
Ares(2023)703075 - 31/01/2023
COMMISSIONER DIDIER REYNDERS
VISIT OF COMMISSIONER REYNDERS
LOCATION: DUBLIN
DATE AND TIME: THURSDAY & FRIDAY 24-25 NOVEMBER 2022
MEMBERS RESPONSIBLE:
Table of Contents
Meeting with the Parliamentary Committee on EU Affairs
Bilateral meeting with Helen McEntee, Minister for Justice, and James Browne, Deputy Minister of Justice (Minister of State at the Department of Justice)
Meeting with Data Protection Commissioner, Helen Dixon, and then with the staff of the DPA

Data protection
• Let me now address a field which I know is of great importance in Ireland, namely data protection. Since the General Data Protection Regulation (the ‘GDPR’) came into force, cooperation in cross-border cases between the Data Protection Authorities (the DPAs) has become daily practice.
• DPAs are working closely, providing mutual assistance to each other in many cases. Strong and swift enforcement is crucial for ensuring a consistent interpretation of the GDPR all over Europe.
• Ireland plays a pivotal role as lead supervisory authority for the enforcement of EU data protection rules as regards big tech multinationals, as many of them have their European headquarters established in your country.
• Concerning big tech multinationals, several decisions have been taken in 2021 and 2022 resulting in fines of around 1.5 billion EUR.
• We have consistently called on the data protection authorities to step up their enforcement efforts. We welcome that several enforcement actions by the Irish Data Protection Authority against big tech multinationals are being finalised. We encourage the DPC to continue making progress to dispel the negative narrative about the enforcement model of the GDPR, which gives the wrong impression that the GDPR is not properly enforced.
• In this context, we welcome the additional resources allocated to the DPC, notably the increase in the staff and funding.
Bilateral meeting with Helen McEntee, Minister for Justice, and James Browne, Deputy Minister of Justice (Minister of State at the Department of Justice)
[Data protection]
• The Commission attaches utmost importance to the enforcement of the GDPR. As you know, the governance system put in place by the GDPR is based on independent data protection authorities, with strong and harmonised enforcement powers.
• When monitoring the implementation of the GDPR, a key task of the Commission is to make sure that Member States enable their data protection authorities to make use of all their powers. The Commission will act against any Member State in case of a systemic failure to act by its independent authorities.
• The Commission welcomes the additional resources allocated to the Data Protection Commission (DPC), notably the increase in staff and funding. This is of particular importance given the pivotal role of the DPC as lead supervisory authority for the enforcement of GDPR by big tech multinationals.
• The European Data Protection Board has transmitted to the Commission a list of administrative procedural aspects that could be further harmonised at EU level. We will work on a targeted legislative initiative to address the request of the EDPB to ensure a better and smoother cooperation between DPAs.
• This should improve the handling of cases and be beneficial for citizens.
• The Commission has announced in its Work Programme for next year that we will come with a legislative initiative concerning the procedural aspects of handling of cross-border cases. In this context, the EDPB “wish list” will feed into the Commission reflection on how to support DPAs in dealing with cross-border cases, notably concerning big tech multinationals.
Meeting with Data Protection Commissioner, Helen Dixon, and then with the staff of the DPA
Bilateral with Helen Dixon
• I welcome the recent progress in the enforcement by the DPC, in particular:
- the €405 million fine imposed on Instagram in September, following the €225 million fine imposed on WhatsApp in 2021;
- the submission to the EDPB of 4 draft decisions under the cooperation mechanism concerning TikTok, Meta Platforms and Yahoo;
- the submission to the EDPB of 3 draft decisions to the dispute resolution mechanism on the legal basis for processing, regarding respectively Facebook, WhatsApp and Instagram.
• We are aware of the challenges faced by the DPC as regards enforcement of the GDPR as regards big tech multinationals, in particular the complexity of the investigations regarding big tech multinational companies and that they take time, especially since most of them will be attacked in courts.
