Brave, a maker of a pro-privacy browser, has lodged complaints with the European Commission against 27 EU Member States for under resourcing their national data protection watchdogs.
It’s asking the European Union’s executive body to launch an infringement procedure against Member State governments, and even refer them to the bloc’s top court, the European Court of Justice, if necessary.
“Article 52(4) of the GPDR [General Data Protection Regulation] requires that national governments give DPAs the human and financial resources necessary to perform their tasks,” it notes in a press release.
Brave has compiled a report to back up the complaints — in which it chronicles a drastic shortage of tech expertise and budget resource among Europe’s privacy agencies to enforce the region’s data protection framework.
Lack of proper resource to ensure the regulation’s teeth are able to clamp down on bad behavior — as the law drafters’ intended — has been a long standing concern.
In the Irish data watchdog’s annual report in February — aka the agency that regulates most of big tech in Europe — the lack of any decisions in major cross-border cases against a roll-call of tech giants loomed large, despite plenty of worthy filler, with reams of stats included to illustrate the massive case load of complaints the agency is now dealing with.
Ireland’s decelerating budget and headcount in the face of rising numbers of GDPR complaints is a key concern highlighted by Brave’s report.
Per the report, half of EU data protection agencies have what it dubs a small budget (sub €5M), while only five of Europe’s 28 national GDPR enforcers have more than 10 “tech specialists”, as it describes them.
“Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs,” it warns. “All other EU countries are far behind Germany.”
“Europe’s GDPR enforcers do not have the capacity to investigate Big Tech,” is its top-line conclusion.
“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Dr Johnny Ryan, Brave’s chief policy & industry relations officer, in a statement. “Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
It’s worth noting that Brave is not without its own commercial interest here. It absolutely has skin in the game, as a provider of privacy-sensitive adtech.
Ryan has also been a key instigator of a number of strategic GDPR complaints — such as those filed against certain widespread adtech industry practices. Enforcement against programmatic advertisement’s use of real-time bidding would very likely be of commercial benefit to Brave, given its engineered to operate a different model.
But such commercial interest in robust and active GDPR enforcement doesn’t undermine Brave’s core beef — aka: that regulatory inaction is linked to DPA under-resourcing.
Indeed, the UK’s ICO has itself, er, blogged multiple times about the systemic problem of unlawful adtech — repeatedly calling for the industry to reform. But not actually doing anything when it doesn’t.
It’s just this sort of ‘soft soap’ from regulators — words, instead of firm GDPR enforcement — that’s in Brave’s sights. Nor is it alone in complaining about the lack of GDPR ‘bite’; independent privacy campaigns and researchers have dubbed ongoing regulatory inaction as a “disastrous” failure that’s undermining the rule of law.
We reached out to the Irish Data Protection Commission, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and the European Commission for comment on Brave’s report and to ask whether they believe GDPR is functioning as intended.
A major milestone is looming with the regulation’s two year birthday falling next month — which will be concentrating minds within EU institutions.
A spokesman for the EDPS pointed us to this joint document with the EDPB — which was adopted in mid February, ahead of this wider evaluation process for GDPR.
In a section of the document on enforcement the assessment finds “increased attention and effort toward enforcement of data protection laws by most SAs” [supervisory authorities], with the EDPB noting that: “The new enforcement tools provided by the GDPR and the SAs made use of a wide range of corrective measures, i.e. not only administrative fines but also warnings and reprimands”.
On fines specifically, the evaluation notes that between May 25, 2018 and November 30, 2019, a total of 22 EU/EEA data protection agencies made use of this corrective power — with 785 fines issued overall (although around 110 of which relate to infringements that predate GDPR coming into force).
“Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future,” they further note.
In terms of what fines have been issued for, the write that most related to principles relating to processing of personal data (Art. 5 GDPR); lawfulness of processing (Art. 6 GDPR); valid consent (Art. 7 GDPR); processing of special categories of personal data (Art. 9 GDPR); transparency and rights of the data subjects (Art. 12 to 22 GDPR); security of processing and data breaches (Art. 32 to 34 GDPR).
We’ll update this report with any other responses to Brave’s report. We’ve also asked the Commission if it will be instigating infringement proceedings against any Member States.
As noted above, the Commission will publish a review of GDPR next month, as the regulation reaches its second anniversary. And while plenty of compliance activity is undoubtedly taking place, away from flashy headlines — such as data impact assessments; and accelerated data breach notifications — which will be provide plenty of filler for the looming Commission report, the biggest ongoing criticism attached to GDPR is the lack of perceived action over major cross-border complaints. And, therefore, the lack of enforcement against major platforms and tech giants.
A $57M fine for Google by France’s CNIL back in January 2019 stands as something of a lone exception on the major-financial-penalties-for-tech-giants front.
However, fines seems a poor lever to spur reform of resource-rich tech giants. Just look at the $5BN fine Facebook negotiated with domestic regulators in the US — a tiny price-tag for its earlier flouting of US regulatory requirements. tl;dr fines — even record-breaking ones — are a line of business expense for platforms operating at this level.
So it’s worth noting some high profile interventions/warnings by EU DPAs — which did not involved any actual financial penalties — have netted some tangible changes to how voice assistant AI systems function.
Last summer, for example, it emerged that the Hamburg data protection authority, in German, had informed Google of its intention to use Article 66 powers of the GDPR to begin an “urgency procedure” — which allows a DPA to order data processing to stop if it believes there’s “an urgent need to act in order to protect the rights and freedoms of data subjects”.
Just the warning that it was about to unbox that power appeared to be enough to spark action from Google which suspended manual (human) audio reviews of Google Assistant across the whole of Europe.
There were similar process changes from Apple and Amazon — following regional press and regulatory attention. (Global changes, in the case of Apple.)
So the picture around GDPR enforcement is a little more nuanced than just ‘hey DPAs, show us the money’.
Nonetheless, Ireland remains an obvious ‘one-stop’ bottleneck for the functioning of regulation — making the agency an eye-catching pinata for those who like to claim GDPR isn’t working.
The DPC cannot remain in this critical limbo forever, of course, no matter how concerned it evidently is that its decisions stand up to tech giants’ lawyerly nitpickings and future judicial review.
Decisions in the more than 20 cross-border cases stuck on its desk — including complaints against Apple, Facebook, Google, LinkedIn, Twitter and TechCrunch’s own parent, Verizon Media, to name a few — must flow eventually. And, per earlier comments, pretty quickly now — given the first decisions were slated for ‘early’ this year. (Expect the coronavirus crisis to provide some cover for any further administrative delay.)
Whatever those crux decisions look like, critics will still be able to shoot back that they’ve come too late to be truly effective, though.