More than 18 months after the European Union began implementing the world’s toughest privacy law, the bloc’s ability to rein in Big Tech is increasingly in doubt amid growing frustration over a lack of enforcement actions and weak cooperation on investigations.
Passed in May 2018, the General Data Protection Regulation (GDPR) was largely viewed as a model for the United States and other nations struggling to find effective limits on data collection by technology companies.
There was little doubt that, given the breadth of the law and the many suspected violations by global tech firms, there would soon be heavy fines or, at least, sanctions that would force Big Tech to change its operating methods.
But that promise has not been fulfilled. Aside from a €50 million fine that France’s privacy regulator imposed on Google in January, there have been no fines or remedies levied at a U.S. giant since the GDPR came into effect. And the two nations most directly responsible for policing the tech sector — Ireland and Luxembourg, where the largest tech firms have their European headquarters — have yet to wrap up a single investigation of any magnitude concerning a U.S. firm.
Now the Irish regulator which oversees Google, Facebook, Microsoft and Twitter, among other giants, says that its first decision will not be delivered until early next year, adding to previous delays.
Ireland and Luxembourg have faced special scrutiny because so many U.S. tech companies have set up shop in those tiny nations, which have actively courted them thanks to a mix of low corporate tax rates and business-friendly regulation. Those close relationships have created a strong degree of economic dependency, particularly in the Irish case, which raises questions as to whether these countries are best suited to regulating Big Tech.
Now, regulators in other countries are speaking out about their doubts. Hamburg’s data protection authority says that the current “one-stop-shop” system, in which many major investigations are carried out by authorities in Dublin or Luxembourg, creates serious bottlenecks and an “unsatisfactory” situation for millions of web users.
“After nearly one and a half year we must concede that we have a huge problem with the enforcement of cross border processing especially by globally acting companies,” a spokesperson for the authority, one of 16 in Germany, told POLITICO, referring to cases that concern web users in more than one country. “It is absolutely unsatisfactory to see that the biggest alleged data protection violations of the last 15 months with millions of individuals [concerned] are far away from being sanctioned.”
Luxembourg’s regulator declined numerous requests for comment. Irish privacy chief Helen Dixon insisted in an interview that the delays have to do with the complexity of enforcing a new law.
Probes take time because Europe’s law is untested and cases need to stand up to the scrutiny of all 28 EU nations, as well as in national court. “It’s going to take as long as it takes to do it properly,” she said, echoing points made by some other senior European data protection officials.
But Dixon’s explanation is not good enough for other regulators, lawyers, privacy campaigners and consumer protection groups around Europe. They argue that the longer Europe takes to enforce its privacy rules against the world’s biggest data-hungry companies, the more Silicon Valley will take advantage of wiggle room, run circles around regulators and undermine the spirit of the EU’s law.
In interviews with officials and privacy specialists around Europe, critics pointed to a range of problems in the bloc’s privacy system including:
— A bureaucratic logjam that has delayed action on dozens of complaints including alleged violations of GDPR in Google’s location tracking and privacy failures on behalf of Facebook, Amazon, Apple, Twitter and others, prompting privacy activists to threaten legal action;
— Lead supervisory authorities in charge of regulating some of the world’s most powerful tech companies that leaned heavily toward “engagement” — or doling out advice on how to stay legal — over investigations and enforcement;
— A lack of transparency and cooperation between European data protection authorities that are meant to work hand-in-hand to enforce the rules, but end up being stymied by divergent national legal systems, cultural differences and an outmoded information exchange system;
— Increasingly glaring differences in how EU watchdogs are interpreting the rules and, at times, breaking out of the one-stop-shop system to create what resembles a patchwork of privacy regimens instead of a single European landscape.
Few doubt that consequential decisions will be forthcoming in 2020. But when the first big calls are made on Google, Facebook and other big players, the critics warn it will only be the start of legal arguments, as European regulators are likely to battle one another over fines and remedies in arguments that could take years to untangle, and which may only get resolved by judges at the European Court of Justice in Luxembourg.
The irony, argue these same critics, is that after plenty of crowing about Europe’s comprehensive approach to privacy, it’s in the United States, where regulators have hit Facebook with a $5 billion fine over the Cambridge Analytica scandal, that enforcement has been the quickest on privacy.
“Europe has great laws on paper. But where are the enforcements? Where’s the beef?” said Thomas Shaw, an Ireland-based American privacy lawyer who has authored several books on data protection.
* * *
To understand the growing frustration, critics say, it helps to look over some of the more prominent complaints that have piled up since GDPR came into effect and remain unresolved, prompting several parties to consider legal action that would force regulators to get moving.