• It is essential for the DPC to sustain its efforts, given the particular situation of the DPC as lead supervisory authority for a large number of big tech multinational companies in the EU. It is key to ensure proper enforcement and to show tangible results, if we want to preserve the credibility of the enforcement model provided for the GDPR, which relies on national independent authorities, and if Ireland wants to preserve its credibility as hosting Member State of the main tech companies in Europe.
• Recently the Commission announced that we will propose a legislative initiative in 2023 (before summer in principle) concerning a targeted harmonisation of procedural aspects of handling cross-border cases. In this context, the Commission will take inspiration from the “wish list” of procedural issues adopted by the EDPB in October.
• I would be interested to receive an update on pending investigations by the DPC, especially against big tech multinationals. And more generally on your work, also as regards cooperation with other DPAs, within the EDPB, and your contacts with other stakeholders, including the European Parliament.
• I welcome your efforts to regularly inform the Commission, in particular on large scale inquiries.
• You can count on my support to ensure enforcement of the GDPR vis-à-vis big tech companies. I followed in particular with great interest the recent Twitter developments. When I met them, I stressed to them the need to comply with EU rules and to cooperate with you.
• You can ask Ms Dixon to update you on this recent case and their findings.
Fireside chat between DP Commissioner Helen Dixon and Commissioner Reynders with audience of 30 senior staff from DPC
1. Helen Dixon (HD): Commissioner Reynders – we’ve now passed the 4-year mark in terms of application of the GDPR and the EU Commission will be gearing itself up for the evaluation and review it must report to Parliament and Council on in 2024 under Article 97 GDPR in terms of the functioning of the GDPR. What is your own sense of how the first 4 years have gone?
• There is more and more evidence of the benefits that the GDPR brought to people. Citizens are more aware of their rights.
• Many important cases have been decided by national Data Protection Authorities. And we see an increase of GDPR enforcement against the big tech, with a rise in terms of number of cases and of effective sanctions. The Luxembourg DPA 746 EUR million fine on Amazon; the DPC fines: 225 EUR million on WhatsApp and 405 EUR million on Instagram. And I know that other enforcement actions by the DPC against big techs are in the process of being finalised.
• Nevertheless, the enforcement against the big tech continues to be criticised, even if it has increased. It often refers to the alleged inaction of Data Protection Authorities (DPAs), including the DPC. We know that investigations of complex cases, notably involving big tech, require time. We have seen this also in other fields like competition.
• There is some time needed to get the system up and running. There is of course still margin for improvement, but we are certainly moving in the good direction.
• The cooperation between DPAs needs to be improved. The lack of harmonisation of the national procedures in cross-border cases was identified by the DPAs themselves as one of the main challenges.
• This is why we will present a legislative initiative on this next year, to facilitate cooperation among DPAs and speed up the process.
• The independence and ability of the DPAs to make effective use of their powers is important for enforcement. The Commission monitors this closely and launched several infringements against Member States.
• I am glad to see that some Member States, like Ireland, have increased the staff and funding for their DPAs and hope that other Member States will do the same.
• The Court of Justice of the EU is looking at key concepts of the GDPR in the context of preliminary rulings. The decisions of the Court will bring further clarification on the interpretation of the GDPR.
• Last, but not least, let me briefly mention the international dimension. There is a growing number of countries across the world, from Latin America to South Korea, who look at the GDPR as a model for their privacy legislation. Recently I met the Kenyan Commissioner for Data Protection who came to Brussels with her staff to join our Data Protection Academy. She told me how important data protection is for their society and their economy and that this is a key interest also for other African countries.
• To sum up, I would say that the GDPR is a success story overall, but with still some margin of improvement. In addition, we should not lower our attention to ensure compliance. We should not take anything for granted, as your intervention in the Twitter case shows.
HD: One of the particular areas the EU Commission must evaluate is the
operation of the one-stop-shop. Despite the results produced by the Irish DPC,
there are many who nonetheless agitate for a centralised enforcement of data
protection law vis-à-vis the very large online platforms. How do you see that all
panning out? Do you think direct accountability by the enforcers (LSAs, DPAs)
to the European Parliament (say via the LIBE committee) form any part of the
assessment for potential change to the one-stop-shop?
