Judicial Review against DPC over slow procedure granted

Jul 06, 2020

In the complaints procedures concerning WhatsApp and Instagram, both based in Ireland, the Irish Data Protection Commission (DPC) has taken 2 years only to produce a first "Draft Inquiry Report". This is only the first of six steps in an urgent GDPR case before arriving at an actual decision. After multiple exchanges with the DPC, noyb.eu was granted leave by the High Court today for a Judicial Review of the DPC’s procedure on behalf of two complainants.

Complaints on 25 May 2018. Within the first hours that the GDPR became applicable, noyb.eu filed four complaints on behalf of individual users. While one complaint against Google was handled by the French regulator (CNIL) within months and lead to a fine of €50million, the other complaints were forwarded from Austria, Germany and Belgium to the Irish DPC, where they are still being "processed".

Instagram and WhatsApp. While there is some (slow) process in a complaint filed by noyb.eu against Facebook, the two cases on Instagram and WhatsApp have only seen a first "Draft Inquiry Report" after two years. Five further steps are necessary before the concerned users can receive a final decision on their fundamental rights. The DPC was unable to give any timeline when these steps should be completed. Previous deadlines were regularly not met.

Gerard Rudden of ARQ Solicitors, representing noyb.eu: "In these proceedings, noyb.eu is seeking a Declaration that the DPC has failed to carry out an investigation into the complaints within a reasonable period, as they are obliged to do. The DPC have adopted, in noyb.eu’s view, an unnecessary and cumbersome six step procedure in relation to these complaints. In the two years since the complaints were filed, they have only completed the first step."

Judicial Review. Today noyb.eu was granted leave by the Irish High Court to challenge the DPC on this extremely slow procedure that de facto deprives Europeans of their rights under the GDPR when they file against a company that is based in Ireland and therefore "regulated" by the DPC. The review will not delay the procedure further, but will be carried out in parallel to these cases before the DPC.

Max Schrems, honorary chairperson of noyb.eu: "Soon after the GDPR came into force it became obvious that the DPC is acting as a bottleneck for Europeans' right to privacy. The procedure is Kafkaesque and seems to be almost designed to delay user complaints for years and thereby protect US multinationals that are headquartered in Ireland. We are happy that the Irish High Court will now review this structural problem."

Delayed translations and missing documents. Even the result of this first step cannot be processed by noyb.eu, as the relevant authorities in Germany and Belgium have not provided a translation to German and French. In addition, it appears that the DPC has not even provided all relevant document to its European counterparts, who in turn cannot provide the necessary documents to the complainants. Other documents were held back by the DPC for more than a year, further delaying the cooperation between DPAs.

Schrems: "Even if the DPC has now performed a first of six steps, we are still lacking documents from that first step. Even the documents that we did receive, we did not receive in the legally required languages. Under the procedural law we have to receive and file the documents in the national languages - even if we would be happy to file everything in English. It seems that these DPAs in turn wait for documents from the DPC. We reject any suggestion by the DPC that these additional delays are caused by us. Instead the DPC has delayed the forwarding of documents for years and has failed to organise translations with its European counterparts."