The divergence between strict legal requirements and poor implementation of the GDPR is significant. One key finding is the reluctance of the Irish DPC1 to take any action against global players like Facebook. Although the Irish DPC has a discretion to choose between different actions, it is similarly bound by the GDPR to take effective measures. If the Irish DPC is in breach of this obligation, a data subject may file for damages pursuant to European public liability law.
1. Liability pursuant to European public liability law
Any natural person can sue a Member State for damages if an organ of the State does not comply with Community law. In this context, the Member State is seen as a single entity. A breach of Community law by any organ – such as the Irish DPC – will be attributed to Ireland.
The ECJ has defined three conditions for the liability of a Member State:
a) the rule of law infringed must be intended to confer rights on individuals;
b) the breach must be sufficiently serious; and
c) there must be a direct causal link between the breach of the obligation incumbent upon the State and the damage suffered by the injured parties.2
This article also evaluates d) the application and e) the limits of European public liability law.
In respect of the facts, firstly it has been proven that Facebook is infringing the GDPR.3 Secondly, the Irish DPC has failed to take effective action against Facebook.4
a) Infringement of rights of individuals
The first requirement of the ECJ is that the rule of law infringed must be intended to confer rights on individuals. The aim of the GDPR is to protect the Right to Data Protection of natural persons.5 In addition, the key task of the supervisory authorities is to
“…enforce the application of this Regulation;”6
Insofar as the Irish DPC is failing to enforce the GDPR against Facebook, which is unlawfully processing personal data, the Irish DPC is failing to protect the Fundamental Rights of the individual. Therefore, the GDPR as the rule of law in question is intended to confer rights on individuals.
b) The breach must be sufficiently serious
The Irish DPC acts with complete independence.7 But the DPC may not act in an arbitrary manner, because the DPC itself is bound by the GDPR.
Pursuant to the GDPR, the key task of the supervisory authorities is to enforce the application of the GDPR.8 Nevertheless, the Irish DPC has a discretion as to what measures to choose in the event of an infringement of the GDPR by Facebook, pursuant to Art. 58 (2) of the GDPR. These measures are inter alia:9
- to issue reprimands to a controller,
- to order the controller to bring processing operations into compliance,
- to impose a temporary or definitive limitation including a ban,
- to impose an administrative fine,
- to order the suspension of data flows to a recipient in a non-EU country.
But the Irish DPC is similarly bound by the GDPR in that the measures to be taken have to
“…be effective, proportionate and dissuasive.”10
In order to fulfil these requirements, the Irish DPC has to document that
- it has taken several measures into consideration,
- it has weighed up these measures, and
- it has chosen the measure which is adequate and effective.11
All three steps are subject to review by the courts. Insofar as the Irish DPC does not provide documentation of this due process, the Irish DPC is acting unlawfully.12
Because Facebook is in breach of the GDPR, the Irish DPC has to take an effective measure. The failure to take any action constitutes a breach of the GDPR by the Irish DPC. Therefore, the breach by the Irish DPC is a sufficiently serious breach pursuant to European public liability law.
c) Direct causal link between the breach and the damage
The third condition imposed by the ECJ is a direct causal link between the breach of the obligation incumbent upon the Member State of Ireland and the damage suffered by the injured parties. If the Irish DPC had chosen effective measures and e.g. had banned the unlawful data processing by Facebook, the infringement of the right of the individual would have been stopped. This failure to act constitutes a cause in a legal sense, because the Irish DPC is legally obliged to take action to enforce the GDPR.13
Therefore, there is a direct link between the breach of the obligation by the Irish DPC and the harm to the data subject’s Right to Privacy. It follows that the data subject has the right to receive compensation from the Irish DPC for the non-material damage to the Right to Data Protection. The right to compensation for non-material damage is laid down in Art. 82 (1) of the GDPR.
