
EU’s lead data supervisor for most of big tech is still using Lotus Notes

Natasha Lomas
Senior Reporter, TechCrunch
February 9, 2021

Lead Data Supervisor in EU Relies on Outdated System for GDPR Complaints

The primary data protection authority for numerous tech companies operating within the European Union – including Apple, Facebook, Google, LinkedIn, TikTok, and Twitter – continues to utilize the Lotus Notes software platform for managing complaints and investigations related to the General Data Protection Regulation (GDPR). This information was revealed through freedom of information requests submitted by the Irish Council for Civil Liberties (ICCL).

Delayed IT Upgrade

In its 2016 annual report, Ireland’s Data Protection Commission (DPC) identified the “implementation of a new website and case-management system” as a key objective for preparing for the GDPR and ePrivacy regulations, with a target completion date of May 2018. However, responses to the ICCL’s FOI requests demonstrate that this crucial IT upgrade project remains incomplete over five years later.

Internal documentation indicates that project deadlines were consistently missed. By October 2020, the cost of the DPC’s IT infrastructure upgrade had exceeded the initial estimate, reaching at least €615,121. This figure excludes staff time dedicated to the project since 2016 and does not account for the ongoing maintenance costs of the legacy Lotus Notes system, which are covered by the Irish government’s Department of Justice.

Embarrassment and Questions of Effectiveness

The reliance on such an outdated software solution to handle data protection complaints from major technology firms is considered highly embarrassing for the DPC. It also prompts questions regarding the effectiveness of the organization’s senior leadership.

Backlog of Cases and Regulatory Enforcement

The DPC has faced ongoing criticism regarding the slow pace of regulatory enforcement concerning large technology companies. This, combined with the GDPR’s ‘one-stop-shop’ mechanism, has resulted in a substantial backlog of cases. The European Commission has acknowledged this backlog as a weakness within the regulation. Consequently, the prolonged delay in modernizing the DPC’s IT infrastructure will likely intensify criticism that the regulator is not adequately equipped to fulfill its responsibilities.

Resource Disparity

A significant challenge lies in the considerable disparity in resources and technical expertise between tech giants – who generate substantial profits from user data and employ large legal teams – and the under-resourced public sector agencies responsible for protecting user rights. These agencies often lack the modern tools necessary to effectively perform their duties.

Growing Budget and Headcount

In Ireland’s specific case, the extended timeframe for overhauling its internal IT systems raises concerns about resource management. This is particularly noteworthy given that the DPC’s budget and staffing levels have increased since approximately 2015, reflecting the allocation of additional resources to accommodate the implementation of the GDPR.

Call for Additional Commissioners

The ICCL is advocating for the Irish government to appoint two additional commissioners to support the current commissioner, Helen Dixon, who has held the position since 2014. Irish law permits the appointment of up to three commissioners.

Analogy to Antiquated Technology

Dr. Johnny Ryan, a senior fellow at the ICCL, described the situation to TechCrunch, stating that those responsible for ensuring responsible data handling by companies like Facebook and Google are using a system “so antiquated that one former staff member told me it is ‘like attempting to use an abacus to do payroll’”.

DPC’s Response

The DPC asserts that it possesses a “functional and fit-for-purpose” Case Management System, which has been enhanced with new features in recent years, including statistical analysis and reporting capabilities. However, the DPC acknowledges that the system is “dated” and “limited” in its ability to integrate with a new DPC website, web forms, and the IMI shared platform used by EU data protection authorities, due to its foundation in Lotus Notes technology.

Deputy Commissioner Graham Doyle stated that significant work on system specification and core module development has been completed. Delays have occurred due to updates in security and infrastructure specifications. Some elements were intentionally slowed to allow for consensus among EU DPAs on key processes, such as those related to Article 60 cooperation and consistency under the GDPR.

EU-Wide Coordination Challenges

The European Data Protection Board (EDPB) is still finalizing guidance on the operationalization of Article 60 and the dispute resolution mechanism under Article 65. These features require seamless integration between systems. Furthermore, the EU has yet to adopt its new e-Privacy legislation, almost three years after its intended implementation date. The DPC, along with all other EU DPAs, is continuously refining its understanding of the GDPR’s procedural and operational aspects.

The DPC anticipates rolling out initial core modules of the new Case Management System in Q2 2021, and progress continues on the investment.

