Top EU data protection agency under pressure to act against Internet giants as GDPR turns 2 years old

Posted on May 27, 2020 by Glyn Moody

A few weeks ago, this blog noted that there were questions hanging over the GDPR, not least the fact that no major fines had been issued against top Internet companies. The GDPR has just passed the two-year mark, and many have taken the opportunity to weigh in on this issue. For example, the data protection agency in Ireland, which would be responsible for issuing fines against the main online players, has just written a post on its GDPR enforcement plans. It says that the country’s Data Protection Commissioner (DPC) has submitted a draft decision about a Twitter data breach to the other data protection authorities in the EU, as it is required to do under the GDPR. This means a public statement on the case should follow fairly soon.

Perhaps more interesting are some other cases involving well-known Internet names. One concerns WhatsApp, and how information about its users is shared with Facebook, which bought WhatsApp for $19 billion in 2014. Three others are cases brought by the privacy expert Max Schrems, discussed on this blog two years ago. Schrems says that top Internet services like Facebook, WhatsApp and Instagram are guilty of “forced consent”. This is the practice of offering two basic choices to users of an online service: agree to be tracked for the purposes of serving up ads, or be thrown off the service. It’s a crucially important issue, since many Web sites adopt the same approach. If the DPC rules against it, the impact on the digital sector in the EU would be huge.

With its public statement, the Irish DPC is trying to signal that it is working hard on these big cases, but Schrems doesn’t think it is making enough progress. In an open letter to the EU’s data protection bodies, the European Commission, and the European Parliament, Schrems writes:

These three cases, in which the DPC acts as the lead authority, show that the cooperation mechanism under Chapter 7 of the GDPR becomes fundamentally dysfunctional if involved Data Protection Authorities (DPAs) do not cooperate in a swift and efficient manner. In a parallel procedure, the French [data protection agency] CNIL was able to single-handedly issue a €50 million fine against Google within seven months. In contrast, after two years, the DPC has completed the first of six steps last week in the cases against Instagram and WhatsApp

He points out that at the current speed, these cases could easily take more than ten years until all appeals are decided and a final decision is reached. Moreover, he says that two of the draft inquiry reports share most of their text – a plagiarism app found an overlap of 82% – which suggests the real pace of the inquiry is even slower. It’s not just about speed. Schrems claims that the DPC had “confidential” meetings with Facebook about how to bypass some of the GDPR’s protection. He’s not the only GDPR expert that thinks there’s a big problem with the enforcement side of things. Johannes Caspar, a leading German regulator for data protection, told Politico:

“I’m completely critical of the enforcement structure of the GDPR,” said Caspar, whose office is in charge of overseeing the German activities of several Silicon Valley firms. “The whole system doesn’t work.”

Against that troubled background Access Now has produced a useful report reviewing the general progress in implementing the GDPR. It too notes the slow pace of enforcement, but also underlines a worrying trend for the law to be misused to silence journalists and NGOs. It warns that an official review of the GDPR, currently underway, is being used by opponents of the law in an attempt to water down its stringent privacy protections.

Finally, marking the second anniversary of the GDPR, the Security Research group at the University of Cambridge has picked out three interesting studies that look at particular aspects of the GDPR. “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” looks at how users are manipulated into giving their consent to being tracked online, and how Web sites make it hard for people to protect their privacy. “Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework” is an updated version of research discussed on Privacy News Online in December last year. The academics tested the cookie banners used on 560 Web sites, and found at least one GDPR violation on 54% of them. The final paper explores “The Commodification of Consent“, and how the legal concept of “consent” has become an asset that can be traded:

Users interact with a consent dialogue offered by one coalition member. The default setting allows any other coalition member, including both publishers and third-party vendors, to use this consent as a legal basis for processing personal data. This paper considers how this legal innovation could change the distribution of revenues among firms.

As the above indicates, the GDPR has become a rich and complex area, touching many different aspects of privacy, not just in the EU, but globally. Pressure is building on the Irish DPC in particular to demonstrate that the GDPR has real teeth, and that infringements will be pursued and punished with serious fines. That means that we are likely to see some very interesting new developments in the field of enforcement in the not-too-distant future.

Featured image by waldryano.