Few would deny that Europe’s privacy regulation, the GDPR, has been hugely influential; significantly affecting how businesses handle customer data, casting a spotlight on the need for improved enterprise data security, and inspiring efforts at similar legislation globally.
Yet 24 months after the law took effect on May 25, 2018, critics say enforcement is deeply patchy, with Ireland’s Data Protection Commission (DPC) — the lead supervisory authority for many US tech giants’ EU operations — yet to issue a single GDPR fine against a private-sector company.
That is despite the DPC reporting 7,215 complaints in the first year of the legislation and having over 130 staff (a headcount that pales into insignificance alongside the resources of some of the world’s tech giants).
In the UK, meanwhile, the Information Commissioner’s Office (ICO) has kicked huge planned fines against the Marriott hotel group and British Airways into the long grass, with little sign that the businesses — both of which suffered huge data breaches — will actually have to pay up.
How long can regulatory bark keep exceeding regulatory bite before businesses stop taking GDPR seriously? Critics say it is an open question, and that Data Protection Authorities (DPAs) need to step up if the regulation is to carry real weight.
Many are calling for urgent action, including by the European Commission, as investigations into complaints against some of the biggest blue chips drag on seemingly interminably, and some EU member states allegedly abuse GDPR to curtail civil liberties [pdf, p. 17] and investigative journalism.
GDPR at Two: A “Chocolate Teapot”?
Poor resourcing is blamed by some for limited enforcement.
As non-governmental organisation Access Now puts it in a new report today (which finds that from May 2018 to March 2020, authorities levied 231 fines and sanctions under GDPR), DPAs are “crippled by a lack of resources, tight budgets, and administrative hurdles.”
Its GDPR anniversary report found that out of 30 DPAs from all 27 EU countries, the United Kingdom, Norway, and Iceland, only nine said they were happy with their level of resourcing.
The NGO said: “The inadequate budget provided to DPAs means that our rights may not be effectively protected. In fact, it may create a negative incentive for DPAs investigating large tech companies to agree on settlements that may be more favourable to the companies.”
Estelle Massé, Senior Policy Analyst and Global Data Protection Lead at Access Now added: “The European Union may have the best law in the world for the protection of personal data, but if it is not enforced, it risks being as useful as a chocolate teapot.”
GDPR at Two: Schrems Calls for Judicial Review
Yet others argue this is a poor excuse for inaction.
One of the most vocal critics of perceived regulatory inertia is Austrian lawyer Max Schrems, whose privacy advocacy NGO Noyb today in an open letter [pdf] urged EU authorities to “take action” against the Irish Data Protection Commission for its slow investigations.
Noyb also says it will sue for judicial review of the DPC’s Facebook, WhatsApp and Instagram investigations, saying that “despite extremely high costs, we want to use all possible options within the Irish legal system to overcome the inaction by the Irish DPC.”
(Two years on from Noyb’s complaints against Facebook, WhatsApp and Instagram, the Irish DPA appears a long way from a draftdecis
Schrems said: “Many DPAs are frustrated with situations like in Ireland, but only calling them out is not enough. They also have to use the tools that the GDPR foresees.”
(GDPR’s Article 66 urgency procedure allows a DPA to adopt provisional measures in its own jurisdiction and to ask the European Data Protection Board (EDPB) for an urgent opinion or binding decision when another DPA is not acting.)
Noyb today urged the European Commission and member states to ensure that: “DPAs should, at least informally (for example in a Memorandum of Understanding) clarify timelines for each step of a cooperation mechanism and other practical questions that may not be defined in the GDPR…
“DPAs should adopt interim measures or ask the EDPB to adopt a decision under Article 66 GDPR in order to provide an effective redress whenever investigations or decisions take too long.”
Ultimately, Schrems’ organisation notes today: “Member States and DPAs should also streamline their procedures in order to achieve better harmonisation and facilitate cross-borders cases.”
Matt Lock, Technical Director UK at data security firm Varonis, noted in an emailed comment that the COVID-19 lockdown was no time to drop the ball on enforcement: “Many companies took the GDPR seriously and made great progress ramping up their data protection measures. Reports that the ICO isn’t taking forward any cases and delaying current ones send the message that regulators have pressed pause for the time being.”
He added: “It’s reasonable to expect some lag time as regulators and companies re-assess their priorities during the COVID crisis. Ignoring data protection in the short term only opens the door to long term issues.”
Noyb meanwhile is urging the Irish DPC to “fundamentally streamline its procedures, ensuring that complaints under Article 77 GDPR lead to decisions within a matter of months – not years.”
With member states facing no shortage of other issues, not least the devastating economic impact of prolonged lockdown periods, enforcement of dense and broadly interpreted data privacy legislation may not be top of the agenda.
That said, many are closely awaiting the outcome of the European Commission’s high-profile two-year review — publication, expected in April, was inexplicably delayed until June. Expect calls for closer regulatory alignment, and for more aggressive timelines for investigations.