The EU Ombudsman recommended changes to how the Irish Data Protection Commission (DPC) provides regular reports to the European Commission on cases involving so-called Big Tech firms, in a move that may give the commission greater insight to the DPC’s handling of issues with the major technology companies based in Dublin.
The DPC provides bimonthly reports to the commission that give an overview of its handling of cases with big technology firms, including cases that involve other countries. The DPC is the main regulator in Europe for several large firms which have their EU base in Ireland, including Facebook parent Meta, and Google’s owner Alphabet.
In a ruling published on Tuesday, EU Ombudsman Emily O’Reilly makes a number of “suggestions for improvement” in how those reports are filed.
Among the measures, the commission “could draw up a table with a series of predetermined fields that should be filled in by the Irish Data Protection Commission, with information on cross-border cases, containing, for each such case: the case number, the data controller involved, the other data protection authorities concerned, the dates of the key steps undertaken (as per the GDPR) and their dates, and the concrete measures taken”, Ms O’Reilly wrote in the ruling.
Your work questions answered: My hours have been cut but someone new has been hired. Can my employer do this?
Cliff Taylor: How the return of SSIA-style incentives might be on the cards for Irish households
From intern to CEO: does it pay to be a company lifer?
My remuneration ‘was substantial’: The interview transcript Derek Quinlan didn’t want made public
“Whenever individual cases have given rise to own initiative investigations, this too should be noted for the individual cases, together with a reference to the own initiative investigation so as to allow the European Commission to monitor how the individual cases were processed.”
Ms O’Reilly also suggested the commission’s second report on how the GDPR rules were applied provided “an account of its practice” of receiving regular case overviews from the DPC, and gave “as much non-confidential information as possible”.
Ms O’Reilly’s comments came in a decision on the Irish Council for Civil Liberties’ (ICCL) complaint against the European Commission for what it described as the commission’s “failure to adequately monitor Ireland’s application of the GDPR”.
In her decision, the Ombudsman wrote the practice of obtaining a bimonthly overview of the DPC’s big tech cases “is appropriate and in line with good administration.”
“In the absence of this measure, the Ombudsman would have had serious doubts as to the adequacy of the information that the European Commission relies on,” she added.
A DPC spokesman declined to comment.
“We hope this will lead to improvement in the European Commission’s monitoring of Ireland’s application of the GDPR”, said Liam Herrick, executive director of ICCL in a statement.