The lead data supervisor for a slew of tech giants in the European Union, including Apple, Facebook, Google, LinkedIn, TikTok and Twitter, is still relying on Lotus Notes to manage complaints and investigations lodged under the bloc’s flagship General Data Protection Regulation (GDPR), per freedom of information requests made by the Irish Council for Civil Liberties (ICCL).
Back in its 2016 annual report Ireland’s Data Protection Commission (DPC) stated that one of its main goals for GDPR (and ePrivacy) readiness included “implementation of a new website and case-management system” in time for the regulation coming into force in May 2018. However some five years later this ITC upgrade project is still a work in progress, responses to the ICCL’s FOIs show.
Project deadlines were repeatedly missed, per internal documents now in the public domain, while by October 2020 the cost of the DPC’s ICT upgrade had more than doubled vs an initial projection — ballooning to at least €615,121 (a figure that excludes staff time spent on the project since 2016; and also does not include the cost of maintaining the antiquated Lotus Notes system which is borne by the Irish government’s Department of Justice).
The revelation that the lead data supervisor for much of big tech in Europe is handling complaints using such ‘last-gen’ software not only looks highly embarrassing for the DPC but raises questions over the effectiveness of its senior management.
The DPC continues to face criticism over the slow pace of regulatory enforcement vis-a-vis big tech which, combined with the GDPR’s one-stop-shop mechanism, has led to a huge backlog of cases that the European Commission has conceded is a weakness of the regulation. So the revelation that it’s taking so long to get its own ITC in order will only fuel criticism that the regulator is not fit for purpose.
The wider issue here is the vast gulf in resources and technical expertise between tech giants, many of which are racking up vast profits off of people’s data that they can use to put toward paying armies of in-house lawyers to shield them from the risk of regulatory intervention, vs the tiny, under-resourced public sector agencies tasked with defending users’ rights — without appropriately modern tools to help them do the job.
In Ireland’s case, though, the length of time involved in overhauling its internal ICT does throw the spotlight on management of resources. Not least because the DPC’s budget and headcount has been growing since around 2015, as more resource have been allocated to it to reflect GDPR coming into application.
The ICCL is calling for the Irish government to consider hiring two additional commissioners — to supplement the current (sole) commissioner, Helen Dixon, who was appointed to the role back in 2014.
It notes that Irish law allows for the possibility of having three commissioners.
“The people who are supposed to make sure that Facebook and Google do not misuse the information that they have about each of us, are using a system so antiquated that one former staff member told me it is ‘like attempting to use an abacus to do payroll’,” Dr Johnny Ryan, an ICCL senior fellow, told TechCrunch.
The DPC is not configured for its digital mission,” he added in a statement. “What we have discovered indicates that it cannot run critically important internal technology projects. How can it be expected to monitor what the world’s biggest tech firms do with our data? This raises serious questions not only for the DPC, but for the Irish Government. We have alerted the Irish Government of the strategic economic risk from failing to enforce the GDPR.”
Reached for comment, the DPC told us it has a “functional and fit-for-purpose” Case Management System which it said has been “optimised with new features over the last number of years (including with capability for the generation of statistics and management reports)”.
But it conceded the system is “dated” and “limited” in terms of how much it can be adapted for integration with a new DPC website and web forms and the IMI [information systems management] shared platform used between EU data protection authorities — given that it’s based on Lotus Notes technology.
“Significant work in specifying the system and building its core modules has been completed,” deputy commission Graham Doyle said. “Some delays in delivery have occurred because of updates to specification of security and infrastructure elements. Some other elements have on demand from the DPC been slowed in order to allow for the resolution between EU DPAs of final intended processes such as those involved in the Article 60 cooperation and consistency mechanism under the GDPR.
