A recent letter from the advocacy group European Digital Rights (EDRi) highlights a troubling gap in the ability of EU countries to enforce GDPR terms, leading to a pattern of uneven fines and actions in the privacy’s laws early years. The lack of resources is preventing some DPAs from following up on their cases, particularly when large multinational tech companies are involved.
Uneven GDPR enforcement plagues DPAs
The EDRi letter calls for urgent action from the EU Commission and the European Data Protection Board (EDPB) along with all of the national data protection authorities (DPAs). The letter cites not only a lack of resources in some member states, but also accuses some DPAs of misapplying the GDPR. The group calls for complementary and supporting legislation as the primary means of addressing these issues.
The letter cites abuse of consent as a particular problem, observing frequent deceptive design in notification systems. Consent notifications are being bundled into terms of service and sub-pages that do not meet the GDPR’s clarity requirements, and the letter also notes that economic pressure sometimes sways users to accept terms that they otherwise would not.
Further, data subjects do not appear to have sufficient access to behavior profiles that are generated by collected data; such profiles become their own sort of protected data and are subject to GDPR access and correction requirements.
Data minimization principles are also not always being followed. This principle requires organizations to limit data collection to personal information that is “necessary” for the purpose at hand, but leaves some wiggle room by not being very specific as to what that means. Article 5 defines necessary data as being “adequate, relevant and limited.” This is an area in which the DPA is expected to exercise its judgment and act in good faith, something that might be put to the side if it is operating with a lack of resources.
Lack of resources and political issues
The first regulatory problem that EDRi observes is a simple lack of resources provided by member states to their DPAs. The letter does not name specific countries, but urges the EDPB and EU Commission to initiate infringement procedures against states that are not providing DPAs with adequate resources to enforce GDPR terms.
In some cases, EDRi feels that member states and their DPAs are being intentionally evasive. Here the organization gets more specific about problem states. EDRi actually characterizes “most” states as either misusing exemptions or some other aspect of the GDPR in some way.
One of the central issues is that most member states have not applied the “collective complaints” provision found in Article 80 (paragraph 2), which allows non-governmental organizations to bring GDPR complaints on behalf of an impacted group. The report notes that this makes it considerably more difficult to hold large tech companies to account when the violations are systemic.
The letter notes that the GDPR enforcers in some member states have been politicized to target journalists and activists. It specifically calls out Poland, Hungary, Slovakia and Romania for this type of activity.
In general, EDRi finds that member states are applying overly broad exemptions under Article 23. This article allows for derogations in certain situations, such as national security or in the interest of protecting public institutions.
Other issues include the overbroad interpretation of conditions in Article 6 and the exploitation of loopholes in Article 9, which carve out exception conditions in which explicit consent to process sensitive personal data is not required.
Fixing the problem
In terms of immediate remedies, EDRi suggests the use of Article 66 in cross-border cases where a particular state may not be acting appropriately. This “urgency procedure” can be invoked when there is an immediate need to protect the rights of data subjects, creating the possibility of obtaining a binding decision from the EDPB that must then be followed by reticent DPAs.
However, many of these issues (particularly those involving a lack of resources) would need to be addressed with supporting legislation. The EDRi letter calls for these issues to be addressed in the upcoming Digital Services Act (DSA). Slated to be passed in Q4 2020 by the European Commission, this act will create a new legal framework for the regulation of digital services throughout the EU.
The letter also renews the call for an ePrivacy Regulation, something the group originally petitioned for in 2019. This regulation would specifically address problems created by business models that profit from surveillance of customers, and was originally drafted as a response to the Cambridge Analytica incident.
A recent report from Brave, the company behind the popular privacy-focused internet browser of the same name, characterizes the GDPR as being “in danger of failing” due to a widespread lack of resources. The report found that member state DPA budgets had dropped 9% since 2019, and that half of the national data protection regulators had annual budgets of under €5 million. The Irish data protection agency, which takes point on international cases due to the presence of so many tech industry headquarters in the country, is particularly impacted by a lack of resources that makes it difficult to properly investigate big tech companies.