On the day the law came into force, Austrian privacy lawyer Max Schrems filed four lawsuits against Facebook, Google, Instagram and WhatsApp, respectively, over the idea that they were “forcing” users to agree to have their personal data harvested in order to be able to use services. These suits, which were first filed with regulators in France, Germany, Austria and Belgium, were subsequently all forwarded to the Irish Data Protection Commission — which became Europe’s “lead” regulator for all the firms concerned overnight — for further processing.
A year and a half later, Schrems and the other lawyers in his “None of Your Business” (noyb.eu) group are still waiting for decisions, and considering legal action that would prompt the Irish regulator to get moving on their claims.
An investigation into one of their complaints, against Facebook, was “completed” by Ireland over the summer, but it’s still stuck in a review process between noyb.eu and Facebook’s lawyers, according to Gaëtan Goldberg, one of Schrems’ associates. Asked for an update on the status of that complaint, Irish privacy chief Dixon said it had yet to reach her desk and was outside her legal purview as Irish Data Protection Commissioner for the moment.
Schrems and his colleagues say they are bound by confidentiality rules and cannot discuss the 66-page report on Ireland’s probe, which looks into whether Facebook gave users a real choice over having their data collected if they wanted to use the platform. But people familiar with their thinking say they are less than satisfied with the outcome, and could bring objections through the Austrian court system.
On all of noyb.eu’s other complaints, including an additional volley against Amazon and Apple filed in January of this year, there is no clear end in sight.
Schrems said the slow pace fits in with what he describes as the Irish regulator’s track record of avoiding enforcement.
He points to an ongoing case before Europe’s top court, which started way back in 2013. Schrems at the time complained to the Irish regulator that the data of European Facebook users would not be safe from snooping if it was sent on to the United States. Instead of ruling on the matter, the Irish authorities kicked it up to the Court of Justice of the European Union in Luxembourg, which is due to issue a final ruling in the case next summer, seven years after the original complaint. In a hearing about the case earlier this year and an opinion from its advocate general in December, the court was critical of the Irish decision to pass on the case.
“All cases are still stuck with the Irish, some with no response for more than 1.5 years now,” said Schrems, who was behind a lawsuit that brought a major transatlantic data flow agreement, Safe Harbor, crashing down and is also a complainant in proceedings against its successor, Privacy Shield.
The slow pace fits in with a track record of easygoing treatment of Facebook from before the GDPR era, when the Irish regulator had next to zero power to sanction firms, Schrems and other critics say.
After granting the social media giant a clean bill of health on privacy following a three-month audit in 2011, the Irish Data Protection Commission went on to advise Facebook on how to comply with the GDPR in the run-up to the law coming online, several people familiar with the matter said, including on controversial matters like its facial recognition tool for matching photos online — which other regulators have singled out as being problematic under EU rules.
Luxembourg’s regulator is, if anything, less transparent than its Irish counterpart.
Located on “rue du Rock ‘n’ Roll” in a town far from the country’s administrative center, the regulator that watches over Amazon, eBay and Paypal in the European Union did not respond to multiple requests for comment, and provided no information about any investigation into those companies in its public statements.
“We have blockage situation,” added Schrems’s colleague Goldberg in a phone conversation, referring to the GDPR’s one-stop-shop mechanism that gave lead oversight authority to Ireland and Luxembourg due to the companies’ choice to locate their main establishment in those countries. “My fear is that this [bottleneck] will ultimately have a chilling effect on individuals seeking to assert their privacy rights.”
Another long-waiting party is La Quadrature du Net, a French digital rights group that filed no fewer than seven lawsuits against five Big Tech companies just a few days after GDPR came online. One of the cases, concerning Google’s Android mobile operating system, resulted in the French CNIL regulator hitting the search giant with a €50 million fine in January of 2019 for breaching GDPR by failing to obtain legally valid consent for gathering users’ data for ad personalization.
Others remain in limbo. Luxembourg’s data protection authority has reached out to Amazon over La Quadrature’s complaint, the company confirmed to POLITICO, yet decisions still seem to be a distant prospect.
“We have very little information on how things are progressing,” said Arthur Messaud, a lawyer for the French group.
* * *
After an initial volley of complaints which took aim at the beating heart of Silicon Valley’s data collection model, others have followed that target different aspects of Big Tech’s privacy practices.
An umbrella group of European consumer protection organizations, BEUC, filed a complaint last November against Google over alleged privacy failures in the way it tracks users’ location, while Johnny Ryan, an executive at web browser Brave, complained to Ireland’s privacy regulator in September, 2019, over what he called a “GDPR workaround” that was allowing the search giant to collect data on users without valid consent.
Both cases are pending, and several complainants told POLITICO they were considering further legal action to force data protection authorities to get moving via what’s called an “urgency procedure” in the GDPR. Speaking to the International Grand Committee on Disinformation and Fake News, a gathering of politicians held in Dublin in November, Ryan said that he could sue regulators to push things along.
