This is a short article I wrote for the BEERG (Brussels European Employee Relations Group) weekly newsletter on some interesting recent developments on data protection, particularly the criticisms of the Irish Data Protection Commission. Though unconnected, I had a short Twitter exchange with renowned privacy advocate, Max Schrems, on a related topic, a few days later.
In early December one of the five directors at Belgium’s Data Protection Authority (APD/GBA) resigned, citing the same concerns about a “lack of independence” at the authority which the EU Commission had raised several weeks earlier.
In November VRT (public-service broadcaster for the Flemish Community of Belgium) ran a story saying that the European Commission was commencing infringement proceeding against Belgium claiming that:
some members of the APD/GBA cannot currently be considered free from outside influence, as they either report to a management committee dependent on the Belgian government, have participated in government projects for the detection of COVID-19- contacts, or are a member of the Information Security Committee.
Quitting her role on the APD/GBA Alexandra Jaspar told Belgian media that she was leaving as “I have done everything to prevent the conflict of interests and the lack of integrity, but everyone lets it go. I do not want to be an accomplice in this”, adding that some members of the GBA “wear two hats,” which makes for a conflict of interests when it comes to safeguarding Belgians’ data privacy.
The implications of the Commission’s action against Belgium and the APD/GBA took a twist, (though not an unexpected one for those who have been following GDPR developments), when it came up in Ireland where the Irish Data Protection Commission has been fending off criticisms contained in a letter from a group of MEPs plus claims from the Irish Council for Civil Liberties, that the DPC had reached draft decisions on just 2% of 164 privacy cases referred to it.
Last weekend the Irish DPC dismissed all the claims as unfounded and misinformed, however it is worth noting that the MEPs’ letter – from Dutch MEPs, Liberal Sophie in ’t Veld and Green Party representative Tineke Strik; and Germany’s Social Democrat Birgit Sippel and Left Party’s Cornelia Ernst) – asked why legal proceedings had been launched against Belgium’s DPC “but not against other member states, including Ireland”.
Due to actions like this, and a number of other factors, GDPR is gradually straying from its original purpose: the efficient protection of EU citizens’ persona data and becoming a means to impose hefty fines and penalties on companies, whether there is real culpability, or not.