A dispute between the European Parliament, the Irish data protection officer Helen Dixon and data protectionists from other EU countries has culminated in a scandal. A Dixon hearing scheduled for Thursday was canceled at short notice after Dixon wrote that the hearing was pointless in the planned form and even “perverse”. The German data protection officer Ulrich Kelber rejected Dixon’s allegations as false and misleading in another letter.
Ireland plays a key role in European data protection. According to the General Data Protection Regulation of the EU (GDPR), the Irish data protection authority is responsible for the internet giants Facebook, Google and Twitter, as their EU headquarters are in the country. Outside the island state, however, people are not very satisfied with the work of the Irish Data Protection Commission (DPC), which Dixon heads: The DPC is considered slow and rather generous towards the corporations, which Ireland has also attracted with the help of low taxes.
On Thursday, Dixon should now appear at a hearing in the EU Parliament. However, the responsible committee for civil liberties, justice and home affairs (LIBE) had not only invited them, but also the head of the European Data Protection Committee (EDSA), Andrea Jelinek, and the Austrian lawyer and activist Max Schrems, who complains to the European Court of Justice caused two EU agreements with the USA – Safe Harbor and Privacy Shield – to be overturned.
Hearing format “inappropriate” and “perverse”
Obviously, that wasn’t to Dixon’s taste. The questions she would be asked at the hearing would be filtered “in real time through the known prejudices of these parties,” said Dixon in a letter to the parliamentary committee on Tuesday. Instead of approaching them directly, he wanted to give Schrems another opportunity to “present his well-practiced criticism of my authority.”
This practice was not only “completely inappropriate,” but “with all due respect, perverted,” wrote Dixon, who asked to be questioned by the committee alone. The LIBE chairman Juan Fernando López Aguilar refused – whereupon Dixon canceled her participation.
But that wasn’t all. Dixon had previously taken offense at being criticized by the LIBE committee. In letters from February and March, she criticized the EDSA and colleagues in several EU countries, including the German data protection officer Ulrich Kelber. He responded on Tuesday with a letter that SPIEGEL had received.
Dixon makes statements that “reflect her personal opinion in a very one-sided way” and with which she “is often isolated among the European data protection supervisory authorities,” writes Kelber.
For example, he rejects Dixon’s accusation that the state data protection officer of Hamburg did not pursue early complaints from Schrems. Rather, it is true that after the GDPR came into force in 2018, his office submitted more than 50 complaints to Dixon’s DPC via the WhatsApp messenger service – “none of which have been closed to date,” says Kelber.
Dixon’s allegations that no other supervisory authority apart from their DPC had reacted to the requirements of the ECJ ruling against Privacy Shield and that courts had overturned the German fine concept are also false.
German accusation of being slow
Kelber’s letter culminates in the accusation that Dixon likes to insist on their responsibility for the large Internet companies and thus prevent initiatives by other supervisory authorities. The lack of decisions in these cases “is therefore primarily due to the extremely sluggish processing of cases by the DPC,” said Kelber.
Dixon’s authority is significantly slower than that of most of the other EU supervisory authorities – »especially the German«. At the end of December 2020, Ireland had the European lead in 196 proceedings. A total of four of these have been completed, Kelber says, while the German supervisory authorities alone have ended 52 of their 176 proceedings.
The citizens have the damage of the dispute, as the FDP MEP Moritz Körner criticizes: “The enforcement of the GDPR falls apart live in front of the eyes of all those involved.” He clearly sees the blame on Dixon. The fact that the Irish head of the authorities no longer even wants to face a discussion because of the criticism of the EU Parliament is an “outrageous process,” said Körner. “It shows that the Irish Data Protection Agency’s tentative approach is no accident.”
The lack of enforcement of European law should not be a locational advantage in the internal market, says Körner. “It cannot be that the small medium-sized company adheres to the strict data protection in Germany, but Facebook and Co. have nothing to fear from the Irish data protection authority.”