Natasha Lomas
The European Commission has given its clearest signal yet that it’s prepared to intervene over weak enforcement of the EU’s data protection rules against big tech.
Today the bloc’s executive also had a warning for adtech giants Google and Facebook — accusing them of choosing “legal tricks” over true compliance with the EU’s standard of “privacy by design” — and emphasizing the imperative for them to take data protection “seriously”.
Speaking at a privacy conference this morning, Vera Jourová, the EU’s commissioner for values and transparency, said enforcement of the General Data Protection Regulation (GDPR) at a national level must buck up — and become “effective” — or else it “will have to change”, specifying that any “potential changes” will move toward centralized enforcement.
“When I was looking at existing enforcement decisions and pending cases, I also came to another conclusion,” she also said. “So, we have penalties or decisions against Google, Facebook, WhatsApp.
“To me this means that clearly there is a problem with compliance culture among those companies that live off our personal data. Despite the fact that they have the best legal teams, presence in Brussels and spent countless hours discussing with us the GDPR. Sadly, I fear this is not privacy by design.
“I think it is high time for those companies to take protection of personal data seriously. I want to see full compliance, not legal tricks. It’s time not to hide behind small print, but tackle the challenges head on.”
In parallel, an influential advisor to the bloc’s top court has today published an opinion which states that EU law does not preclude consumer protection agencies from bringing representative actions at a national level — following a referral by a German court in a case against Facebook Ireland — which, if the CJEU’s judges agree, could open up a fresh wave of challenges to tech giants’ misuse of people’s data without the need to funnel complaints through the single point of failure of gatekeeper regulators like Ireland’s Data Protection Commission (DPC).
Towards centralized privacy oversight?
On paper, EU law provides people in the region with a suite of rights and protections attached to their data. And while the regulation has attracted huge international attention, as other regions grapple with how to protect people in an age of data-mining giants, the problem for many GDPR critics, as it stands, is that the law decentralizes oversight of these rules and rights to a patchwork of supervisory agencies at the EU Member State level.
While this can work well for cases involving locally bounded services, major problems arise where complaints span borders within the EU — as is always the case with tech giants’ (global) services. This is because a one-stop-shop (OSS) mechanism kicks in, ostensibly to reduce the administrative burden for businesses.
But it also enables a huge get-out clause for tech giants, allowing them to forum shop for a ‘friendly’ regulator through their choice of where to locate their regional HQ. And working from a local EU base, corporate giants can use investment and job creation in that Member State as a lever to work against and erode national political will to press for vigorous oversight of their European business at the local authority level.
“In my view, it does take too long to address the key questions around processing of personal data for big tech,” said Jourová giving a keynote speech to the Forum Europe data protection & privacy conference. “Yes, I understand the lack of resources. I understand there is no pan-European procedural law to help the cross-border cases. I understand that the first cases need to be rock-solid because they will be challenged in court.
“But I want to be honest — we are in the crunch time now. Either we will all collectively show that GDPR enforcement is effective or it will have to change. And there is no way back to decentralised model that was there before the GDPR. Any potential changes will go towards more centralisation, bigger role of the EDPB [European Data Protection Board] or Commission.”
Jourová added that the “pressure” to make enforcement effective “is already here” — pointing to debate around incoming legislation that will update the EU’s rules around ecommerce, and emphasizing that, on the Digital Services Act, Member States have been advocating for enforcement change — and “want to see more central role of the European Commission”.
Point being that if there’s political will for structural changes to centralize EU enforcement among Member States, the Commission has the powers to propose the necessary amendments — and will hardly turn its nose up at being asked to take on more responsibility itself.
Jourová’s remarks are a notable step up on her approach to the thorny issue of GDPR enforcement back in summer 2020 — when, at the two year review mark of the regulation entering into application, she was still talking about the need to properly resource DPAs — in order that they could “step up their work” and deliver “vigorous but uniform enforcement”, as she put it then.
Now, in the dying days of 2021 — with a still massive backlog of decisions yet to be issued around cross-border cases, some of which are highly strategic, targeting adtech platforms’ core surveillance business model (Jourová’s speech, for example, noted that 809 procedures related to the OSS have been triggered but only 290 Final Decisions have been issued) — the Commission appears to be signalling that it’s finally running out of patience on enforcement.
And that it is already eyeing a Plan B to make the GDPR truly effective.
Criticism of weak enforcement against tech giants has been a rising chorus in Europe for years. Most recently frustration with regulatory inaction led privacy campaigner Max Schrems’ not-for-profit, noyb, to file a complaint of criminal corruption against the GDPR’s most infamous bottleneck: Ireland’s DPC, accusing the regulator of engaging in “procedural blackmail” which it suggested would help Facebook by keeping key developments out of the public eye, among other eye-raising charges.
The Irish regulator has faced the strongest criticism of all the EU DPAs over its role in hampering effective GDPR enforcement.
Although it’s not the only authority to be accused of creating a bottleneck by letting major complaints pile up on its desk and taking a painstaking ice-age to investigate complaints and issue decisions (assuming it opens an investigation at all).
The UK’s ICO — when the country was still in the EU — did nothing about complaints against real-time-bidding’s abuse of people’s data, for example, despite sounding a public warning over behavioral ads’ unlawfulness as early as 2019. While Belgium’s DPA has been taking a painstaking amount of time to issue a final decision on the IAB Europe’s TCF’s failure to comply with the GDPR. But Ireland’s central role in regulating most of big tech means it attracts the most flak.
The sheer number of tech giants that have converged on Ireland — wooed by low corporate tax rates (likely with the added cherry of business-friendly data oversight) — gives it an outsized role in overseeing what’s done with Europeans’ data.
Hence Ireland has open investigations into Apple, Google, Facebook and many others — yet has only issued two final decisions on cross-border cases so far (Twitter last year; and WhatsApp this year).
Both of those decisions went through a dispute mechanism that’s also baked into the GDPR — which kicks in when other EU DPAs don’t agree with a draft decision by the lead authority.
That mechanism further slowed down the DPC’s enforcement in those cases — but substantially cranked up the intervention the two companies ultimately faced. Ireland had wanted to be a lot more lenient vs the collective verdict once all of the bloc’s oversight...