Why the EU’s General Data Protection Regulation (GDPR) risks turning into a paper tiger

Ireland’s Data Protection Commission (DPC) has just announced two new GDPR inquiries. One of them concerns Tinder, as a result of “concerns raised by individuals both in Ireland and across the EU”. The other inquiry will examine Google’s processing of location data and the transparency surrounding that processing. The issue is whether consent to share users’ location data was freely given, and whether consumers were tricked into accepting privacy-intrusive settings. Although it’s good news that Google is being investigated here, the European consumer organization BEUC points out that some of its members made an initial complaint to the DPC about this issue back in November 2018:

Google collects users’ location data notably through the features ‘location history’ and ’web & app activity’, which are integrated into all Google user accounts. The company uses various tricks and practices to ensure users have these features enabled and does not give them straightforward information about what this effectively entails.

In November 2019, BEUC sent another letter to the DPC, noting: “One year after these complaints were filed, it has yet not been decided whether Google infringed the GDPR.” As Monique Goyens, Director General of BEUC, said:

Considering the scale of the problem, which affects millions of European consumers, this investigation should be a priority for the Irish data protection authority. As more than 14 months have passed since consumer groups first filed complaints about Google’s malpractice, it would be unacceptable for consumers who trust authorities if there were further delays. The credibility of the enforcement of the GDPR is at stake here.

It’s not just delays with one investigation that are a concern: the same is true of many others. In a short note marking the first year of the GDPR, the DPC said it was carrying out 19 cross-border investigations into multinational technology companies and their compliance with the GDPR. In its annual report for 2018, the DPC listed 15 of them: ten involved Facebook, two each for Twitter and Apple, and one concerning LinkedIn. The reason for this huge workload is that these companies have their EU headquarters in Ireland, and so under the GDPR, it’s the local data protection authority – the DPC – that is supposed to investigate alleged privacy problems for the whole of the EU. But the unbalanced concentration of top Internet companies in Ireland is proving to be a real problem for the GDPR, as Germany’s federal data commissioner said recently:

“None of the cross-border cases under new data protection rules have been addressed,” Mr Kelber told The Irish Times. “This touches largely on cases where the headquarters of the company is in Ireland – but not only.”

The German regulator suggested this was because the DPC was “insufficiently equipped for its task”. Last year, the DPC was allocated an extra €1.6 million (about $1.75 million) in the Irish budget, a third of the extra money it sought, bringing its total funding to €16.9 million ($18.6 million). But privacy expert Max Schrems disagreed. He wrote on Twitter: “just talking about budget is too little however, other [data protection authorities] get much more done with *way* less resources and [personnel]. The DPC needs to implement efficient procedures ASAP!” He pointed out another serious problem in Ireland: too few judges to handle all the GDPR cases coming through: “Simplest way to show that Ireland will be unable to enforce #GDPR: They don’t even have enough judges for appeals of 4k cases/year.” He noted that Ireland has around one judge per 28,000 people, whereas Germany has one judge per 3,800 people.

This problem has been evident for a while. A 2019 article on Politico pointed out that the GDPR may be the “world’s toughest standard for data privacy“, but the failure by the DPC – what Politico calls “its chief enforcer” – to impose fines weakens it greatly, since there are no serious consequences for breaking this EU law.

Things are likely to get worse, not better, as new GDPR infringements are spotted. For example, a recent academic paper explores consent management platforms (CMPs), which allow Web sites to obtain permission when they collect and process users’ personal data. But the researchers found that “dark patterns” – essentially, design tricks – are frequently being used to obtain consent: “The results of our empirical survey of CMPs today illustrates the extent to which illegal practices prevail, with vendors of CMPs turning a blind eye to – or worse, incentivising – clearly illegal configurations of their systems.”

The apparent scale of this abuse means that complaints to data protection authorities in the EU are likely, including to the DPC. Because the problem is generic, rather than specific to one online site, it will require coordinated action by data protection authorities across the EU, which will tie up resources at the already-stretched DPC, slowing it down even more. Ironically, that might encourage other Internet companies to move their European headquarters to Ireland, in the cynical hope that it will be years before any GDPR problems are dealt with there. Meanwhile, healthy profits can be generated to offset any future fines.

If the EU wants the GDPR to fulfil its potential, and not be crushed under its own weight, it’s time a centralized data protection agency was created somewhere in the EU. It would need to be well-funded by all EU member states so that it can deal with this growing problem of backlogged cases. Without a strong and efficient enforcement arm, there is a serious risk of the GDPR turning into a weak and irrelevant paper tiger.

Featured image by Merlyn Barrer.