‘We have a huge problem’: European regulator despairs over lack of enforcement

More than 18 months after the European Union began implementing the world’s toughest privacy law, the bloc’s ability to rein in Big Tech is increasingly in doubt amid growing frustration over a lack of enforcement actions and weak cooperation on investigations.

Passed in May 2018, the General Data Protection Regulation (GDPR) was largely viewed as a model for the United States and other nations struggling to find effective limits on data collection by technology companies.

There was little doubt that, given the breadth of the law and the many suspected violations by global tech firms, there would soon be heavy fines or, at least, sanctions that would force Big Tech to change its operating methods.

But that promise has not been fulfilled. Aside from a €50 million fine that France’s privacy regulator imposed on Google in January, there have been no fines or remedies levied at a U.S. giant since the GDPR came into effect. And the two nations most directly responsible for policing the tech sector — Ireland and Luxembourg, where the largest tech firms have their European headquarters — have yet to wrap up a single investigation of any magnitude concerning a U.S. firm.

Now the Irish regulator which oversees Google, Facebook, Microsoft and Twitter, among other giants, says that its first decision will not be delivered until early next year, adding to previous delays.

Ireland and Luxembourg have faced special scrutiny because so many U.S. tech companies have set up shop in those tiny nations, which have actively courted them thanks to a mix of low corporate tax rates and business-friendly regulation. Those close relationships have created a strong degree of economic dependency, particularly in the Irish case, which raises questions as to whether these countries are best suited to regulating Big Tech.

Now, regulators in other countries are speaking out about their doubts. Hamburg’s data protection authority says that the current “one-stop-shop” system, in which many major investigations are carried out by authorities in Dublin or Luxembourg, creates serious bottlenecks and an “unsatisfactory” situation for millions of web users.

“After nearly one and a half year we must concede that we have a huge problem with the enforcement of cross border processing especially by globally acting companies,” a spokesperson for the authority, one of 16 in Germany, told POLITICO, referring to cases that concern web users in more than one country. “It is absolutely unsatisfactory to see that the biggest alleged data protection violations of the last 15 months with millions of individuals [concerned] are far away from being sanctioned.”

Luxembourg’s regulator declined numerous requests for comment. Irish privacy chief Helen Dixon insisted in an interview that the delays have to do with the complexity of enforcing a new law.

Probes take time because Europe’s law is untested and cases need to stand up to the scrutiny of all 28 EU nations, as well as in national court. “It’s going to take as long as it takes to do it properly,” she said, echoing points made by some other senior European data protection officials.

But Dixon’s explanation is not good enough for other regulators, lawyers, privacy campaigners and consumer protection groups around Europe. They argue that the longer Europe takes to enforce its privacy rules against the world’s biggest data-hungry companies, the more Silicon Valley will take advantage of wiggle room, run circles around regulators and undermine the spirit of the EU’s law.

In interviews with officials and privacy specialists around Europe, critics pointed to a range of problems in the bloc’s privacy system including:

— A bureaucratic logjam that has delayed action on dozens of complaints including alleged violations of GDPR in Google’s location tracking and privacy failures on behalf of Facebook, Amazon, Apple, Twitter and others, prompting privacy activists to threaten legal action;

— Lead supervisory authorities in charge of regulating some of the world’s most powerful tech companies that leaned heavily toward “engagement” — or doling out advice on how to stay legal — over investigations and enforcement;

— A lack of transparency and cooperation between European data protection authorities that are meant to work hand-in-hand to enforce the rules, but end up being stymied by divergent national legal systems, cultural differences and an outmoded information exchange system;

— Increasingly glaring differences in how EU watchdogs are interpreting the rules and, at times, breaking out of the one-stop-shop system to create what resembles a patchwork of privacy regimens instead of a single European landscape.

Few doubt that consequential decisions will be forthcoming in 2020. But when the first big calls are made on Google, Facebook and other big players, the critics warn it will only be the start of legal arguments, as European regulators are likely to battle one another over fines and remedies in arguments that could take years to untangle, and which may only get resolved by judges at the European Court of Justice in Luxembourg.

The irony, argue these same critics, is that after plenty of crowing about Europe’s comprehensive approach to privacy, it’s in the United States, where regulators have hit Facebook with a $5 billion fine over the Cambridge Analytica scandal, that enforcement has been the quickest on privacy.

“Europe has great laws on paper. But where are the enforcements? Where’s the beef?” said Thomas Shaw, an Ireland-based American privacy lawyer who has authored several books on data protection.

* * *

To understand the growing frustration, critics say, it helps to look over some of the more prominent complaints that have piled up since GDPR came into effect and remain unresolved, prompting several parties to consider legal action that would force regulators to get moving.

