Datenschützer Kelber bringt neue EU-Behörde gegen Facebook & Co. ins Spiel

Data protection officer Kelber finds the Irish data protection agency's dealings with large tech groups “unbearable”. He suggests a new EU authority as a solution.
The Federal Commissioner for Data Protection, Ulrich Kelber, criticizes the Irish data protection supervisory authority. Source: dpa
Federal Commissioner for Data Protection Ulrich Kelber
The Federal Commissioner for Data Protection, Ulrich Kelber, criticizes the Irish data protection supervisory authority.

Berlin The Federal Commissioner for Data Protection, Ulrich Kelber, has accused the Irish data protection supervisory authority of inaction in dealing with large international digital groups such as Facebook.

Over a year and a half has passed since the entry into force of the uniform European General Data Protection Regulation (GDPR), "without there being a draft decision on major cases such as WhatsApp, Facebook, Microsoft," said Kelber at a European Academy event on Monday evening Freedom of information and data protection in Berlin. "This is unbearable."

Kelber compared the Irish authority to the Federal Motor Transport Authority (KBA). "I sometimes feel the situation of the Irish Data Protection Agency, like that of the Federal Motor Transport Authority in the Dieselgate affair," he said. Both the pressure on her, the resources she has, and her self-image of how she wants to act. "It cannot be that there is no clarification of what is with Facebook, while we have to deal with whether German companies are allowed to operate Facebook fan pages."

The Irish data protection authority is responsible for large tech groups like Facebook across Europe, as these groups have their EU offices there. Hamburg data protection officer Johannes Caspar, who is the contact person in Germany for complaints via Facebook, must report any violations of the GDPR to his Irish colleagues, who will then decide on further measures. Irish data protection officers are considered less strict than their German counterparts.
"We offered to support," said Kelber, "but have not yet received an answer." That is why his doubts grew day by day "whether the one-stop shop can stay as it is, whether it only requires minor corrections or whether you have to take a major radical step". According to the one-stop-shop principle, according to the GDPR, the so-called lead supervisory authority is the sole contact for those responsible and processors for cross-border data processing.

Data protection officer Johannes Caspar: "Significant deficits" in the enforcement of the GDPR
Kelber favors a different process for the future. "Personally, I would also like a system to have a European data protection agency or agency to which the European Data Protection Board can delegate large, cross-border cases with a three-quarters majority," he said. The EDSA data protection committee consists of representatives of the national data protection authorities and the European Data Protection Supervisor.

In order for a new authority to be able to act effectively, according to Kelber, it should be bound by European administrative law and not by national law.

Kelber is not alone in his criticism of Irish data protection officers. The Hamburg data protection officer Caspar recently also criticized "significant deficits" in the enforcement of the GDPR. "The lack of regulatory measures favors dominant companies, which not least consolidate and expand their competitive position with an aggressive data protection policy," Caspar told Handelsblatt. A European digital industrial policy could not succeed in this way. "Innovative companies that use data protection-compatible products and services have no chance in this system."

Like Kelber, Caspar is also convinced that the "massing of the leading control competence with a few authorities at the main European location of these companies" has not proven itself. The head of the authorities therefore calls for “regulations to be created that involve the so-called lead authorities more closely in a European enforcement system”.

"Here, for example, there is a need for other authorities to assume supervisory responsibility if the lead authorities do not submit a draft decision within a certain period of time," said Caspar. It should not be possible for the inaction of an authority across Europe to prevent its enforcement.

More: Data protection violations have been punished with increasing frequency since the new EU rules came into force. The regulatory authorities are also keeping tens of thousands of data breaches in suspense.