GDPR: anniversaries, reports and open letters, but no fines
On the second anniversary of the regulation implementation date, we still await a bite from the tiger
25 May 2020
With so much of the world’s focus still on the global Covid-19 pandemic and its effects on everything from social interaction to the economy, one might be forgiven for putting concerns over data protection to the back of one’s mind.
However, the news that the identities of historical abuse survivors in Northern Ireland have been circulated via email by the Historical Abuse Inquiry (HIA) has once again demonstrated the need for data protection and regulation measures that are effective.
The news comes as the Irish Data Protection Commission (DPC) announced the submission of a draft decision “to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland. This own-volition inquiry was commenced by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR.”
That was last Friday (22/05/2020), and today, 25 May 2020, the two-year anniversary of the enforcement date of the General Data Protection Regulation (GDPR), the DPC’s actions have drawn sharp, detailed and considered criticism from NOYB, Max Schrems’ European Centre for Digital Rights, which has taken the unprecedented step of writing an open letter to “the European Data Protection Authorities, the European Data Protection Board, the European Commission and the European Parliament,” to say “we are deeply concerned about the approach the Irish Data Protection Commission (DPC) has taken in three high profile cases against Facebook, Instagram and WhatsApp.”
Schrems points out that this report is merely a step in a six-stage process that could see it being more than three years before any real finding is acted upon, namely a punitive fine for perceived breaches of regulation.
By contrast, Schrems cites the French data protection authority, CNIL, which “was able to single-handedly issue a €50 million fine against Google within seven months. In contrast, after two years, the DPC has completed the first of six steps last week in the cases against Instagram and WhatsApp, while highly disturbing actions were taken in the first two steps of the DPC’s ‘six step procedure’ in the case against Facebook”.
To be honest, Schrems has a point.
While the Irish Data Protection Commissioner Helen Dixon has always resisted sensationalist efforts to act in haste, her tendency to ensure that all ‘I’s are dotted and ‘T’s crossed has led to a perception of inaction, or at the very least ineffective action, that has been interpreted as allowing the tech giants in question to race ahead of the market and effectively bypass the regulations.
In its open letter, NOYB provides detailed arguments for its case and in particular, Facebook’s GDPR “consent bypass”.
Schrems also highlights the fact that the content of the reports from the Irish DPC is still undisclosed until they are reviewed by other data protection authorities.
All of which leaves the DPC here in a deeply unenviable position.
Tasked with keeping the tech giants, all of which have vast monetary, technical and legal resources at their disposal, compliant — the DPC here has a team of around 130 and a budget of less than €17 million.
Dixon has demonstrated herself, and her leadership of the commission here, to be nothing other than efficient and diligent, and yet, the need for swift action is in stark contrast. While it is absolutely necessary that any action taken by a data protection authority (DPA) is properly investigated, adjudicated and implemented, it is also required to be timely, efficient and responsive to the needs of the data subjects – none of which is happening, according to Schrems and NOYB.
Two years after the implementation date, there can be no doubt that GDPR has done more to support awareness and implementation of data protection and rights than any other regulation in history. However, despite its being adopted as a model around the globe, it is deeply flawed if it is effectively unenforceable due to the complexities of any judgement that comes from it.
If it takes three years or more to actually hand out a fine from it, then what use is it? Even with its provision for massive fines, if a defendant can tie up proceedings with endless appeals before compliance, then surely it is a paper tiger.
Despite the current projected timelines for fines being confirmed by many commentators over the last year or so, it does nothing to tackle the perception of inaction that could be, and has been, interpreted by some as inaction bordering on facilitation.
If Ireland is to remain at the forefront of regulating the tech giants that are domiciled here, the authorities need to act in a more efficient, transparent and, ultimately, swift manner. While haste is not advised, results are expected and demanded.
Alas, we still watch this space.