On the day the law came into force, Austrian privacy lawyer Max Schrems filed four lawsuits against Facebook, Google, Instagram and WhatsApp, respectively, over the idea that they were “forcing” users to agree to have their personal data harvested in order to be able to use services. These suits, which were first filed with regulators in France, Germany, Austria and Belgium, were subsequently all forwarded to the Irish Data Protection Commission — which became Europe’s “lead” regulator for all the firms concerned overnight — for further processing.

A year and a half later, Schrems and the other lawyers in his “None of Your Business” (noyb.eu) group are still waiting for decisions, and considering legal action that would prompt the Irish regulator to get moving on their claims.

An investigation into one of their complaints, against Facebook, was “completed” by Ireland over the summer, but it’s still stuck in a review process between noyb.eu and Facebook’s lawyers, according to Gaëtan Goldberg, one of Schrems’ associates. Asked for an update on the status of that complaint, Irish privacy chief Dixon said it had yet to reach her desk and was outside her legal purview as Irish Data Protection Commissioner for the moment.

Another sore point is how well, or how poorly, Europeans are working together to enforce a bloc-wide privacy regulation that is meant to be a gold standard for the world.

Schrems and his colleagues say they are bound by confidentiality rules and cannot discuss the 66-page report on Ireland’s probe, which looks into whether Facebook gave users a real choice over having their data collected if they wanted to use the platform. But people familiar with their thinking say they are less than satisfied with the outcome, and could bring objections through the Austrian court system.

On all of noyb.eu’s other complaints, including an additional volley against Amazon and Apple filed in January of this year, there is no clear end in sight.

Schrems said the slow pace fits in with what he describes as the Irish regulator’s track record of avoiding enforcement.

He points to an ongoing case before Europe’s top court, which started way back in 2013. Schrems at the time complained to the Irish regulator that the data of European Facebook users would not be safe from snooping if it was sent on to the United States. Instead of ruling on the matter, the Irish authorities kicked it up to the Court of Justice of the European Union in Luxembourg, which is due to issue a final ruling in the case next summer, seven years after the original complaint. In a hearing about the case earlier this year and an opinion from its advocate general in December, the court was critical of the Irish decision to pass on the case.

“All cases are still stuck with the Irish, some with no response for more than 1.5 years now,” said Schrems, who was behind a lawsuit that brought a major transatlantic data flow agreement, Safe Harbor, crashing down and is also a complainant in proceedings against its successor, Privacy Shield.

The slow pace fits in with a track record of easygoing treatment of Facebook from before the GDPR era, when the Irish regulator had next to zero power to sanction firms, Schrems and other critics say.

After granting the social media giant a clean bill of health on privacy following a three-month audit in 2011, the Irish Data Protection Commission went on to advise Facebook on how to comply with the GDPR in the run-up to the law coming online, several people familiar with the matter said, including on controversial matters like its facial recognition tool for matching photos online — which other regulators have singled out as being problematic under EU rules.

Luxembourg’s regulator is, if anything, less transparent than its Irish counterpart.

Located on “rue du Rock n Roll” in a town far from the country’s administrative center, the regulator that watches over Amazon, eBay and Paypal in the European Union did not respond to multiple requests for comment, and provided no information about any investigation into those companies in its public statements.

“We have blockage situation,” added Schrems’s colleague Goldberg in a phone conversation, referring to the GDPR’s one-stop-shop mechanism that gave lead oversight authority to Ireland and Luxembourg due to the companies’ choice to locate their main establishment in those countries. “My fear is that this [bottleneck] will ultimately have a chilling effect on individuals seeking to assert their privacy rights.”

Another long-waiting party is La Quadrature du Net, a French digital rights group that filed no fewer than seven lawsuits against five Big Tech companies just a few days after GDPR came online. One of the cases, concerning Google’s Android mobile operating system, resulted in the French CNIL regulator hitting the search giant with a €50 million fine in January of 2019 for breaching GDPR by failing to obtain legally valid consent for gathering their data for ad personalization.

Others remain in limbo. Luxembourg’s data protection authority has reached out to Amazon over La Quadrature’s complaint, the company confirmed to POLITICO, yet decisions still seem to be a distant prospect.

“We have very little information on how things are progressing,” said Arthur Messaud, a lawyer for the French group.

* * *

After an initial volley of complaints which took aim at the beating heart of Silicon Valley’s data collection model, others have followed that target different aspects of Big Tech’s privacy practices.

An umbrella group of European consumer protection organizations, BEUC, filed a complaint last November against Google over alleged privacy failures in the way it tracks users’ location, while Johnny Ryan, an executive at web browser Brave, complained to Ireland’s privacy regulator in September, 2019, over what he called a “GDPR workaround” that was allowing the search giant to collect data on users without valid consent.