Noyb.eu’s representatives said they also had been considering additional legal action, while BEUC — which represents 42 consumer groups across 32 countries — wrote in a sharply worded open letter in late November that Europe’s data protection authorities need to get moving.
“When companies break the law, consumers need to be able to rely on enforcement bodies to get their rights respected,” wrote the group’s Director General, Monique Goyens, in a thinly veiled reference to the Irish enforcement body investigating the group’s complaints.
Finn Lützow-Holm Myrstad, Director of Digital Policy at Norway’s consumer protection agency, said that after the letter was published, Ireland’s privacy regulator invited members of BEUC to Dublin to discuss changes it said the search giant had made in response to the complaint. But these changes have yet to be made public, and the case took nearly a year to be addressed — too long, Lützow-Holm Myrstad said, in today’s world.
“In a constantly moving digital world, we can’t wait for years to see Google take action to fix abusive practices,” he wrote in response to emailed questions.
Ireland’s Dixon, who told U.S. Congress in May it was likely that Silicon Valley companies had violated the GDPR, acknowledges the impatience. Having said that she would hand down a first draft decision in a case involving WhatsApp in December, Dixon now says that decision will not be forthcoming until “early in the new year.”
“We’re all impatient,” she said. The problem was that there was nothing her office could do to speed up the clock on legal procedures that granted companies a right of response.
In the case of the WhatsApp probe — in which the company is suspected of having failed to give users enough information about how their personal data was being shared with parent company Facebook — lawyers for the firm had raised objections, which needed to be taken into account.
“We are getting wary of quoting timelines and mentioning ‘end of the year, start to next month,’ because it’s simply not a process that we control end-to-end,” she said in November on the sidelines of a privacy conference in Brussels. “This is a novel and new procedure that we are going to step through at EU level, where a controller raises a legitimate concern, or puts something on the table to say… We do have to pause and answer those queries carefully.”
As of late November, Dixon said she had yet to decide whether WhatsApp has, in fact, breached the GDPR. If and when she does, her first decision is likely to subject Europe’s privacy enforcement system to its first real stress test because other regulators will get to weigh in on decisions that concern millions of web users and are expected to push back against the Irish ruling.
So far, open disagreements have been kept to a minimum. According to the umbrella organization that gathers all EU privacy regulators, regulators have made decisions in 70 cases that concerned data subjects in more than one country — or what are known as “cross-border cases” in the European Union’s 28-member bloc. But every case had been resolved via a consensus decision, never once triggering a dispute resolution mechanism in the GDPR that would allow one watchdog to voice concern.
For Andrea Jelinek, the Austrian privacy chief who chairs the umbrella group of EU privacy regulators, the unbroken record of decision-via-consensus amounts to proof that Europe’s enforcement system is working. Those cases “were not that glamorous but they were important.”
But if Europe’s regulators have sung from one hymn-sheet, it could also be that those decisions were narrower in scope and did not concern a powerful tech company. That is likely to change when Dixon hands down her draft decision in the WhatsApp case.
If Dixon’s decision is perceived as too friendly to the company, the first pushback could come from Hamburg. The regulator in Northern Germany has repeatedly underscored concerns about WhatsApp and Facebook, citing two court decisions ordering the two entities to stop sharing data.
“After the transmission of user data between WhatsApp and Facebook was stopped, they [Facebook] took the entry into force of the GDPR as an opportunity to return to their former practice,” the regulator’s chief told POLITICO last year.
Hamburg’s more recent comments — citing “unacceptable” delays — suggest frustration over WhatsApp and other pending data protection matters is reaching a boiling point. And Hamburg is not alone, as Ulrich Kelber, the head of Germany’s federal privacy watchdog, voiced concerns in November that Ireland may lack sufficient funding to carry out its frontline mission to regulate Big Tech. In November, according to heise.de, he warned about “misery” at Ireland’s data protection regulator, and offered to provide Ireland formal help from German authorities.
A spokesman for the Irish regulator said the two countries had agreed to enhance their cooperation, but the Irish regulator’s funding shortage is real. In 2020, the budget increased by only €1.6 million to €16.9 million — “less than one third of the funding that the DPC requested in its budget submission” to the Irish government, Dixon complained in October. The shortfall was particularly problematic in light of the watchdog’s workload, which included more than 7,000 complaints, almost 5,000 breach notifications and more than 40,000 requests for guidance from organizations in 2019, her statement read.
In her interview with POLITICO, Dixon underscored that the budget shortfall would not affect investigations or the regulator’s ability to carry out expensive litigation against Big Tech companies known for “flooding the zone” with battalions of lawyers, drowning regulators in procedural moves.
But observers of European privacy rules are concerned, noting that even if the litigation budget is cordoned off, a lack of funding for a crucial update of outdated IT systems and human resources operations could have an impact on the regulator’s functioning as a whole.
