken by the EDPB “may become orphans” because a majority of DPAs “will all say in the end that, ‘We would’ve done it better only if it was our own decision.’”
He warned trying to achieve consensus among the EU’s 27 members could result in “a national DPA pushing through a decision it does not agree with.”
Wiewiórowski added some of the problems relating to the one-stop shop arise because the mechanism was agreed in haste after the rest of the GDPR’s articles and details had been signed off. Several DPAs objected to it as unworkable.