d) Application of European public liability law
Because the Irish DPC’s obligation to enforce the GDPR is based on Community law, European public liability law is applicable.14 The ECJ states in its judgement Konle:
“It is for each Member State to ensure that individuals obtain reparation for damage caused to them by non-compliance with Community law, whichever public authority is responsible for the breach…”.15
The independence of the Irish DPC does not prevent Ireland from being liable, because a Member State can be held liable for other independent bodies e.g. for its courts.16
The new aspect of this constellation under the GDPR, which is derived from the role of lead authority17, is that not only nationals but rather also data subjects of other Member States may file claims against the Irish DPC for damages.
e) Limitation of liability
This article does not elaborate on the limits of the Irish DPC’s obligation, e.g. to investigate breaches by Facebook on its own initiative. It does not discuss whether the data subject has a duty to file a complaint against Facebook with the Irish DPC before being granted the right to compensation.18
At least when a data subject complains about a breach by Facebook to the Irish DPC, any other data subject who is directly affected by that complaint may file for damages against the Irish DPC. In light of the nature of the data processing by Facebook, the number of potential plaintiffs and the potential amount of damages are significant.
2. Assessment
Non-contractual European liability law is one of the key principles which have been developed by the ECJ to force Member States to comply with European legislation. Currently, the direction of this instrument has turned to forcing national supervisory authorities such as the Irish DPC to enforce European legislation. Can European liability law motivate national authorities to accord European interests a higher weight than national interests and enforce the GDPR as Community law? Or will poor implementation lead to the conclusion that a European supervisory authority is essential to implementing the GDPR against global players like Facebook?19
2 ECJ C-5/94, 23 May 1996, Hedley Lomas, mn. 25
3 See inter alia German Federal Antitrust Authority (Bundeskartellamt), press release: https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html?nn=3591568;
OLG Hamburg, press release: https://justiz.hamburg.de/aktuelles/10550476/pressemitteilung/
4 See inter alia: OPINION OF ADVOCATE GENERAL SAUGMANDSGAARD ØE, C-311/18, 19 December 2019, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, pages 45 and 46
5 According to Art. 1 GDPR and Rec. 2 GDPR
6 According to Art. 57 (1) (a) GDPR
7 According to Art. 52 (1) GDPR
8 According to Art. 57 (1) (a) GDPR
9 According to Art. 58 GDPR
10 According to Art. 83 (1) GDPR
11 OPINION OF ADVOCATE GENERAL SAUGMANDSGAARD ØE, C-311/18, 19 December 2019, Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, pages 45 and 46;
Principles of discretion in German Administrative Law: Steffen Detterbeck, Allgemeines Verwaltungsrecht mit Verwaltungsprozessrecht, 17th edition, Munich 2019, 4. Grenzen des Ermessens und gerichtliche Kontrolldichte, mn. 324 ff.
12 Principles of discretion in German Administrative Law: Steffen Detterbeck, Allgemeines Verwaltungsrecht mit Verwaltungsprozessrecht, 17th edition, Munich 2019, 4. Grenzen des Ermessens und gerichtliche Kontrolldichte, mn. 324 ff.;
in a specific situation the Irish DPA has no discretion at all, because only one specific measure is adequate and effective. E.g. if the infringement by the controller is very serious, the only adequate option for the Irish DPC is banning the respective processing.
13 According to Art. 57 (1) (a) GDPR
14 ECJ C-352/98 P, Laboratoires pharmaceutiques Bergaderm SA, 4 July 2000, mn. 42
15 ECJ C-307/92, 1 June 1999, Konle, mn. 62
16 ECJ C-224/01, 30 September 2003, Köhler
17 According to Art. 56 GDPR
18 This requirement is a prerequisite in German public liability law
19 EDPS (European Data Protection Supervisor) calls for a centralised regulator; https://www.euractiv.com/section/data-protection/interview/top-eu-privacy-watchdog-wants-centralised-regulator-with-muscle-to-police-firms/