“The EDPB [European Data Protection Board] is only now preparing internal guidance on the operationalisation of Article 60 and further on the dispute resolution mechanism under Article 65. These are key features of work between EU DPAs that require hand-offs between systems. In addition, the EU almost 3 years after it intended to has not yet adopted its new e-Privacy legislation. Further, the DPC alongside all other EU DPAs is learning how the procedural and operational aspects of the GDPR are to operate in fine detail and some of them remain to be settled.”
Doyle added that “progress continues” on the new Case Management System investment — saying it’s the DPC’s intention that “initial core modules” of the new system will be rolled out in Q2 2021.
To date, Ireland’s regulator has only issued one decision pertaining to a cross-border GDPR complaint: In December when it fined Twitter $550k over a security breach the company had publicly disclosed in January 2019.
Disagreement between Ireland and other EU DPAs over its initial enforcement proposal added months more to the decision process — and the DPC was finally forced to increase its suggested penalty by up to a few thousand euros following a majority vote.
The Twitter case was hardly smooth sailing but it actually represents a relatively rapid turnaround compared to the seven+ years involved in a separate (2013) complaint (aka Schrems II) — related to Facebook’s international data transfers which predates the GDPR.
With that complaint the DPC chose to go to court to raise concerns about the legality of the data transfer mechanism itself rather than acting on a specific complaint over Facebook’s use of Standard Contractual Clauses. A referral to the European Court of Justice followed and the EU’s highest court ended up torpedoing a flagship data transfer arrangement between the EU and the US.
Despite its legal challenge resulting in the EU-US Privacy Shield being struck down, the DPC still hasn’t pulled the plug on Facebook’s EU transfers. Although last September it did issue a preliminary suspension order — which Facebook immediately challenged (and blocked, temporarily) via judicial review.
Last year the DPC settled a counter judicial review of its processes, brought by the original complainant, agreeing to swiftly finalize the complaint — although a decision is still likely months out. But should finally come this year.
The DPC defends itself against accusations of enforcement foot-dragging by saying it must follow due process to ensure its decisions stand up to legal challenge.
But as criticism of the unit continues to mount revelations that its own flagship internal ICT upgrade is dragging on some five years after it was stated as a DPC priority will do nothing to silence critics.
Last week the EU parliament’s civil liberties committee issued a draft motion calling on the Commission to begin infringement proceedings against against Ireland “for not properly enforcing the GDPR”.
In the statement it wrote of “deep concern” that several complaints against breaches of the GDPR have not yet been decided by the Irish DPC despite GDPR coming into application in May 2018.
The LIBE committee also flagged the Schrems II Facebook transfers case — writing that it is concerned this case “was started by the Irish Data Protection Commissioner, instead taking a decision within its powers pursuant to Article 58 GDPR”.
It’s also notable that the Commission’s latest plans for updating pan-EU platform regulations — the Digital Services Act and Digital Markets Act — propose to side-step the risk of enforcement bottlenecks by suggesting that key enforcement against the largest platforms should be brought in-house to avoid the risk of any single Member State agency standing in the way of cross-border enforcement of European citizens’ data rights, as continues to happen with the GDPR.
Another quirk in relation to the Irish DPC is that the unit is not subject to the full range of freedom of information law. Instead the law only applies in respect of records concerning “the general administration of the Commission”. This means that its “supervisory, regulatory, consultation, complaint-handling or investigatory functions (including case files) are not releasable under the Act”, as it notes on its website.
Freedom of information requests filed by TechCrunch last year — asking the DPC how many times it has used GDPR powers to impose a temporary or absolute ban on data processing — were refused by the regulator on these grounds.
Its refusal to disclose whether or not it has ever asked an infringing entity to stop processing personal data cited the partial coverage of FOI law, saying that ‘general administration’ only refers to “records which have to do with the management of an FOI body such as records referring to personnel, pay matters, recruitment, accounts, information technology, accommodation, internal organization, office procedures and the like”.
While Ireland’s FOI law prevents closer scrutiny of the DPC’s activities the agency’s enforcement record speaks for itself.