Two years may have passed since enforcement of the European Union’s data privacy regulation began, but regulators are just wrapping up the first wave of investigations. Change comes slowly in the realm of data privacy, and it is still too soon to assess the regulation’s impact or effectiveness.
The General Data Protection Regulation (GDPR) gave European regulators the authority to issue heavy fines—up to €20 million ($22.8 million), or up to 4 percent of the organization’s annual worldwide revenue—to organizations found violating the law. However, there have been only two major fines under GDPR over the past two years: the French data protection authority CNIL’s €50 million ($54 million) fine on Google over Android, and the United Kingdom Information Commissioner’s Office’s £183 million ($221 million) fine on British Airways.
While there have been thousands of complaints against big and small companies, there haven’t been as many major cases against technology titans, especially those companies that operate in multiple countries. There are signs that will soon change, as Irish data regulators are expected to announce several decisions soon. The Irish DPC last week submitted a draft decision to other European data commissioners regarding one of the investigations into Twitter on whether the social media company notified the supervisory authorities quickly enough after a data breach, and whether it effectively documented the details.
“This own-volition inquiry was commenced by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR,” the DPC said in a statement.
The regulators from other countries have a month to consider the draft decision and lodge “reasoned and relevant objections” if they disagree with the DPC. Disagreements would be resolved by the European Data Protection Board (EDPB). The final decision for this case is expected this summer.
The bulk of the investigations into technology companies fall under Ireland’s jurisdiction because European rules specify that complaints are handled by the country where the companies have their European headquarters. Ireland’s privacy watchdog, the Data Protection Commission, is currently juggling 23 investigations into Apple, Facebook, Google, LinkedIn, Tinder, Twitter, and Verizon. There are two investigations into Apple, eight into Facebook, two into Google, one into Instagram (owned by Facebook), three into Twitter, and two into WhatsApp (owned by Facebook).
Irish regulators have sent a preliminary draft decision to WhatsApp, which gives the company a chance to provide additional information for the regulators to consider before coming to a decision on whether WhatsApp was being transparent around what information is shared with parent company Facebook. The DPC also said it had completed its inquiries into how Facebook processes personal data (the complaint was filed in May 2018) and was in the process of making a decision. And finally, the commission sent draft inquiry reports to all parties involved in two other cases with WhatsApp and Instagram.
"In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken into account by the DPC before preparing a draft decision in that matter also," Deputy Commissioner Graham Doyle said.
Antsy About GDPR
The news that Ireland is moving forward with some of the investigations is a welcome one, especially with GDPR's second anniversary prompting some activists, business leaders, and regulators to wonder about its success in regard to improving consumer privacy. Privacy activist Max Schrems, the honorary chair of advocacy group noyb, criticized the DPC for not issuing “a single fine under the GDPR against a private actor, despite reporting 7,215 complaints in 2019” in an open letter to EU data regulators. The French CNIL took seven months to fine Google over a lack of transparency in how Android handled data for behavioral advertising, and the DPC was still months away from a final decision in any of the cases against technology companies, Schrems said. “After two years, we feel that the time has come to shine light on the shortcomings of GDPR enforcement as we experience in Ireland and trigger a public debate,” he wrote.
Ireland’s DPC said “procedural queries” had delayed decisions on some of these cases, which was why the investigations were moving so slowly.
The letter from Schrems doesn’t address the fact that Ireland’s DPC has to shoulder a heavy workload because of the sheer number of technology companies headquartered in Ireland. The DPC is also woefully underfunded and understaffed: the 2020 budget is only €16.9 million ($18.5 million), compared to the UK ICO’s €61 million ($66.8 million) and French CNIL’s €20.8 million ($22.8 million). The Irish commissioner, Helen Dixon, said she was “disappointed” the government had allocated “less than one third of the funding” the DPC had requested.
“Europe’s GDPR enforcers do not have the capacity to investigate Big Tech,” was the conclusion Brave, a privacy-focused web browser, drew after analyzing the budgets of various European data protection authorities.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Johnny Ryan, Brave’s chief policy & industry relations officer. “Robust, adversarial enforcement is essential.”
Ireland isn’t the only one with a small budget investigating tech firms. The authorities in the Netherlands are still investigating Netflix, and Luxembourg has yet to issue a single enforcement notice against Amazon and PayPal. Luxembourg’s watchdog agency has a €5.5 million ($6 million) budget, and just 43 employees.
A report from Access Now said European data protection authorities can’t effectively enforce the regulations due to a lack of resources, tight budgets, and administrative challenges. The number of data protection staff has not increased significantly, and most countries said they didn’t have sufficient resources.
“Companies could leverage DPA’s lack of resources, using it to get around the application of the GDPR, or at least significantly delay its effect,” Access Now warned in the report.
The European Commission’s progress report on GDPR is expected in June. While there are many who feel that the slow pace of enforcement means the regulation is due for reform, the European Commission is more likely to reiterate that GDPR is supposed to be a journey, and not a quick fix. It takes time to establish procedures for investigations, set up enforcement mechanisms, and figure out how the appeals process would work. The last thing regulators would want is to overlook something during the investigation which could result in decisions being overturned during the appeals.
“The GDPR has changed the landscape in Europe and beyond. Nonetheless, compliance is a dynamic process and does not happen overnight,” Věra Jourová, the European Commission’s vice-president for values and transparency, and Didier Reynders, the commission’s Commissioner for Justice, said in a statement marking the anniversary.
Regardless of how actual enforcement has been under GDPR, Europe's data privacy law has changed the conversation within governments around the world and for all businesses. While its effects are specifically for Europe, it is being used as a blueprint for other countries as they develop their own privacy laws. Countries around the world—such as Argentina, Brazil, Chile, India, Japan, Kenya, and South Korea, to name a handful—have some variation of the law on the books. While the United States still doesn’t have a federal law, several states have started the process to carve out their data privacy regulations.
From a business standpoint, GDPR is about compliance, but it has also forced businesses to “become more aware of the importance of data protection,” Jourová and Reynders said. They can't just skip over the questions or the requirements in the rush to get to market. It would be hard for an organization to claim it cannot comply with GDPR at this point, as it had two years after the law went into effect to figure out what needed to be done, and two years of enforcement to refine its data storage, use, and collection processes.
While fines happen to be the most obvious way GDPR can force organizations to be careful with consumer data, they aren't the only tool available to regulators. In fact, fines are the easiest part of the enforcement. Google’s €50 million fine is a minuscule fraction of its annual revenue. But if the regulator decides companies have to change their business models, to temporarily or permanently stop data collection, that is a significant business disruption. Article 5 of the GDPR stipulates that companies cannot use the data for anything other than the purpose for which it was originally collected, and if regulators decide to block certain products or services, the companies would have to make significant changes to their products.
People outside Europe have benefited from the privacy protections because companies realized that it didn't make sense to maintain separate privacy policies and procedures based on the user's country of residence.
“Within two years, these rules have not only shaped the way we deal with our personal data in Europe, but have also become a reference point at global level on privacy,” Jourová and Reynders said.