In a complaint sent to the European Commission in October, Daragh O’Brien, a Dublin-based privacy consultant, urged EU authorities to intervene to make sure that privacy regulations were being properly enforced. “It is their function [the European Commission’s] to oversee how Member States are implementing EU law,” he wrote in a blog post.
Among other problems, he underscored that the Irish regulator badly needed upgrades, noting “file size restrictions and the inability to manage basic file sharing capabilities.”
“For email and case management they are using the same basic technology I began my career administering in a telco back in 1997,” he added.
O’Brien did not respond to requests for comment.
* * *
Another sore point is how well, or how poorly, Europeans are working together to enforce a bloc-wide privacy regulation that is meant to be a gold standard for the world. Under the current system, any investigation that concerns users in more than one country can prompt investigative assistance from other countries. But the system that connects the regulators, the IMI, or Internal Market Information System, is not up to the task of managing cooperation across borders, several officials complained.
More than 20 years old, it was originally conceived to share information about Europe’s internal market, and isn’t suited to handling the high volume of complaints that has come with the GDPR. “This is really yesterday’s technology, which slows everything down,” said one German data protection official who asked not to be named.
Even so, regulators insist they are doing plenty of collaboration.
A spokesperson for the French data protection authority spoke of “active cooperation” on investigations. The Irish regulator cited a list of ongoing modes of collaboration with other regulators including monthly gatherings of privacy authorities in Brussels, bilateral information exchanges, on-site visits to Dublin by regulators in third countries and an incipient collaboration with the Spanish regulator on an investigation.
And yet, a spokesman for the Irish said that neither the Irish regulator nor any other had yet launched a “joint investigation” — a formal process that would involve sending officials from one regulator to help out another on site, and could enable better resourced regulators, like the Information Commissioner’s Office in London, to lend legal and investigatory firepower to the Irish.
Reasons invoked for not doing so included language barriers, disparities between judicial systems in different EU countries and legal restrictions in some states.
But Bojana Bellamy, President of the Centre for Information Policy Leadership, offered up another: cultural differences.
Liberal regulators in northern EU countries like Ireland would not see eye-to-eye with their more legalistic German colleagues or statist French, and therefore would not want them looking over their shoulders. And while such differences have long existed, they are growing more pronounced.
“Some lines have been broken, and there is mistrust” between regulators, said Bellamy, whose group counts Google and Facebook as members.
In the absence of a centralizing force, regulators are starting to forge ahead with their own national actions, raising the possibility of patchwork decision-making that the GDPR sought to avoid with the “one stop shop” provision that designated each firm’s headquarters country as lead regulator.
Hamburg’s authority in August took the rare step of triggering an urgency procedure to protect the privacy rights of its citizens in a case involving Google’s voice assistant. The move, which prompted the German regulator to call a temporary halt to human processing of voice recordings by Google, suggested Hamburg could not wait for the lead supervisory authority, in this case Ireland, to act.
In a separate case, Belgium’s privacy regulator has asked Europe’s top court to clarify when a national regulator is able to move forward with an investigation of concern to people in the country. The case stretches back to 2015, when the Belgian authority ordered Facebook to stop using a tool to track users on third-party websites, only to see the decision overturned by a court which argued that Ireland, not Belgium, was the firm’s main regulatory port of call in Europe.
By appealing to the European Court of Justice, Belgium wants to know just how far its own authority stretches under the one-stop-shop.
In France, the U.K., Germany, Spain and elsewhere, regulators are rolling out differing positions on matters such as GDPR fining guidelines, limits on web browser cookies and facial recognition.
Critics point a finger at the European Data Protection Board (EDPB), which is meant to coordinate action between regulators, as needing to step up. In its annual review of the GDPR, the European Commission said that the EDPB should take on a stronger oversight role to forge common policy positions, a position that the Council of the European Union — which gathers all EU states — echoed in December.
But Jelinek said her office has no legal mandate to do more. Ultimately, the problem could land at the doorstep of the originator of the GDPR, the European Commission. Under new President Ursula von der Leyen, the bloc’s executive arm has pledged to assert Europe’s “digital sovereignty” — a concept that involves using antitrust law to look into questions of data monopolies.
But already, European data protection officials are bristling at having their turf trampled on. In a chat with POLITICO, incoming European Data Protection Supervisor Wojciech Wiewiórowski — who’s in charge of policing EU institutions — sent a clear signal that privacy regulators wanted antitrust enforcers to stay on their patch.
That leaves the agencies to decide among themselves whether reform of the GDPR’s current statutes is needed, and whether action should be taken to prod the lead authorities. The biggest players are hedging their bets. Asked if it was time to reevaluate the one-stop-shop, an official at France’s CNIL regulator said that question would come up after the first major decisions were handed down.
“These procedures will be an occasion to evaluate the cooperation mechanisms foreseen by the regulation, and any need to improve them,” the official said.