Is DPA enforcement in the EU deficient by design?
This was the provocative question posed by Dr Orla Lynskey, Associate Professor of Law, London School of Economics, at the European Data Protection Supervisor's Conference, which I attended in Brussels on 16 and 17 June. Enforcement issues arise in all the jurisdictions developing new EU-inspired privacy laws, such as Canada, California, Mongolia and Thailand.
Enforcement models under EU law are indeed under review, and so it is important to identify the challenges and opportunities which they represent, said Leonardo Cervera Navas, Director, Office of the European Data Protection Supervisor (EDPS). He suggested that one should distinguish challenges which apply to one Data Protection Authority (DPA) from those which are structural to the whole system. He asked which challenges can be fixed under the current system and which might need a different approach to achieve the GDPR's goals. "The EDPS strategy is to advance the effective protection of the fundamental rights to privacy and data protection of our citizens."
My own observations add a regulator and consumer perspective on enforcement, which companies need to understand if they are to represent their interests effectively before the DPAs, in particular countries and on specific issues.
It is well known that the GDPR is a single Regulation applying across the European Economic Area (EEA), and it has the benefit for all parties of imposing a consistent set of principles, individual rights and company duties across the region. But in practice, as several speakers at the conference explained, there are many differences in the way the GDPR is enforced across the 30 EEA Member States.
The One-Stop-Shop mechanism, coordinated through the European Data Protection Board, is a work in progress. In theory, it would have been more cost-efficient, for example, to conduct one European Data Protection Board investigation into Clearview, the US-based facial recognition software company, instead of separate ones in France, Greece and Luxembourg, plus, outside the EU, in the United Kingdom, Australia and Canada. But sanctions in the form of fines are always imposed by the national DPAs, so each of them has to investigate and provide evidence of breaches of the law in its own jurisdiction.
Three perspectives on enforcement
Ulrich Kelber, Germany's Federal Data Protection Commissioner, explained that DPAs need to monitor compliance, as accountability is essential.
Ursula Pachl, Deputy Director General of BEUC, the European Consumer Organisation, developed this point: "We need strong European institutions and credibility in our institutions by effective enforcement. The GDPR has not met these expectations."
Max Schrems, founder of noyb, the leading privacy advocacy group, declared that there are procedural problems when pursuing complaints. He knows of 50 cases in which DPAs have been unable to give their decisions for up to five years, even when they speak the same language as the complainant. Also, it costs €30 to take a complaint to a court in Austria but can cost up to €5,000 in other EU countries. Pursuing a legal case can cost €100,000, although when noyb wins, these costs are refunded.
For an example of procedural problems from the privacy rights perspective, Romain Robert, Program Director, noyb, told me that his team is reviewing the procedures required to make a complaint to a national DPA. These procedures often differ fundamentally between countries, for example regarding access to documents and the right to apply for certain actions by the DPAs. In response, noyb is establishing a Netherlands branch, which will have standing to pursue a collective action case there.
Spotify gave an incomplete response to an access request, and noyb complained to Sweden's DPA. On 22 June, noyb took the matter further by filing a case with the Administrative Court to challenge the DPA's decision. The DPA's view is that the "right to lodge a complaint" under Article 77 GDPR, which should give everyone free access to enforcement, is only a right to "petition" the authority.
Taking a positive perspective, Kelber gave the example of Spain's DPA, which imposes many fines each year, showing that "the GDPR gives us everything we need," although every country has its procedural obstacles. He gave the example of Germany, where it is more difficult to impose a fine on a company than on an individual. There is a need to identify the strategic cases with an impact on others in a sector or on wider society.
In the Facebook case (PL&B International Report, December 2019), Kelber told the conference that he had visited Andreas Mundt, President of the Bundeskartellamt, Germany's Federal Cartel Office, in Bonn, and they agreed that the latter would be the more effective regulator.
On the issue of the European Commission (EC) trying to achieve consistency across the EU by asserting the primacy of EU law over national law, Paul Nemitz, Principal Advisor in the EC's Directorate General for Justice and Consumers, pointed out that the Commission does not bring infringement proceedings against national courts. This is why points of law are resolved by referring them to the Court of Justice of the EU. He recommends that DPAs look to competition law regulators for inspiration by recruiting public prosecutors and/or competition law enforcers.
For the foreseeable future, companies will face major differences between DPAs in EU Member States. In general, DPAs in Eastern Europe lack the resources to work as effective regulators. By contrast, in Germany there is a regulator in each of the 16 Länder (states), and companies tend to build relationships with their Land DPA. The role of Data Protection Officer is well established there, and companies resource DPOs to give independent advice to management and to provide education and training in their organisations.
In short, DPA enforcement may be deficient in practice, although not by design.
Many of these issues were addressed at Winds of Change, PL&B's 35th Anniversary Conference in Cambridge last month. If you attended in person or online, you can now see full videos of the sessions. If not, you can register for online access and then see the full videos. For a taste of the sessions, you can see the programme, video clips, photos and more. Save the date for next year's conference, 3-5 July 2023, again at St John's College, Cambridge.
Meanwhile, on 3 October we have organised a Roundtable in London on the International Transfers aspects of the UK's Data Protection and Digital Information Bill, published last month, which will produce a Memo to the Minister incorporating your constructive comments. We look forward to meeting you there.
Publisher, Privacy Laws & Business