Oireachtas Joint and Select Committees

Tuesday, 27 April 2021

Joint Oireachtas Committee on Justice, Defence and Equality

General Data Protection Regulation: Discussion

Mr. Max Schrems:

We have the same experience with access requests. It is impossible for DPAs to figure out what data are available unless they go on premises and take the hard drives out of computers. Otherwise, they would never know what is stored. That is a matter of logic. We have seen other DPAs do that, but we have not seen the DPC do it. For example, we have big cases in regard to Facebook, in respect of which Facebook still does not provide all the data to our understanding.

On the question regarding bypassing, that is definitely a big issue. We are an organisation that does strategic litigation. One of our biggest questions when we file a new case is how can we bypass the DPC. There are different routes and options. There are possibilities with class actions that are coming up in two years and there is a collective redress directive that allows GDPR class actions to be filed wherever the individual claimant is. There is a possibility that the DPAs will no longer see the main establishments in Ireland as main establishments. There are disputes around that. The jurisdiction of the DPC is based on the fact that a big international company claims domain establishment in Ireland. We saw companies, rather randomly, declaring the main establishment in Ireland for one purpose and not for another and going back and forth each year on where their main establishment is. That is then used to dispute that there is a main establishment in Ireland in the sense of decision-making from a GDPR perspective. That then leads to them not having an exclusive jurisdiction of the DPC. We had a case like that in Norway, which was about Twitter to a certain extent and the issue of main establishment. More and more DPAs are saying that they believe that a particular company in Ireland is not a main establishment; it is something else such as a subsidiary and it is not really making any decisions.

On e-privacy, there is now a live debate on how to reform e-privacy without the one-stop shop. If the DPC becomes the one-stop shop for e-privacy as well, the fear is that we will have the same problem that we have in regard to GDPR and so consideration is being given to establishing a different system for e-privacy. I personally am against that because I think it makes sense that the law is consistent and that we trust each other in the European Union, but right now that trust is hard to explain to people in Brussels. In terms of a last bypass, increasingly there is an appetite for an infringement procedure against, in this case, the whole Republic of Ireland.

This is interesting because it is an independent body but that is how EU law works. It would then be basically an infringement procedure against Ireland which the European Parliament, or at least a committee of it, has asked for. It is very likely this vote will go through.

The answer which is much harder to give is as regards the countries where everything works well. The GDPR is something that is very hard to enforce for people and it took a great deal of resources. We saw a great deal of hiring of the good people to the private sector so the data protection agencies, DPAs, were just brain-drained to a certain extent. There are all of these issues.

However, we see countries where, if you look at the numbers, they are definitely more efficient. In Austria we have a huge funding issue but you get your case decided. They even have to decide within six months by law. They do not always make that because they simply do not have the personnel right now but they are at least trying. Spain is quite interesting because they have similar numbers to the Data Protection Commission, DPC - similar complaints numbers, similar budget numbers and similar staff numbers - and there are five to six decisions that are popping out of Spain daily with exactly the same GDPR that needs to be enforced as in Ireland. We had very positive results in Norway. The quality of the staff is very good, as is the decision quality, which is well argued and everybody understands how the decision was arrived at and what it means. It is very likely these decisions will never be overturned because they are very solid.

In Germany certain DPAs are doing quite a good job. Germany has 17 DPAs. Everything is federated in Germany. There we see it is a bit different in each state. For example, Hamburg is usually very proactive. Some of the decisions are, however, pulled back by the courts, which is something the DPC argues regularly, as well, especially on the European level. It is interesting that the commissioner argues that Irish procedural law would hold her back from doing her job, while on the Irish level it is usually argued that it is GDPR, or European law, that is the big problem. It seems on each level of debate, the other level is always guilty of the problem. We see that in some countries the courts are very hard on the DPAs, which is very different from the situation in Ireland where the courts have allowed many decisions to stand, especially in comparison with litigation in other countries. It is a problem in Germany that certain courts try to push back against the idea of privacy.
