Happy second birthday, GDPR.
Two years ago, Europe introduced the world’s toughest data privacy legislation, putting on notice the tech giants of the world who’d grown fat off your personal data.
The General Data Protection Regulation, widely known as the GDPR, is a far-reaching law designed to uphold the right to privacy for Europe’s citizens. It promises to issue bigger fines for data protection violations than have ever been seen before: 20 million euros, or up to 4% of a company’s annual worldwide revenue from the preceding financial year, whichever’s greater.
As of Monday, the second anniversary of when the GDPR took effect, the EU will have handed out only two fines to Silicon Valley tech giants — the first to the local subsidiary of Facebook in Germany, for 51,000 euros, and the second to Google in France over Android, for 50 million euros. That has many impatient privacy advocates asking: What’s taking so long?
The lack of action underscores some of the challenges facing the regulators tasked with ensuring Big Tech is compliant with the GDPR. While the tech giants stock their ranks with small armies of lawyers, much of the oversight falls to just one small, underfunded agency, the Irish Data Protection Commission, thanks to a quirk in European law.
The GDPR’s quiet first two years give a false impression of the impact the law has had on the global stage. The legislation has raised the EU’s profile among regulators and lawmakers around the world and inspired similar regulations in Brazil and India, as well as in California, home to many of the tech giants. Tech companies have had to change their privacy policies and disclosures not only in Europe but around the world, since it doesn’t make sense to observe two sets of privacy standards.
And industry watchers say more moves are coming. The regulators are just taking the time to make sure these sanctions stick.
For now all eyes are firmly fixed on Ireland, the nominated regulator for Apple, Facebook, Google and Twitter, among other tech giants. Because of a rule that funnels complaints to the country where companies have their European headquarters, Ireland is juggling multiple investigations into all those titans (eight into Facebook, three into Twitter, two into Apple, two into Facebook-owned WhatsApp, two into Google and one into Facebook-owned Instagram).
“Many of the world’s biggest tech companies are based in Ireland, so they have an undue burden placed on them by virtue of that,” said Pat Walshe, founder of data protection consultancy Privacy Matters.
All about the money
Ireland’s challenges might start with its caseload, but its other problem is that it’s hugely underfunded given its immense task.
“By no means would I take their lack of published and imposed fines as any kind of inactivity,” said Alex van der Wolk, co-chair of Morrison & Foerster’s global privacy and data security practice. “It’s been very active and I’m sure that they’re dealing with the budget that they have.”
Earlier this year, pro-privacy browser Brave published a report looking into the funding of regulators across Europe. Ireland’s DPC was the seventh-best funded but had a budget of only 16.9 million euros, compared with the best-funded regulator, the UK’s Information Commissioner’s Office, which has a budget nearly four times as large.
The DPC receives less funding from the Irish government than Ireland’s greyhound racing board, according to Brave Chief Policy Officer Johnny Ryan, citing a stat discovered by Daragh O’Brien from Irish data privacy consultancy Castlebridge.
“That [greyhound racing] is not a big thing here, just in case you’re wondering,” said Ryan.
According to Walshe, the DPC needs “significant funding.” With such funding it might have the chance of establishing itself as a center of excellence for tech in Europe — something he believes is much needed in light of the fact that many European data regulators don’t have specialist technical units.
In a statement, the DPC noted that its funding had increased significantly, allowing it to boost its number of staff to 175 this year, up from 30 or so in 2014. “However, this growth will need to continue and we will be seeking additional funding for next year to enable us to do so,” it added.
In October, Ireland’s data protection commissioner, Helen Dixon, expressed her disappointment that the DPC had been afforded less than one third of the additional funding it had requested in the country’s budget and said the watchdog would be forced to reassess its spending allocation for 2020 as a result.
“This is something that is a matter of great concern,” said Katherine O’Keefe, director of training at Castlebridge. “The underfunding of regulators is systemic across Europe as well. So it is something that … could very quickly become a crisis over the next couple years, I would expect, if we don’t address it.”
Ireland’s lack of action on the tech giants is frustrating some GDPR advocates who want to show the world that the regulation can have significant impact. Germany’s federal data commissioner, Ulrich Kelber, hit out at the DPC earlier this year, describing its failure to take action as “unbearable.”
Rather than place the burden on Ireland alone, Kelber suggested enforcing GDPR using a pan-European approach.
Dixon rejected Kelber’s criticism, and in an interview with The New York Times defended the DPC, saying that its output doesn’t reflect the effort it’s putting into investigating cases and establishing procedures for enforcing the GDPR.
From inaction to enforcement
Last week, the Irish DPC finally announced its first action, a fine of 75,000 euros — but it wasn’t against a big tech company. Instead it was against Ireland’s public children and family agency Tusla.
There are several things that can be taken away from this. The first, according to O’Keefe, is that the DPC is asserting its independence by showing it’s not afraid to fine public bodies. Secondly, it’s a demonstration of its commitment to treating GDPR complaints equally, whether they relate to public authorities or private companies.
The other big takeaway is that the DPC has found its feet and is moving from the investigation to the enforcement phase of several cases. “The DPC has been focusing on ensuring they have the procedural aspects of investigation and enforcement clear before they take a very large step,” said O’Keefe.
That very large step could hit the ground at any moment now. At the end of last week, the DPC made a major announcement that it had submitted a draft decision on a Twitter case to EU authorities.
“In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken into account by the DPC before preparing a draft decision in that matter also,” said Deputy Commissioner Graham Doyle in a statement.
