More and more waves around our data after two years of GDPR
The European Commission sees no reason to modify the GDPR – the General Data Protection Regulation, which came into force on 25 May 2018. Although the review was an obligation, no one expected a proposal for change: European legal acts are usually evaluated only after three years, and data protection is complex enough that trends can be seen only in the longer term.
Even the Commission's report had to note that not all of the possibilities for protecting our data are yet being used. Although the power to levy fines has been exercised and the site enforcementtracker.com records 305 cases, our data are still in danger.
The fines also indicate that there is plenty to improve. A big Belgian company did not ensure the independence of its data protection officer (an interesting number: half a million companies registered that they had nominated a data protection officer); others lost data: a pendrive with customer data was recently lost by Heathrow airport, EasyJet customers were not spared either, and Twitter account data were leaked yet again. While Facebook, Google and also Apple were in the firing line before, the relatively smaller Twitter remained rather unscathed until now, as it is smaller and mostly deals with public posts. We have to remember nevertheless that it suffered one of the first big data leaks. Trump got annoyed with Twitter when, in the wake of its efforts to limit hate and violent speech, it also marked one of his posts as violent. While Google is under attack for its anti-competitive behaviour, Facebook is mainly under fire for its treatment of personal data. Lately this has been compounded by accusations of being too liberal in dealing with hate speech, violent speech and fake news – Facebook also declared that it would not have done (and in fact did not do) what Twitter did with the president's posts.
The Trump attack is intended to prepare the withdrawal of section 230 of the Communications Decency Act, which has protected media platforms in the name of free speech.
The attack also claims to protect free speech – that of the President and of politicians in general. Maybe that is the reason why all the big IT firms protested against the plans, although their stakes are different.
COVID-19 and even the "Black Lives Matter" movement were also exploited by crooks recently: phishing e-mails pretended to originate from the WHO and from county authorities – the latter purportedly collecting information about the movement – but their payload was malware. The Norwegian data protection authority (Norway is not an EU member but is a member of the European Economic Area and thus subject to the GDPR) recently ordered the suspension of the country's COVID tracking app due to privacy concerns. The face recognition company Clearview has amassed 3 billion photos – and it is stunning what they can do with them. The British Home Office was also reprimanded for illegally transferring witness testimonies to the U.S. in a terrorism case, because it did not ascertain that appropriate safeguards were in place to ensure the privacy of the witnesses. The Privacy Shield, which replaces an adequacy decision (a decision enabling transfer to a given country without further safeguards, though not without a legal arrangement or contract), applies only to companies that register for it, not to public authorities; the legal basis of the transfer is therefore questionable.
The Privacy Shield itself is also in limbo in Europe. In the Schrems II case, beyond the fate of the Privacy Shield and of the "standard contractual clauses for transfer to third countries" (approved by the European Commission under the directive preceding the GDPR and serving as one of the possible bases for transfer), the Court also has to decide whether the public interest of a third country can be a legal ground, equivalent to the public interest of a European (EEA) country, that justifies the disclosure of personal data.
In fact, transferring data to countries outside the jurisdiction of the GDPR was one of the two topics that the Commission singled out for particular evaluation in its report on the General Data Protection Regulation. We also wrote about this (accessible to premium subscribers), but we also know that the European Court of Justice will announce its judgment in the Schrems II case on 16 July, and then we will know more about which safeguards can still be applied.
The other topic emphasised is international co-operation between the data protection authorities (DPAs) of European countries. One of the main novelties of the GDPR was the creation of a new framework for meaningful cooperation between the data protection authorities of the EEA, replacing the rather informal "Article 29 working group", which mainly issued opinions, and adding coordination and decision rights to its mandate.
This means that both complaining data subjects and data controllers have to deal with only one data protection authority (the "one stop shop" system). A precondition for this system to work is that the practice of the different data protection authorities is harmonised (to avoid "regulatory arbitrage").
Thus, the authority of the country hosting the European headquarters of a multinational would be the lead authority and would have the responsibility to liaise with the others, including the one in the country of the complainant, which would receive the complaint. Good news: the British and the Irish DPAs have just announced that they will start their first joint investigation – into Clearview, the face recognition company.
One means of harmonisation is the guidance issued by the European Data Protection Board (EDPB): 10 guidelines between May 2018 and the end of 2019. The Board also issued 57 other documents, including individual opinions. No surprise, on the other hand, that where the GDPR gave the right to deviate from the baseline (as in the case of the age limit for minors, which is set at 16 years but which member states can lower to 13), different national rules were adopted. Also, there is no uniform practice in reconciling the right to information with the right to privacy – another point where the individual countries have a free hand, within the limits of the general principles, some of which were set out in judgments of the European Court of Human Rights. The evaluation report deplores these differences.
An interesting development on the subject of the "one stop shop": while the Commission's evaluation was passing through the internal approval process, the French Supreme Court gave a clean bill of health to the French DPA, the CNIL, which had fined Google (whose European headquarters are in Ireland) a record 50 million euros over its non-transparent manner of obtaining consent for using the user data collected by its Android operating system and transferring them to other companies. It has to be noted that the Irish authority is widely criticised because, even after a year-long reorganisation and the takeover of the tasks of the departed deputy commissioner, 20 procedures are still ongoing without a decision in any of them. The argument for bypassing the lead authority, however, was that, first, Google Ireland had no relation to the Android-related activity and, second, the Android privacy statement did not mention Google Ireland. Therefore, this decision may not undermine the one stop shop as much as its critics claim. The amount itself is small compared to the fines and the taxes to be repaid to which Google and Co. are also subject in the areas of competition, consumer protection and state aid, but very high in the context of data protection.
Beyond transfer to third countries and international cooperation in data protection, the report gives a general overview of almost all developments following the GDPR. A year ago some figures and a report were also published; the present paper had to take into account the contributions of the EDPB, the Multi-Stakeholder Data Protection Expert Group and other stakeholders, such as other EU institutions and national data protection authorities. Numbers again: 69% of Europeans over 16 have already heard about the new Regulation, and 71% of them know about the data protection authority of their country.
An indicator of the success of the GDPR is its international following – more and more countries align their data protection legislation with it and seek an adequacy decision. Data protection authorities in member states were reinforced, although not all to the same extent. Overall staffing has increased by 42% and budgets by 49%. No surprise that the Luxembourg and Irish authorities were among those receiving the most, as they will be lead authorities in many cases because many big players in the IT world have their European headquarters there – and, as we have seen above, at least for Ireland this is still not enough. The other big "winners" were the authorities of the Netherlands, Iceland (like Norway, only a member of the EEA) and Finland.
A lot of the work of these authorities is based on individual complaints, and complaints are an important way to force compliance with the regulation. This will be helped by the recent agreement between the Council and the Parliament to enact a system of class actions: beyond the already existing legal possibility, support has to be given by governments, and each country has to have at least one registered organisation representing consumers in complaints. An Austrian court has already decided that consumers can also go to court, not just to the overloaded DPA; the German Federal Court of Justice has just asked the European Court of Justice to confirm this right (which it had already established under the old directive). Moreover, an organisation registered in one member state can represent consumers before the authorities of any country in the EEA. If we, consumers – or data subjects, as we are called in the GDPR – raise our voice for our rights, it will be to the benefit of all.
László S. Szabó, Szabó Consulting