The EU’s landmark privacy rules were hailed as a success when launched in 2018, but some believe they have placed too much weight on individual authorities and have led to sluggish activity and more bureaucracy.
TikTok recently came under the jurisdiction of Ireland’s Data Protection Commission, adding to a hefty workload for the Irish regulator.
With several major tech firms, including Facebook, Google and Twitter, holding their European headquarters in Dublin, the DPC has become Europe’s most high-profile data watchdog in enforcing GDPR, the region’s data privacy rules.
The regulation, with its possibility for big fines, is seen as the most robust piece of data protection law in history. But the DPC’s elevated status since it came into effect has raised questions around how well resourced it is to handle such a large and important workload.
The DPC’s annual report for 2020 outlined that it handled 10,151 cases in total that year, an increase of 9%. Meanwhile, the authority is in the middle of a high-profile legal case with Facebook over data transfers to the U.S.
In December, more than 2½ years after GDPR came into effect, the DPC issued its first GDPR financial penalty against a major U.S. tech company when Twitter was fined 450,000 euros ($535,594).
The length of the investigation and the sum of money drew criticism from Max Schrems and other data protection advocates.
Noyb, the organization founded by Schrems, is a frequent critic of the DPC. Romain Robert, a senior lawyer at Noyb, said that the organization has been frustrated by the enforcement of GDPR by most data protection authorities in Europe.
“The expectations towards the DPC are really disappointing. We don’t see that many decisions,” Robert told CNBC.
Graham Doyle, the deputy commissioner at the DPC, told CNBC that investigations, especially cross-border probes into big tech firms, take some time.
“I’ve been saying this since May 2018, trying to manage expectations, do not be expecting these big headline fines (immediately). It’s going to take time,” Doyle said.
“There is this focus on the pace at which investigations go and a belief that just because you have more people, it means things will happen quicker. That’s not necessarily the case. In some areas it will help but in others it means that you can do more simultaneously,” Doyle said.
In the country’s last budget, the DPC received 19.1 million euros in funding from the Irish government, up from 16.9 million euros the year before. The agency has close to 150 employees and will be at 200 by the end of the year.
Doyle countered calls for swift decisions to be made once complaints are filed.
“That’s not taking into account fair procedures, that’s just making an assumption,” he said.
GDPR established the one-stop-shop mechanism, which allows companies operating across the EU to report to one member state’s data protection authority. It is under this mechanism that TikTok and several others report to the DPC.
It means the Irish watchdog is often the lead investigator on cross-border investigations, such as the probe into Twitter and several open investigations into Facebook and its services.
“Absolutely it is the case that the one-stop-shop has meant that the Irish DPC has become the de facto lead regulator for many of the big tech platforms,” Doyle said.
Johannes Caspar, the chief of Hamburg’s data protection authority, has been vocal on the effectiveness of this approach.
“The one-stop-shop procedure has shown massive deficits as it leads to inefficiency, bureaucratic structures and to massive differences between law enforcement in purely national and EU-wide procedures,” Caspar told CNBC.
He said the procedures for carrying out cross-border inquiries can be “extremely bureaucratic.” It can lead to domestic investigations carrying on swiftly but the large banner investigations moving at a slower pace.
“Effective protection of the rights and freedoms of data subjects, but also fair competition in the digital market, cannot be achieved in this way,” he said.
Pipeline of cases
As GDPR’s third birthday approaches in May, the DPC has a “strong pipeline” of major decisions that will be published in 2021, Doyle said.
One of those is an investigation into Facebook-owned WhatsApp over how data is shared between the messaging app and its owner. The probe is expected to yield a fine between 30 million euros and 50 million euros, marking the first massive fine from the DPC in the GDPR age.
“I would counter the argument that is being put forward in terms of the pace of investigations. We’ve made ground-breaking steps in terms of the GDPR in cross-border investigations. It’s a new piece of legislation that’s only in almost three years,” Doyle said.
For Noyb’s Robert, it’s still not enough. He said that with a few notable exceptions — such as French authority CNIL’s 50 million-euro sanction on Google — many of the continent’s data protection authorities have been acting too slowly.
“A lot of people are focusing on the DPC but some of the other DPAs (Data Protection Authorities) are really disappointing as well,” he said, pointing to the Luxembourg authority, which has Amazon under its umbrella but has not taken any action.
He added there is a need for an objective analysis of all DPAs’ resources, budgets, and workloads to get a true sense of how GDPR is performing.