The patience of other European authorities is wearing thin, as they believe the Irish Data Protection Commission should be tougher on Big Tech
Discontent against the one-stop-shop has been evident for some time: The one-stop-shop mechanism is a defining aspect of the European GDPR. It ensures businesses only deal with one ‘lead authority’, depending on where in the EU a company has its main establishment, and that multiple data protection authorities (DPAs) do not take on the same case. In practice, this has meant the Irish Data Protection Commission (DPC) deals with all the cases involving Big Tech, which are all headquartered in Ireland. However, the mechanism soon showed signs of weakness, with DPAs from other countries (especially Germany) arguing that intervention against Big Tech was insufficient.
The Hamburg authority tries to force the hand of the EDPB: On 15 July, the European Data Protection Board (EDPB) adopted an urgent binding decision, requiring the DPC to investigate Facebook’s alleged processing of WhatsApp data. The decision followed a request from the Hamburg DPA, which in May this year issued urgent interim measures to stop Facebook from enacting WhatsApp’s new privacy policy. Due to the urgency of the matter, the Hamburg DPA referred it to the EDPB so that final measures could be adopted at EU-level. The EDPB rejected the Hamburg DPA’s request to take final measures against Facebook, saying it lacked evidence as to whether Facebook is already processing WhatsApp data. However, it noted the “high likelihood of infringements” warrants an investigation that the DPC should carry out as a matter of priority.
The Irish DPC needs to act more swiftly: With this decision, the EDPB leaves the DPC the final say on an important Big Tech case, although the pressure on the Irish authority is clearly mounting. The EDPB avoided creating a precedent whereby DPAs from other countries override the power of a lead authority, but the DPC will have to start acting swiftly to avoid further criticism from other regulators. Despite having multiple investigations ongoing into the conduct of Apple, Facebook, Google, and Twitter, the DPC has so far only issued a €450k fine for Twitter in December 2020. In a statement responding to the EDPB’s decision, the Hamburg DPA did not hide its disappointment, noting that the DPC had not been given a deadline to complete the investigation. The days of the one-stop-shop could be numbered if regulators continue to express discontent.