• The one-stop-shop mechanism is the equilibrium found by the co-legislators between proximity and the need to preserve the functioning of the single market.
• The proximity principle ensures that, in case of problems, citizens can easily address a DPA that speaks their language and knows the context. On the other hand, the digital services and the digital economy is cross-border by definition. Therefore, there is a need to ensure cross-border enforcement and coherent enforcement action.
• For this, an enhanced cooperation between DPAs for cross-border cases is essential. DPAs have to embrace their differences to the extent necessary and work towards mutually acceptable solutions.
• The Commission supports the preservation of the one-stop shop mechanism and does not share calls for centralisation.
• We consider that our upcoming proposal on the procedural aspects of cross-border cooperation will facilitate the cooperation between DPAs and will reinforce the European dimension without changing the system.
• We will look again at the functioning of the system during the next evaluation of the GDPR.
HD: At every conference the DPC speaks at, the issue of EU to USA data
transfers is a source of stress for data protection professionals in organisations.
What are your expectations for what will happen next in this space?
• As you will remember, in March an agreement in principle was announced by the EU and the US to put in place a successor arrangement to the Privacy Shield.
• Since then, we have worked hard with the US to translate this announcement into legal texts.
• This work led to the signature by President Biden of an Executive Order in early October. On that same day, the US Attorney General adopted a Regulation to implement certain aspects of that Executive Order.
• On that basis, we will propose before the end of the year a draft adequacy decision. As you know well, to be adopted, that decision needs to go through a multi-step process that involves – as a first step – an opinion of the European Data Protection Board. As you are on the “front line” of EU-US transfers, the contribution of the DPC to that opinion will be very important.
• Concerning the timeline for this process to be completed, if we look at recent precedents, 6 months appear a realistic forecast. This would mean that the adequacy decision could be adopted in the course of spring 2023 – provided of course that all the safeguards would in the meantime have been effectively put in place by the US.
• Importantly also for your work, we have negotiated these safeguards on national security access to data so that, once they will be effectively in place on the US side, they will benefit all EU-US transfers under the GDPR, regardless of the transfer mechanism used (so not only those on the basis of the future adequacy decision but also under SCCs, BCRs etc.).
• Finally let me say a very few words on the substance of the agreement we have reached with the US.
• In carrying out these negotiations, I was very clear that for the EU the Schrems II judgment was our “mandate”. This is reflected in the outcome which, I think, is not just a further evolution compared to first the Safe Harbour and then the Privacy Shield – it is a significant improvement of the situation, a change of paradigm.
• For the first time, we have binding requirements on the US side that do not just refer to necessity and proportionality, but spell out what is meant by those principles when intelligence agencies have to decide whether and to what extent they need to collect data.
• And these safeguards will be invokable before a redress body whose independence is protected and which will be equipped with binding investigatory, adjudicative and remedial powers. Even the most critical voices admit that this is very different from the Privacy Shield Ombudsperson.
• Of course, questions around the balance between national security and privacy are always complex. The Court of Justice will probably have to again pronounce itself on that issue, including in the context of international transfers. I don’t want to speculate on what the Court may decide but we believe that, in case this new arrangement will be challenged, we will be able to credibly defend it against the Schrems II requirements.
HD: The EU Commission has added to its work programme that it will seek to
harmonise procedural aspects of cross-border GDPR regulation. Can you give
us any insights as to what this will look like – will it be an EU legal instrument
that hangs off GDPR with specific procedural rules pertaining to GDPR and
what kind of timeline might be involved.
• We have started our internal work on the procedural aspects of the enforcement of the GDPR in cross-border cases. This work is inspired by our own findings in the GDPR evaluation report and by the work carried out by the EDPB.
• We are reflecting on which types of procedures can be harmonised at EU level. There are three layers:
o national procedures (admissibility/handling of complaints);
o procedures governing pre-EDPB interactions between DPAs (cooperation mechanism) and
o EU-level procedures in the EDPB (dispute resolution).
• Our objective is to enhance the harmonisation of national administrative procedures. We are looking for the most appropriate instrument that can supplement the GDPR to achieve it. We do not plan to re-open the GDPR itself.
