Is the GDPR failing? If it is, how can it be saved?
The coronavirus pandemic rightly dominates the headlines, including those of the privacy world, but in the background, life goes on. For example, companies operating in the EU are still subject to the GDPR, two years after it first came into operation. But as this blog noted a few months back, there are increasing fears that the law is turning into a paper tiger: impressive in theory, but rather less so in practice. The question is being raised again, prompted by some interesting research carried out by Johnny Ryan, the chief policy officer at the browser company Brave, which places a particular emphasis on privacy. He contacted 28 EU Member State national data protection agencies (DPAs), 17 DPAs in the German states, and 3 other national DPAs, and asked about their staffing levels – particularly how many people they had with technical knowledge. The resulting report provides some troubling details on the state of GDPR enforcement in the EU:
The Brave report shows that only five of Europe’s 28 national GDPR enforcers have more than 10 tech specialists. Europe’s GDPR enforcers do not have the capacity to investigate Big Tech.
Half of EU GDPR enforcers have small budgets (under €5 million). EU governments have not given their GDPR enforcers the capacity to defend their decisions against ‘big tech’ companies in court on appeal.
The UK Government’s privacy watchdog is Europe’s largest and most expensive to run. But only 3% of its 680 staff is focussed on tech privacy problems.
These national agencies are clearly dwarfed by the companies they are supposed to regulate – Google, Facebook, Apple etc. As noted previously here, the situation is most worrying in Ireland, which is effectively the lead privacy regulator for the EU, since the top foreign digital companies have their headquarters in that country. The new report confirms that Ireland is struggling, with the knock-on effect that it has not issued any major fines against online leaders, undermining the credibility of the GDPR not just in the EU, but globally. Indeed, the biggest GDPR fine so far was issued not by Ireland, but by France, against Google. In theory, even companies with turnovers running to tens of billions of dollars per year might think twice about breaking the GDPR, since they can be fined 4% of their global turnover. However, if in practice they are subject to small or no fines, they will simply pay lip-service to the GDPR, while largely ignoring it.
The new report usefully offers practical suggestions as to how the evident problems with the GDPR might be addressed. At the level of national governments, it suggests that more money should be made available in order to recruit specialist tech investigators who can hold digital companies to account. These are needed so that data protection officials can understand the subtleties of digital business. That is hard when the sector is so fast moving, and even harder when regulators struggle with the underlying technology.
Ryan’s report also recommends that national data protection agencies should “pursue adversarial enforcement, and to defend their decisions against expensive legal appeals by Big Tech.” That basically means we need to see some big, high-profile fines to prove that the GDPR is a serious law, with serious consequences for those who break it. Moreover, since big companies routinely try to bury punishments by appealing and swamping underfunded agencies with long legal battles, it’s important that DPAs should be prepared to fight such attempts in court to the bitter end, rather than being intimidated and giving up. If this is not done, even big fines will become moot, since deep-pocketed online giants will just threaten expensive legal proceedings in order to have them reduced or annulled.
At the EU level, the analysis wants to see funding for a central specialist investigative unit to support national efforts – again, to enable officials to monitor, analyze and react to the latest tech developments. The report also suggests that the European Commission should launch infringement procedures against EU Member States if they fail to provide the necessary “human, technical and financial resources, premises and infrastructure” for data protection agencies. It proposes referring countries to the Court of Justice of the EU if they fail to do so, in order to concentrate the minds of national politicians on the need to spend more money supporting DPAs and the GDPR.
Despite the rather depressing figures gathered by Ryan in his report, it is important to put them in context. The EU is a slow-moving beast; it takes time for legislation to be crafted, and for its effects to manifest themselves in everyday life. The hard part was getting the law passed; now that it exists, it will take years more before its full impact is felt. As the head of the Irish data protection agency put it in her most recent annual report:
A new legal framework and one that contemplates very significant penalties, not to mention legal novelty in terms of the ‘cooperation and consistency’ provisions set down, is always going to take time to implement correctly. But have no doubt that intensive work is underway. We currently have: 30 live litigation cases as of the end of 2019
This year may not be make or break for the GDPR, but it could be for its most important local arm, the Irish DPA. If it is still unable to impose serious fines on major Internet companies for privacy violations, it will be time for the EU to look at revamping the way the GDPR is enforced. For example, instead of underfunded local DPAs, it could create a central data protection body with proper funding and real teeth.
Featured image by dimitriwittmann.