Tech & Sourcing @ Morgan Lewis


The European Union’s General Data Protection Regulation (GDPR) requires companies to monitor and comply with some of the strictest privacy laws in effect. Now, the European Commission is refocusing efforts and oversight on ongoing investigations under the GDPR. Going forward, companies may want to focus even more intently on their compliance as the EU steps up investigatory procedures.

In December 2022, the ombudsman released its decision after completing its review of the European Commissions and Irish Data Protection Commission’s handling of GDPR enforcement on big tech. In summary, the ombudsman initially inquired whether the European Commission had adequately collected factual elements allowing it to properly monitor GDPR implementation in Ireland. The ombudsman reviewed and noted that among other responses, the European Commission stated that it receives bi-monthly overviews of investigations of “big tech” from the Irish Data Protection Commission. The ombudsman ultimately decided that the European Commission was acting in line with good administration; however, the ombudsman provided suggested improvements to the current system and process.

The ombudsman review and suggestions have led to changes to GDPR enforcement with a focus on progressing investigations of potential non-compliance in the big tech sector. The changes are aimed at progressing investigations into large tech company cases which have continued for years with no outcomes or results. The European Commission has expanded the review requirements to the data protection supervisory authorities of all EU member states (beyond just Ireland’s Irish Data Protection Commission).

The Commission will require all such supervisory authorities to provide reports every two months on current cases or investigations under their control which involve the large-scale cross-border investigations under the GDPR. Each report will be required to include certain key details, including:

  • Case number
  • Controller or processor involved
  • Investigation type
  • Summary of the investigation
  • Data protection authorities’ concerns
  • Key process steps to take and the dates of such
  • Investigatory measures or any of the measures taken and the dates of such

It is important to note that the reports provided to the European Commission will be delivered on a strictly confidential basis. To that extent, the consumers or persons the GDPR is aiming to protect will not know until information is specifically released to the public the status of (or even if there is) an ongoing investigation into a big tech company or otherwise with which the consumers or persons may have shared data.