The DPC said it has also completed an inquiry into how Facebook processes personal data, and has now moved into the decision-making phase. In addition, it’s sent draft inquiry reports to the complainants and companies concerned in two further cases, one involving Facebook-owned WhatsApp and one involving Instagram, also owned by Facebook.
“We are seeing a movement from investigation into enforcement which suggests that the regulator now sees they have sufficient clarity on procedural aspects so that they don’t end up with a very large misstep at the start,” said O’Keefe.
It’s in the interests of the DPC to get things right — or as right as is possible — the first time around. The tech giants will inevitably appeal any decisions taken against them, potentially keeping the Irish courts busy for years to come. With massive budgets and huge legal firepower at the companies’ disposal, the regulator will need to fully prepare itself to fight when the appeals flood in.
Scarier than fines
Any demands for tech companies to make behavioral changes will be big news. Fines make for good headlines, but they aren’t the only enforcement option available to regulators, and they’re definitely not the outcome that scares Big Tech the most.
Take Google’s GDPR fine of 50 million euros. It sounds like a lot, but in reality amounts to a mere fraction of the company’s daily revenue.
Regulators also have the power to stop companies either temporarily or permanently from collecting and processing data. This has the potential to completely disrupt their business models and force them to make major changes to their core products.
“If they could prove that it’s proportionate to impose a restriction on processing of a big tech company, then you could imagine the shockwaves that would send,” said Walshe.
We’ve gotten our first glimpse of this already. Facebook was mere days away from rolling out its Facebook Dating in Europe on Feb. 13 when regulators stepped in and told the company to put the launch on ice. According to the DPC, it’s awaiting a response to questions it submitted to Facebook following a review of the company’s documentation. Facebook didn’t respond to a request for comment.
For Ryan, the biggest threat to tech companies lies within Article 5 of the GDPR, which stipulates that companies may not use data for anything other than the purpose for which it was originally collected.
“Big Tech has a habit of having what I refer to as an internal data free-for-all,” said Ryan. “With things like purpose limitation, if they are enforced, Big Tech changes overnight. There will be appeals and there’ll be court cases, but the blood will be in the water.”
Whether these powers are used and the sanctions stick could have a knock-on effect on Europe’s reputation in the global arena, according to Ryan.
Europe doesn’t boast Big Tech superpowers like China and the US, but what it does have right now is “regulatory influence,” with the GDPR as one of the shining jewels in its crown. If the law doesn’t stand up, Europe’s influence could take a major hit, Ryan said.
But the GDPR also has unlikely and powerful allies among some of the very entities it’s designed to regulate. The one thing American tech giants fear more than regulation is regulation coming out of China, which might explain their increasingly public embrace of privacy standards designed at home or cooked up by close allies of the US.
In a conversation with European Commissioner Thierry Breton this week, Facebook CEO Mark Zuckerberg described tech as having a choice between embracing regulatory frameworks coming out of Western democracies or those coming out of countries like China, which allow for more state interference and put less focus on human rights. He name-checked the GDPR as an example of regulation having a positive influence on the rest of the world.
But a central tenet of the GDPR is empowering people to challenge and complain when they feel their rights are being impinged on. No matter how much a company extends GDPR policies to users in other countries, it won’t give those users the same recourse afforded to Europeans if their countries don’t also have the ability to investigate complaints, enforce sanctions and ultimately hold those collecting and processing data to account.
But there’s good reason for them to use it as a blueprint, as California did in its privacy law. In spite of the seemingly slow progress and the struggles regulators have been facing in enforcing the legislation, there’s one thing everyone — companies, governments, regulators and privacy advocates — seems to agree on: that the baseline legislation is solid and fit for purpose.
“It is very flexible, and probably as fair as can be for something that has to cover everyone from the big tech companies to a one-man band,” said O’Keefe.
In the near and distant future…
The European Commission is set to release its own report on the progress of the GDPR in June, but it’s likely to reiterate the point that’s been made from the beginning, which is that progress was always going to be slow and that the law was never designed as a quick fix.
It’s important to remember that privacy in Europe is still in its adolescence, said van der Wolk. It takes years to establish procedures for investigations, enforcement and dealing with the fallout from the appeals process.
“We haven’t seen any courts actually confirm or overturn some of these regulatory decisions, and I fully appreciate that no regulator wants its decision to be overturned, so they are taking their time,” he said. “But really, for me, that is the next step in the maturing process.”
For those eager to see some serious action on Big Tech, the wait could soon be over, as the DPC gears up to announce its first decision on Twitter, which is likely to be swiftly followed by decisions on WhatsApp and Facebook. Onlookers are hoping that action will amount to more than just another fine. “A meaningful enforcement action would require changes in behavior,” said O’Keefe. “That is the power that the DPC and the other regulators have, and that’s what we need to be looking for.”
There are also several previously unforeseen factors that could affect how the GDPR story plays out in coming months and years. Brexit is one, COVID-19 another.
The pandemic is proving to be a particular challenge for regulators, which are struggling to come to a cross-border consensus on how the GDPR should apply to coronavirus-related surveillance technologies, such as contact-tracing apps and temperature scanning. As in almost every sector, some regulators have also had to slow down or even hit pause on their day-to-day work — the UK’s ICO, for example, isn’t accepting new complaints.
Data protection regulations have been around a lot longer than the GDPR, and at no point have they been taken seriously as a threat. The arrival of the GDPR has, at the very least, shifted that threat up a notch, enabling serious sanctions against those who violate people’s right to privacy. At best, it could be a gold-standard piece of legislation that will inspire change in the tech industry for years to come.