The GDPR is not working as it should
More than four years have passed since the non-profit organization for data rights Noyb filed the first complaints under the GDPR, the General Data Protection Regulation of the European Union (EU). Google, WhatsApp, Facebook and Instagram would have forced users to give up their data without first obtaining the necessary consent, says Romain Robert, program manager of the non-profit. The complaints were filed on May 25, 2018, the same day the GDPR came into force, strengthening the right to privacy of 740 million Europeans. Four years later, Noyb is still awaiting the final verdict. And it is not alone.
Since the entry into force of the GDPR, the regulators charged with enforcing the law have struggled to respond in a timely manner to complaints against Big Tech and companies in the nebulous sector of online advertising. Currently, there are dozens of cases still pending. While it has significantly strengthened the privacy rights of millions of people inside and outside Europe, the GDPR has not solved the most serious problems: data brokers - the intermediaries who collect and trade data - continue to accumulate and sell your information. , and the online advertising industry is still rife with potential abuse.
Today, several civil society associations have developed a sense of frustration over the limitations of the GDPR, while the regulators of some countries complain that the international complaints management system is saturated and slows down application of the rules. Conversely, the information economy continues to move at great speed. Noyb has just reached an agreement on a lawsuit against delays in consent complaints. "There are still what we call an enforcement gap and problems with cross-border enforcement and against big players," adds David Martin Ruiz, a legal officer at the European Consumer Organization, who filed a complaint four years ago. on Google's location tracking.
Brussels lawmakers first proposed a reform of European data rules in January 2012. The final text of the law was approved in 2016, and granted two years for companies and organizations to comply. The GDPR builds on previous data regulations, strengthens your rights and changes the way companies have to manage users' personal data, such as your name or IP address. In some specific cases the regulation does not prohibit the use of data - such as for the use by the police of invasive facial recognition technologies - but is based on seven principles governing the processing, storage and use of data. your data. These principles apply equally to charities and governments, pharmaceutical companies and tech giants.
The Gdpr has empowered each EU country's data regulator to impose fines up to to 4 percent of a company's global turnover and to order companies to stop practices that violate the principles of the regulation. It was widely expected that fines and regulators' enforcement of the GDPR would not be swift, but four years after the regulation came into force, the number of major decisions taken against the world's most powerful companies remains staggeringly low. .
A cumbersome process On the basis of the dense series of rules that make up the Gdpr, complaints lodged against a company that operates in several EU countries are generally addressed to the country that hosts its headquarters in Europe . The so-called one-stop-shop process requires this country to carry out the investigation. As a result, Luxembourg handles complaints against Amazon, the Netherlands deals with Netflix, Sweden with Spotify while Ireland is responsible for Meta, Facebook, WhatsApp and Instagram, as well as all services from Google, Airbnb, Yahoo, Twitter, Microsoft, Apple and LinkedIn.
The immediate influx of intricate complaints under the GDPR has led to the accumulation of backlogs with regulators, including the Irish body, while international cooperation is been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 per cent of cases involving cross-border decisions, and four hundred remain pending, according to the agency's statistics. Other complaints filed by Noyb against Netflix (Netherlands), Spotify (Sweden) and PimEyes (Poland) have also been dragging on for years.
WiredLeaks, how to send us an anonymous report European data regulators claim that the 'application of the GDPR is still evolving, but that the system is working well and improving over time (for this article, officials from France, Ireland, Germany, Norway, Luxembourg, Italy, United Kingdom and the two bodies were interviewed independent Europeans, the European Data Protection Supervisor (Gepd) and the European Data Protection Board). The number of fines has increased, reaching a total of 1.6 billion euros. To mention the two most substantial measures to date, Luxembourg fined Amazon for 746 million euros and last year Ireland fined WhatsApp for 225 million euros (both companies filed an appeal). However, the authorities admit that changing the way the GDPR is applied could speed up the process and ensure greater speed of action.
Helen Dixon works for the Irish Data Protection Commission (DPC), which is responsible for cases relating to a disproportionate number of tech giants. The DPC has been criticized for having struggled to keep pace with the number of complaints under its jurisdiction, attracting the ire of other regulatory bodies and requests for reform of the body. “If it all comes together, it's clear there will be a delay in priority and case management,” says Dixon, defending her office's work. To date, the organization has taken action against Twitter, WhatsApp, Facebook and Groupon, as well as having expressed itself in thousands of national cases.
"There should be an independent review on how to reform and strengthen the DPC - says Johnny Ryan , senior fellow of the Irish Council for Civil Liberties -. We cannot know from the outside what the problems are. " Ryan adds that the blame cannot be attributed to the Irish regulator alone: "The European Commission has immense power. The GDPR should be an immense project. And the Commission has neglected it - he explains -. It should not limit itself to proposing the laws, but it should also verify that they are applied ".