Both cases are pending, and several complainants told POLITICO they were considering further legal action to force data protection authorities to get moving via what’s called an “urgency procedure” in the GDPR. Speaking to the International Grand Committee on Disinformation and Fake News, a gathering of politicians held in Dublin in November, Ryan said that he could sue regulators to push things along.

Noyb.eu’s representatives said they also had been considering additional legal action, while BEUC — which represents 42 consumer groups across 32 countries — wrote in a sharply worded open letter in late November that Europe’s data protection authorities need to get moving.

“When companies break the law, consumers need to be able to rely on enforcement bodies to get their rights respected,” wrote the group’s Director General, Monique Goyens, in a thinly veiled reference to the Irish enforcement body investigating the group’s complaints.

Finn Lützow-Holm Myrstad, Director of Digital Policy at Norway’s consumer protection agency, said that after the letter was published, Ireland’s privacy regulator invited members of BEUC to Dublin to discuss changes it said the search giant had made in response to the complaint. But these changes have yet to be made public, and the case took nearly a year to be addressed — too long, Lützow-Holm Myrstad said, in today’s world.

“In a constantly moving digital world, we can’t wait for years to see Google take action to fix abusive practices,” he wrote in response to emailed questions.

Ireland’s Dixon, who told U.S. Congress in May it was likely that Silicon Valley companies had violated the GDPR, acknowledges the impatience. Having said that she would hand down a first draft decision in a case involving WhatsApp in December, Dixon now says that decision will not be forthcoming until “early in the new year.”

“We’re all impatient,” she said. The problem was that there was nothing her office could do to speed up the clock on legal procedures that granted companies a right of response.

In the case of the WhatsApp probe — in which the company is suspected of having failed to give users enough information about how their personal data was being shared with parent company Facebook — lawyers for the firm had raised objections, which needed to be taken into account.

“We are getting wary of quoting timelines and mentioning end of the year, start to next month, because it’s simply not a process that we control end-to-end,” she said in November on the sidelines of a privacy conference in Brussels. “This is a novel and new procedure that we are going to step through at EU level, where a controller raises a legitimate concern, or puts something on the table to say… We do have to pause and answer those queries carefully.”

As of late November, Dixon said she had yet to decide whether WhatsApp has, in fact, breached the GDPR. If and when she does, her first decision is likely to subject Europe’s privacy enforcement system to its first real stress test because other regulators will get to weigh in on decisions that concern millions of web users and are expected to push back against the Irish ruling.

So far, open disagreements have been kept to a minimum. According to the umbrella organization that gathers all EU privacy regulators, regulators have made decisions in 70 cases that concerned data subjects in more than one country — or what are known as “cross-border cases” in the European Union’s 28-member bloc. But every case had been resolved via a consensus decision, never once triggering a dispute resolution mechanism in the GDPR that would allow one watchdog to voice concern.

For Andrea Jelinek, the Austrian privacy chief who chairs the umbrella group of EU privacy regulators, the unbroken record of decision-via-consensus amounts to proof that Europe’s enforcement system is working. Those cases “were not that glamorous but they were important.”

But if Europe’s regulators have sung from one hymn-sheet, it could also be that those decisions were narrower in scope and did not concern a powerful tech company. That is likely to change when Dixon hands down her draft decision in the WhatsApp case.

If Dixon’s decision is perceived as too friendly to the company, the first pushback could come from Hamburg. The regulator in Northern Germany has repeatedly underscored concerns about WhatsApp and Facebook, citing two court decisions ordering the two entities to stop sharing data.

“After the transmission of user data between WhatsApp and Facebook was stopped, they [Facebook] took the entry into force of the GDPR as an opportunity to return to their former practice,” the regulator’s chief told POLITICO last year.

Hamburg’s more recent comments — citing “unacceptable” delays — suggest frustration over WhatsApp and other pending data protection matters is reaching a boiling point. And Hamburg is not alone, as Ulrich Kelber, the head of Germany’s federal privacy watchdog, voiced concerns in November that Ireland may lack sufficient funding to carry out its frontline mission to regulate Big Tech. In November, according to heise.de, he warned about “misery” at Ireland’s data protection regulator, and offered to provide Ireland formal help from German authorities.

A spokesman for the Irish regulator said the two countries had agreed to enhance their cooperation, but the Irish regulator’s funding shortage is real. In 2020, the budget increased by only €1.6 million to €16.9 million — “less than one third of the funding that the DPC requested in its budget submission” to the Irish government, Dixon complained in October. The shortfall was particularly problematic in light of the watchdog’s workload, which included more than 7,000 complaints, almost 5,000 brea