31 January 2023
Following action by the Irish Council for Civil Liberties (ICCL), the European Commission will start regularly checking the progress of all “large-scale” GDPR cases across the EU.
ICCL has previously criticised the lack of GDPR enforcement against Big Tech, and the European Commission’s failure to monitor how the GDPR is applied.
The European Commission has now committed to examining every large-scale GDPR case, everywhere in Europe. It will measure how long each procedural step in a case is taking, and what the relevant data protection authorities are doing to progress the case. The Commission will do this six times per year.
Dr Johnny Ryan, ICCL Senior Fellow, said: “The European Commission’s new commitment should transform Europe’s data and digital enforcement. Previously, big cases lay dormant for years. Now, we should see acceleration in investigation and enforcement, and it will be clear where the European Commission needs to take swift action against Member States that fail to apply the GDPR. This heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech.”
The Commission’s monitoring overhaul follows a sixteen-month action by ICCL, which began in September 2021 when the organisation alerted the European Commission to its EU-wide “data deficit”. ICCL urged the Commission to monitor the progress of GDPR cases across Europe, and followed up by launching a complaint process with the EU Ombudsman.
This culminated in December last year when the EU Ombudsman recommended that the Commission monitor the progress of all Big Tech cases that fall under the responsibility of the Irish Data Protection Commission. Today’s commitment by the European Commission applies those recommendations to all large-scale cases across Europe, finally implementing ICCL’s suggestion to the Commission from September 2021.
Timeline
- September 2021: ICCL writes to the European Commission alerting it to its EU-wide “data deficit”, and begins exchanging correspondence with European Commissioner for Justice, Didier Reynders
- November 2021: ICCL lodges a formal complaint with the EU Ombudsman, alleging that the European Commission is in breach of its obligation under EU Law to carefully monitor how Ireland applies the GDPR
- February 2022: EU Ombudsman Dr Emily O’Reilly launches an inquiry in to ICCL’s complaint, and asks Commission President Ursula von der Leyen to "provide a detailed and comprehensive account of the information that it has so far collected to inform itself as to whether the GDPR is applied in all respects in Ireland"
- February-December 2022: ICCL provides ongoing detailed submissions throughout the Ombudsman’s inquiry
- December 2022: The EU Ombudsman recommends that the Commission monitor all Big Tech cases that fall under the responsibility of the Irish Data Protection Commission
- January 2023: The European Commission commits to new monitoring regime across the EU
Documents
The European Commission’s commitment to a new GDPR monitoring system, 25 January 2023 (PDF)
Emily O'Reilly's initial letter to Ursula von der Leyen, 10 February 2022 (PDF)