The European Union's lead data protection agency for most of big tech has released its annual report, which shows a further large increase in complaints submitted under the bloc's updated data protection framework and highlights the continuing appetite of EU citizens to exercise their rights.
However, what the report does not show is firm enforcement of EU data protection rules against big tech.
The report relies heavily on statistics to illustrate the amount of work accumulating on the desks in Dublin. It's about decisions on highly anticipated cross-border cases involving technology giants like Apple, Facebook, Google, LinkedIn and Twitter.
The General Data Protection Regulation (GDPR) began to apply across the EU in May 2018 and is close to its second birthday. Enforcement actions against technology giants are still very few, even for companies with a global reputation for losing people's privacy.
This is despite the fact that Ireland has carried out a large number of open cross-border investigations into the data practices of platform and adtech giants – some of which stemmed from complaints filed at the time the GDPR came into force.
In the report, the Irish Data Protection Commission (DPC) notes that it has initiated another six legal investigations into GDPR compliance by "multinational technology companies", increasing the total number of key probes to 21, a pile that continues to stack up. (Since then, at least two more have been added, with an investigation into Tinder and another into Google's location tracking opened this month.)
The report is much less interested in trumpeting the fact that decisions about cross-border cases remain a big fat zero to this day.
Just last week, the data protection agency publicly raised concerns about Facebook's approach to assessing an upcoming product's privacy impact in terms of GDPR requirements – an intervention that delayed the regional launch of Facebook's dating product.
This discrepancy (cross-border cases: 21; Irish DPC decisions: 0), together with the increasing anger of civil rights groups, data protection experts, consumer protection organizations and ordinary EU citizens over the lack of flagship enforcement on important data protection complaints, clearly increases the pressure on the regulator. (There are other examples of GDPR enforcement against big tech. Well, France's CNIL is one of them.)
In its defense, the DPC has a terrible case load, as other statistics it is keen to put in the spotlight show. A total of 7,215 complaints were received in 2019, a 75% increase on the total number (4,113) received in 2018. A full 6,904 of these were handled under the GDPR (while 311 complaints were filed under the Data Protection Acts 1988 and 2003).
The report also recorded 6,069 data breaches, an increase of 71% over the total (3,542) last year.
Dublin, meanwhile, received 457 complaints about cross-border processing via the one-stop shop mechanism of the GDPR. (This is the tool the Commission developed for the 'lead regulator' approach, which is built into the GDPR and has landed Ireland in the regulatory hot seat. Other data protection authorities are handing Dublin a lot of paperwork.)
The DPC is bound to go back and forth in cross-border cases because it works with other interested regulators. All of this, as you can imagine, offers a rich opportunity for employed technology giants to add extra friction to the oversight process – by asking them to review and query everything. (Insert the sound of a can being hoofed down the street.)
In the meantime, the agency that is supposed to regulate most of big tech (and many others), which writes in the annual report that it increased its full-time employees from 110 to 140 last year, did not receive all the funds it required from the Irish government.
So it also faces the hard upper limit of its own budget (only EUR 15.3 million in 2019), compared with, for example, the USD 46.1 billion in sales of Google's parent Alphabet in 2019 as a whole. So, um, do the math.
Nevertheless, the pressure is clearly on Ireland to deliver important GDPR enforcement measures.
A year of serious enforcement inactivity could be filed under "Litter". But two years without major decisions would not be a good look. (It has already said that the first decisions will be made early this year. So it seems to be hoping that there is something to show for the GDPR's 2nd birthday.)
High-profile complaints that require regulatory action include behavioral ads served in real time through programmatic advertising (which the UK data watchdog has admitted for half a year is widely illegal); cookie consent banners (which remain a Swiss cheese of non-compliance); and adtech platforms cynically forcing user consent by requiring users to agree to be microtargeted with ads in order to access the ("free") service. (The GDPR stipulates that consent as a legal basis must be freely given and cannot be bundled with other things, so …)
Full disclosure: theinformationsuperhighway's parent company, Verizon Media (formerly Oath), is currently being examined by the data protection authority, which is checking whether it meets the transparency requirements of the GDPR under Articles 12 to 14 of the Regulation.
Striving to put a positive spin on the total lack of a big tech privacy reckoning in 2019, Commissioner Helen Dixon writes in the report: "2020 will be an important year. We are waiting for the ECJ's judgment in the case of SCC data transmission. The data protection authority is launching the first draft decision on big tech investigations as part of the consultation process with other EU data protection authorities, and scientists and the media will continue to do their outstanding work to spotlight bad practices in the area of personal data."
In further comments to the media, Dixon said: "At the Data Protection Commission, we were busy giving guidelines to organizations in 2019, solving complaints from individuals, conducting larger investigations, reviewing data breaches, exercising our powers of correction and working with our EU and global counterparts and litigation to ensure a definitive approach to applying the law in specific areas.
"Much remains to be done to control the proportionate and correct application of this principle-based law and, if necessary, to enforce the law. However, a good start is half the battle, and the DPC is happy about the foundations laid in 2019. We are already expanding our 140-strong team to meet the requirements of 2020 and beyond."
There is also a notable date this year when the GDPR turns two, because the Commission is due to review the functioning of the regulation in May.
This is a deadline that can help focus minds on decision making.
According to the DPC report, the largest category of complaints received last year fell under the "access requests" heading, where controllers do not disclose (all) personal data on request. This accounted for 29% of the total, followed by disclosure (19%); fair processing (16%); e-marketing complaints (8%); and right to erasure (5%).
In the security area, the majority of the notifications received by the DPC related to unauthorized data disclosure (also known as breaches), with a total of 5,188 across the private and public sectors, compared to only 108 for hacking (although the second largest category was actually lost or stolen paper, with 345).
There were also 161 phishing notifications; 131 notifications of unauthorized access; 24 malware notifications; and 17 of ransomware.