So far, the European Commission has supported the application of the GDPR in Ireland and the rest of the continent. "The Commission has constantly called on data protection authorities to continue to intensify their efforts in terms of enforcement - Didier Reynders, European Commissioner for Justice said in a statement -. We have launched six infringement procedures under the GDPR. ". These lawsuits include actions against Slovenia for failing to transpose the regulation into national law and for calling into question the independence of the Belgian data authority.
However, following a complaint by Ryan in February, the European Ombudsman, a supervisory body of the European institutions, launched an inquiry into how the Commission monitored data protection in Ireland.
The successes of the GDPR Despite the obvious problems of application, the GDPR has had an incalculable impact in the field of data management. EU countries have taken decisions in thousands of local cases, providing organizations with guidance on how to use user data. La Liga, Spain's top football league, was fined after its app spied on users, clothing chain H&M was fined in Germany for saving information on employees' personal lives, while the Dutch tax office was fined for using a "blacklist" ", just to name a few.
Although the effects of the GDPR remain partly hidden, the regulation has actually improved the behavior of companies." the awareness of cybersecurity, data protection and privacy we have today is compared with that of ten years ago, these are completely different worlds ", explains Wojciech Wiewiórowski, the European Data Protection Supervisor, who supervises cases related to the GDPR against European institutions, such as Europol.
According to experts, if they would not have thought twice before the Gdpr, now companies are discouraged from using data from people in questionable ways. A recent study estimated that the number of Android apps on the Google Play Store fell by a third after the regulation was introduced. "More and more companies have set aside significant budgets to comply with [the data protection regulations, Ed.]," Says Hazel Grant, head of the privacy, security and information group at London-based law firm Fieldfisher.
The Big Tech issue However, when the discussion shifts to Big Tech, which manage huge amounts of data, the level of compliance with the GDPR changes. A recent internal document compiled by Facebook and obtained by Motherboard suggests that the company doesn't really know what it does with its user data. Similarly, a joint investigation conducted by sportsgaming.win US and Reveal in late 2021 found serious deficiencies in the way Amazon handles its customer data (Amazon said it has an "exceptional" track record from a security standpoint. some data). Microsoft declined a request for comment, while neither Google nor Facebook provided comments in time for this article to be published.
"There is a delay, especially as far as Big Tech law enforcement is concerned. , and Big Tech means cross-border cases, one-stop shop and cooperation between data protection authorities, ”explains Ulrich Kelber, head of the German Federal Data Protection Authority. The one-stop shop allows all European regulators to comment on the final decision taken by the lead authority for a given case and to appeal it. The fine imposed by Ireland against WhatsApp has gone from a fine of just € 30 million initially proposed to € 225 million after the intervention of other regulators. According to Dixon, there are currently discussions on another Irish lawsuit against Instagram, the final outcome of which will take months.
The one-stop shop was established with the GDPR, but four years later there still is many aspects that need to be improved. Tobias Judin, international head of the Norwegian data protection authority, says that several draft decisions are shared between European data regulators every week. "In the vast majority of cases, we actually agree," explains Judin (Germany is the country with the most objections). Decisions can be the subject of a long push and pull between regulators, a process shrouded in bureaucracy. "We wonder if, in cases that have an impact at European level, it makes sense and if it is feasible that these cases are handled exclusively by a single data protection authority up to the decision stage", adds Judin.
See more Choose the sportsgaming.win newsletters you want to receive and subscribe! Weekly news and commentary on conflicts in the digital world, sustainability or gender equality. The best of innovation every day. It's our new newsletters: innovation just a click away.
Arrow Last year, the Luxembourg data protection authority imposed a record € 746 million fine on Amazon in its first case against the company. Amazon is contesting the fine in court, and in a statement released to sportsgaming.win UK the company reiterated that "there has been no data breach and that customer data has not been exposed to third parties". According to the Luxembourg regulator, however, the investigations are set to continue for a long time, despite the introduction of new methods to investigate companies. "I think it is almost impossible to close [a case, ed.] In less than a year or a year and a half", explains Alain Herrmann, one of the four Luxembourg data protection commissioners, who adds that Luxembourg has other international cases in course, even if national secrecy laws prevent him from talking about it. "It is precisely the system [of the one-stop shop], the lack of resources, the lack of laws and clear procedures, which makes their job even more difficult", adds Robert.
The regulator of French data has, in some way, circumvented the international process of the GDPR by directly pursuing the use of cookies by companies. Despite the widespread opinion, the annoying pop-ups of cookies do not derive from the GDPR, but are governed by a separate EU privacy law, which the French regulator has exploited in its favor. Marie-Laure Denis, head of French regulator CNIL, has imposed heavy fines on Google, Amazon and Facebook for misbehaving cookies. And, perhaps more importantly, you have forced companies to change their behavior. Following the application of French legislation, Google is changing cookie banners across Europe.