Limited Enforcement Record

To date, Ireland’s regulator has issued only one decision regarding a cross-border GDPR complaint: a €550,000 fine imposed on Twitter in December for a security breach disclosed in January 2019.

Lengthy Decision Processes

Disagreements between Ireland and other EU DPAs regarding the initial enforcement proposal added months to the decision-making process. The DPC was ultimately compelled to increase its proposed penalty by a few thousand euros following a majority vote. The Twitter case, while relatively swift, contrasts sharply with the more than seven years involved in a separate complaint (Schrems II) concerning Facebook’s international data transfers, which predates the GDPR.

Legal Challenges and Data Transfers

In the Schrems II case, the DPC opted to pursue legal action to challenge the legality of the data transfer mechanism itself, rather than addressing a specific complaint about Facebook’s use of Standard Contractual Clauses. This led to a referral to the European Court of Justice, which ultimately invalidated the EU-US Privacy Shield agreement.

Despite successfully challenging the Privacy Shield, the DPC has not yet prohibited Facebook’s EU data transfers. However, in September, it issued a preliminary suspension order, which Facebook immediately challenged and temporarily blocked through judicial review.

Ongoing Legal Proceedings

Last year, the DPC settled a counter judicial review brought by the original complainant, agreeing to expedite the finalization of the complaint. A decision is expected later this year.

DPC’s Defense and Mounting Criticism

The DPC defends itself against accusations of enforcement delays by emphasizing its commitment to due process to ensure the legal validity of its decisions. However, the revelation that its internal IT upgrade has been ongoing for five years since being prioritized will likely fuel further criticism.

EU Parliament’s Concerns

Last week, the EU parliament’s civil liberties committee issued a draft motion calling on the Commission to initiate infringement proceedings against Ireland for allegedly failing to adequately enforce the GDPR. The motion expressed “deep concern” that numerous complaints regarding GDPR breaches remain unresolved by the Irish DPC, despite the regulation’s implementation in May 2018.

Focus on Schrems II Case

The LIBE committee specifically highlighted the Schrems II Facebook transfers case, expressing concern that the DPC initiated the case rather than issuing a decision within its powers under Article 58 GDPR.

Proposed Regulatory Changes

The Commission’s plans for updating pan-EU platform regulations – the Digital Services Act and Digital Markets Act – propose to address enforcement bottlenecks by suggesting that enforcement against the largest platforms be centralized at the EU level. This aims to prevent individual Member State agencies from hindering cross-border enforcement of European citizens’ data rights, as has been observed with the GDPR.

Limitations of Freedom of Information

A unique aspect of the Irish DPC is that it is not fully subject to freedom of information law. The law applies only to records concerning “the general administration of the Commission”. This means that its “supervisory, regulatory, consultation, complaint-handling or investigatory functions (including case files) are not releasable under the Act”, as stated on its website.

Freedom of information requests filed by TechCrunch last year, seeking information on the number of times the DPC has used GDPR powers to impose temporary or absolute bans on data processing, were denied on these grounds.

The DPC’s refusal to disclose whether it has ever ordered an infringing entity to cease processing personal data cited the limited scope of FOI law, clarifying that “general administration” refers only to records related to the management of the FOI body, such as personnel, finances, recruitment, IT, accommodation, and internal procedures.

While Ireland’s FOI law restricts scrutiny of the DPC’s activities, the agency’s enforcement record remains a clear indicator of its performance.


Natasha Lomas

Natasha's Extensive Journalism Career

Natasha served as a senior reporter with TechCrunch for over twelve years, spanning from September 2012 to April 2025. Her reporting was conducted from a European base.

Prior to her time at TechCrunch, she gained experience reviewing smartphones for CNET UK. This followed a period of more than five years dedicated to business technology coverage.

Early Career at silicon.com

Natasha’s early career included a significant role at silicon.com, which was later integrated into TechRepublic. During this time, her focus encompassed several key areas of technology.

  • Mobile and wireless technologies
  • Telecoms & networking infrastructure
  • IT skills and training

She consistently delivered insightful reporting on these evolving fields.

Freelance Contributions

Beyond her staff positions, Natasha broadened her journalistic portfolio through freelance work. She contributed articles to prominent organizations such as The Guardian and the BBC.

Educational Background

Natasha’s academic credentials include a First Class degree in English from Cambridge University. She furthered her education with an MA in journalism from Goldsmiths College, University of London.

These qualifications provided a strong foundation for her successful career in technology journalism.