After 12 years at the helm of the Hamburg data protection commission, Johannes Caspar is stepping down. The privacy commissioner returns to academia disillusioned with the EU’s General Data Protection Regulation (GDPR), calling it “broken” and lamenting infighting that he feels ultimately renders it ineffective in regulating big tech firms.
Known as one of the toughest privacy commissioners in the region, Caspar expressed frustration with the “one stop shop” model that requires input and consensus from multiple data protection authorities. Much of the ire toward GDPR enforcement centers on Ireland, which ends up playing a central role in cross-border decisions involving big tech firms due to so many being headquartered within its borders.
GDPR “broken” by infighting, vague rules
Much was made of the maximum fines allowed under the GDPR when it went into force in 2018, with companies facing penalties of up to 2% or 4% of annual global turnover (depending on the tier of violation) for serious breaches. No fine has come anywhere near that ceiling as of yet. Not only that, but cases opened as long ago as 2018 remain pending.
Expressing frustration with this state of affairs, Caspar pointed to a backlog of 28 cases against big tech firms in Ireland as a central sign of GDPR dysfunction. He sees infighting among privacy commissioners as the main reason for delayed decisions and eventual disappointing fines, with the door opened to this by rules whose vague wording leaves too much room for interpretation.
The “one stop shop” model that the GDPR establishes manages to be a problem from both ends; lead authorities such as the Irish DPA can have too much power to stall out or influence a case, but the process is also slowed down by requirements that other DPAs weigh in and consent to final decisions. For its part, Ireland has said that it needs to take longer than usual with its big tech cases because of the scope of the investigations and the potential large fine amounts.
Caspar has been at the center of a 2021 case against WhatsApp that involved pressuring users to accept new privacy terms that might violate the GDPR. In May, Hamburg issued an emergency three-month order barring Facebook from processing WhatsApp users' data for its own purposes, and asked the European Data Protection Board (the EU-level panel of data protection authorities) to issue a ruling that would apply across the entire region and extend the ban indefinitely.
Privacy commissioners may soon have more autonomy
As the former Hamburg privacy commissioner points out, the Irish DPA has yet to issue a substantial fine against a big tech firm. Ireland only issued its first fine of this kind late last year: a €450,000 (about $547,000) penalty against Twitter over the unwitting disclosure of private tweets. Germany was among the most vocal of the nations in expressing dissatisfaction with that amount, with reports that it had expected Twitter to be fined multiple millions of dollars for the offense.
Caspar said that in addition to eroding public faith in the system and frustrating privacy commissioners, backlogs in the Irish case docket cascade into delays for other data protection authorities. Investigations of smaller organizations may be held up while similar cases involving their larger rivals are still in the pipeline. Caspar gave the example of German social media firm Xing, whose investigation is waiting on precedent from an ongoing case against LinkedIn that is currently backlogged in Ireland.
Some help may be on the way for similarly beleaguered privacy commissioners, however. The Court of Justice of the European Union (CJEU) recently ruled that national authorities may, in certain circumstances, bring GDPR enforcement actions directly in their own courts even when the company is headquartered in another member state. This may be possible where the nation can establish an "emergency need" for the legal action; the example given was a recent case in Italy in which children were harmed by a trending "challenge" on TikTok. The wording of this ruling is itself somewhat vague, however, and could create more of the same argument and distraction that Caspar has warned about.
More substantial GDPR fines have been levied against big tech firms and major international corporations, but they have come from countries other than Ireland. France's CNIL has been the most active in this regard, hitting Google and Amazon with fines in the tens of millions of euros over data privacy issues. And while the GDPR still applied to it during the Brexit transition period, the UK's ICO fined British Airways and Marriott International roughly £20 million each for data breaches that leaked massive amounts of customer information. At this point every EU privacy commissioner has issued at least one GDPR fine, but fewer than a dozen countries have been particularly active or have issued fines of substance against large companies.