Since the entry into force of the GDPR, the regulators charged with enforcing the law have struggled to respond in a timely manner to complaints against Big Tech and companies in the nebulous sector of online advertising. Currently, there are dozens of cases still pending. While it has significantly strengthened the privacy rights of millions of people inside and outside Europe, the GDPR has not solved the most serious problems: data brokers - the intermediaries who collect and trade data - continue to accumulate and sell your information. , and the online advertising industry is still rife with potential abuse.
Today, several civil society associations have developed a sense of frustration over the limitations of the GDPR, while the regulators of some countries complain that the international complaints management system is saturated and slows down application of the rules. Conversely, the information economy continues to move at great speed. Noyb has just reached an agreement on a lawsuit against delays in consent complaints. "There are still what we call an enforcement gap and problems with cross-border enforcement and against big players," adds David Martin Ruiz, a legal officer at the European Consumer Organization, who filed a complaint four years ago. on Google's location tracking.
Brussels lawmakers first proposed a reform of European data rules in January 2012. The final text of the law was approved in 2016, and granted two years for companies and organizations to comply. The GDPR builds on previous data regulations, strengthens your rights and changes the way companies have to manage users' personal data, such as your name or IP address. In some specific cases the regulation does not prohibit the use of data - such as for the use by the police of invasive facial recognition technologies - but is based on seven principles governing the processing, storage and use of data. your data. These principles apply equally to charities and governments, pharmaceutical companies and tech giants.
The Gdpr has empowered each EU country's data regulator to impose fines up to to 4 percent of a company's global turnover and to order companies to stop practices that violate the principles of the regulation. It was widely expected that fines and regulators' enforcement of the GDPR would not be swift, but four years after the regulation came into force, the number of major decisions taken against the world's most powerful companies remains staggeringly low. .
A cumbersome process On the basis of the dense series of rules that make up the Gdpr, complaints lodged against a company that operates in several EU countries are generally addressed to the country that hosts its headquarters in Europe . The so-called one-stop-shop process requires this country to carry out the investigation. As a result, Luxembourg handles complaints against Amazon, the Netherlands deals with Netflix, Sweden with Spotify while Ireland is responsible for Meta, Facebook, WhatsApp and Instagram, as well as all services from Google, Airbnb, Yahoo, Twitter, Microsoft, Apple and LinkedIn.
The immediate influx of intricate complaints under the GDPR has led to the accumulation of backlogs with regulators, including the Irish body, while international cooperation is been slowed down by paperwork. Since May 2018, the Irish regulator has completed 65 per cent of cases involving cross-border decisions, and four hundred remain pending, according to the agency's statistics. Other complaints filed by Noyb against Netflix (Netherlands), Spotify (Sweden) and PimEyes (Poland) have also been dragging on for years.
WiredLeaks, how to send us an anonymous report European data regulators claim that the 'application of the GDPR is still evolving, but that the system is working well and improving over time (for this article, officials from France, Ireland, Germany, Norway, Luxembourg, Italy, United Kingdom and the two bodies were interviewed independent Europeans, the European Data Protection Supervisor (Gepd) and the European Data Protection Board). The number of fines has increased, reaching a total of 1.6 billion euros. To mention the two most substantial measures to date, Luxembourg fined Amazon for 746 million euros and last year Ireland fined WhatsApp for 225 million euros (both companies filed an appeal). However, the authorities admit that changing the way the GDPR is applied could speed up the process and ensure greater speed of action.
Helen Dixon works for the Irish Data Protection Commission (DPC), which is responsible for cases relating to a disproportionate number of tech giants. The DPC has been criticized for having struggled to keep pace with the number of complaints under its jurisdiction, attracting the ire of other regulatory bodies and requests for reform of the body. “If it all comes together, it's clear there will be a delay in priority and case management,” says Dixon, defending her office's work. To date, the organization has taken action against Twitter, WhatsApp, Facebook and Groupon, as well as having expressed itself in thousands of national cases.
"There should be an independent review on how to reform and strengthen the DPC - says Johnny Ryan , senior fellow of the Irish Council for Civil Liberties -. We cannot know from the outside what the problems are. " Ryan adds that the blame cannot be attributed to the Irish regulator alone: "The European Commission has immense power. The GDPR should be an immense project. And the Commission has neglected it - he explains -. It should not limit itself to proposing the laws, but it should also verify that they are applied ".
