The DPC may look to have found its teeth with a €225m fine for Facebook. How it will deal with the lengthy backlog of cases will show whether that’s really the case
For the first time, the DPC flexes its muscle: Last week, the Irish Data Protection Commission (DPC) fined Facebook €225m for failing to comply with transparency requirements on how it uses personal data gathered by WhatsApp and shared across other Facebook platforms. The fine is the second highest in Europe under the GDPR, following the recent one issued by Luxembourg to Amazon (€746m) and could show that the DPC is finally finding its feet in enforcing the GDPR. Up until now, the Irish authority had not come after Big Tech with the exception of a small fine for Twitter (€450k) in December 2020.
The DPC remains under the EU’s watch: It is too early to say whether Ireland will finally live up to the expectations of other data protection authorities in the EU. The fine only got as high as €225m due to the intervention of other EU authorities and the European Data Protection Board (EDPB) – the original proposal was just €50m. This shows that, despite recent criticism, the one-stop-shop mechanism does allow for other European authorities to influence important cases. At the same time, the DPC continues to be under the watchful eye of the rest of the EU due to the growing line of cases still pending. The DPC is funded like a DPA of a large EU country (its annual budget is now €17m, compared to €20m for the CNIL in France and €14m for the AEPD in Spain). However, this may not be enough to deal with all the cases in which the DPC is the lead authority, considering it has made draft decisions in 4 out of 196 cases between 2018 and 2020.
Legal appeals could yet be successful: The Irish decision, as with the Amazon one in Luxembourg, will also have to stand the test of legal challenge. Companies are lamenting the lack of due legal process in how the EDPB reaches its decisions, which influences what individual DPAs do without giving companies the opportunity to comment. Should the European Court of Justice side with Big Tech on this aspect, the dispute resolution process within the EDPB could suffer a significant blow and would need to be redesigned. The appeal also puts on hold any changes to how WhatsApp handles people’s data, which means that it could take years before Facebook complies with the decision.