• It will be therefore a targeted legislative intervention.
• We could expect it before summer next year.
HD: A vast majority of the cases the DPC deals with lodged by NGOs relate to
issues pertaining to the advertising technology sector. The GDPR does not
outright ban targeted advertising; nor indeed does the new Digital Services Act
other than for children. And yet NGOs want the “business model” dismantled.
What in your view are the reasons why the EU might not want to explicitly and
outright ban this activity that some dub “surveillance capitalism”?
• The GDPR acknowledges direct marketing as a legitimate activity.
• Targeted advertising is currently the most common form of advertising. When a company uses targeted advertising that relies on processing of a large amount of personal data, it must make sure that the processing is lawful. The individuals must be informed about the use of their data and must be presented with an option to object to it; the use of data must also be fair, transparent and comply with data minimisation (data protection principles). Practices that do not comply with these rules must be sanctioned. The Commission is following with interest the current discussion at the EDPB and the progress of the cases in front of the Court of Justice of the EU.
• The Commission is also taking action when there is an identified need to further limit data processing in a specific area. For instance, we proposed to limit the use of sensitive data for targeted political advertising, because of the risk for democracy.
• To address online advertising practices by large platforms, we agreed to limit personal data that can be used for targeted advertising in the DSA.
• We are also seeing voluntary initiatives by the industry. The advertisers have agreed on codes of conduct on how to target individuals. Market participants, such as Google, Mozilla or Brave are exploring alternative advertising practices that soon could replace the most intrusive targeted advertising. We thank the DPC for involving the Commission in their discussion with Google about the Privacy Sandbox.
• The Commission is considering further engagement with the stakeholders in a form of non-legislative initiative. In particular, the Commission is exploring the possibility of a pledge by companies concerning the use of cookies.
• The Commission does not think that currently we should introduce a general ban of targeted advertising.
HD: The GDPR is frequently and in my mind reasonably referred to now as the
“Law of Everything”. It spans to cover all types of processing and it sets no
threshold over which a complaint must reach to be lodged with a DPA.
Consequently we receive a lot of complaints where no significant risk to rights
and freedoms is exposed. Former advocate general Bobek of the CJEU called
out this almost limitless reach of GDPR and suggested the courts or legislature
may have to rein it back in somewhat. What is your view on the expanse of the
GDPR as a “Law of Everything”?
• The GDPR is a horizontal legislation. But it does not cover everything and it is not the only instrument - for example, for law enforcement we have the data protection Law Enforcement Directive. In some cases, the GDPR itself allows to have more specific data protection rules, such as employment.
• It is also important to note that many pieces of EU legislation are building on the GDPR to, for instance, restrict the processing of personal data (such as the AI Act for remote biometric identifications, the political advertisement proposal, the DSA, etc.).
• We are aware that DPAs receive a lot of complaints. This has led several DPAs to put in place administrative practices to cope with the number of complaints. Such practices should not have negative effect on the individuals.
• The GDPR does not allow the DPAs to choose whether the complaint should be handled, as protection of personal data is a fundamental right. However, the GDPR allows DPAs, for instance, to solve some complaints quickly through the so-called amicable settlements.
HD: How is Belgium doing in the World Cup? The DPC moderated and
participated in a panel at IAPP in Brussels last week on the issues of collection
of large amounts of performance data on soccer players. What’s your view on
the amount of performance, health and movement data collected on the pro
players?
• If the performance and movement data relate to individual players, it constitutes personal data. It could allow for conclusions about their health condition. Health data merit specific protection and the processing of such data is prohibited.
• We know that players’ health data can be used for different purposes. For example, processed for anti-doping violation. The publication of sanctions for anti-doping violations is a common practice. It ensures the awareness of all relevant stakeholders of the fact that a player is banned from sport competitions anywhere in the world.
• However, such practice must also be in line with the GDPR. The publication of individual sanctions must be proportionate and necessary. This question is now with the Court of Justice. We await its assessment.
HD: Open up Q&A to staff.