So far, the European Commission has supported the application of the GDPR in Ireland and the rest of the continent. "The Commission has constantly called on data protection authorities to continue to intensify their efforts in terms of enforcement - Didier Reynders, European Commissioner for Justice said in a statement -. We have launched six infringement procedures under the GDPR. ". These lawsuits include actions against Slovenia for failing to transpose the regulation into national law and for calling into question the independence of the Belgian data authority.
However, following a complaint by Ryan in February, the European Ombudsman, a supervisory body of the European institutions, launched an inquiry into how the Commission monitored data protection in Ireland.
The successes of the GDPR Despite the obvious problems of application, the GDPR has had an incalculable impact in the field of data management. EU countries have taken decisions in thousands of local cases, providing organizations with guidance on how to use user data. La Liga, Spain's top football league, was fined after its app spied on users, clothing chain H&M was fined in Germany for saving information on employees' personal lives, while the Dutch tax office was fined for using a "blacklist" ", just to name a few.
Although the effects of the GDPR remain partly hidden, the regulation has actually improved the behavior of companies." the awareness of cybersecurity, data protection and privacy we have today is compared with that of ten years ago, these are completely different worlds ", explains Wojciech Wiewiórowski, the European Data Protection Supervisor, who supervises cases related to the GDPR against European institutions, such as Europol.
According to experts, if they would not have thought twice before the Gdpr, now companies are discouraged from using data from people in questionable ways. A recent study estimated that the number of Android apps on the Google Play Store fell by a third after the regulation was introduced. "More and more companies have set aside significant budgets to comply with [the data protection regulations, Ed.]," Says Hazel Grant, head of the privacy, security and information group at London-based law firm Fieldfisher.
The Big Tech issue However, when the discussion shifts to Big Tech, which manage huge amounts of data, the level of compliance with the GDPR changes. A recent internal document compiled by Facebook and obtained by Motherboard suggests that the company doesn't really know what it does with its user data. Similarly, a joint investigation conducted by sportsgaming.win US and Reveal in late 2021 found serious deficiencies in the way Amazon handles its customer data (Amazon said it has an "exceptional" track record from a security standpoint. some data). Microsoft declined a request for comment, while neither Google nor Facebook provided comments in time for this article to be published.
"There is a delay, especially as far as Big Tech law enforcement is concerned. , and Big Tech means cross-border cases, one-stop shop and cooperation between data protection authorities, ”explains Ulrich Kelber, head of the German Federal Data Protection Authority. The one-stop shop allows all European regulators to comment on the final decision taken by the lead authority for a given case and to appeal it. The fine imposed by Ireland against WhatsApp has gone from a fine of just € 30 million initially proposed to € 225 million after the intervention of other regulators. According to Dixon, there are currently discussions on another Irish lawsuit against Instagram, the final outcome of which will take months.
The one-stop shop was established with the GDPR, but four years later there still is many aspects that need to be improved. Tobias Judin, international head of the Norwegian data protection authority, says that several draft decisions are shared between European data regulators every week. "In the vast majority of cases, we actually agree," explains Judin (Germany is the country with the most objections). Decisions can be the subject of a long push and pull between regulators, a process shrouded in bureaucracy. "We wonder if, in cases that have an impact at European level, it makes sense and if it is feasible that these cases are handled exclusively by a single data protection authority up to the decision stage", adds Judin.
See more Choose the sportsgaming.win newsletters you want to receive and subscribe! Weekly news and commentary on conflicts in the digital world, sustainability or gender equality. The best of innovation every day. It's our new newsletters: innovation just a click away.
Arrow Last year, the Luxembourg data protection authority imposed a record € 746 million fine on Amazon in its first case against the company. Amazon is contesting the fine in court, and in a statement released to sportsgaming.win UK the company reiterated that "there has been no data breach and that customer data has not been exposed to third parties". According to the Luxembourg regulator, however, the investigations are set to continue for a long time, despite the introduction of new methods to investigate companies. "I think it is almost impossible to close [a case, ed.] In less than a year or a year and a half", explains Alain Herrmann, one of the four Luxembourg data protection commissioners, who adds that Luxembourg has other international cases in course, even if national secrecy laws prevent him from talking about it. "It is precisely the system [of the one-stop shop], the lack of resources, the lack of laws and clear procedures, which makes their job even more difficult", adds Robert.
The regulator of French data has, in some way, circumvented the international process of the GDPR by directly pursuing the use of cookies by companies. Despite the widespread opinion, the annoying pop-ups of cookies do not derive from the GDPR, but are governed by a separate EU privacy law, which the French regulator has exploited in its favor. Marie-Laure Denis, head of French regulator CNIL, has imposed heavy fines on Google, Amazon and Facebook for misbehaving cookies. And, perhaps more importantly, you have forced companies to change their behavior. Following the application of French legislation, Google is changing cookie banners across Europe.