European Digital Rights Organizations Call for Better Enforcement of the GDPR

European digital rights organizations are calling for better enforcement of the GDPR by improving DPA operations.

Europe’s privacy law, the General Data Protection Regulation (or GDPR), has largely been hailed as a success story in the world of privacy rights. This is especially true among digital rights organizations operating in Europe. Not only has the GDPR bolstered privacy rights, but it has also caused a ripple effect around the world. A number of nations have taken notice, and people started to wonder how other countries can better protect personal information. While some express annoyance at the fact that the GDPR is the reason why we see banners asking users to accept cookies, it has ushered in a new era of respect for privacy rights.

Of course, four years after the law came into force, the privacy picture is far from perfect. An often-cited sore spot for the GDPR isn’t the GDPR itself, but rather how the GDPR is enforced. Enforcement of the GDPR is carried out by national Data Protection Authorities (or DPAs). That aspect came into sharp focus thanks to some of the alleged actions carried out by the Irish DPC. In fact, when the European digital rights organization None of Your Business (NOYB) issued a statement on the recent four-year anniversary of the GDPR, DPAs were cited as a real weakness in the GDPR chain.

The question then becomes, how can these weaknesses be fixed? European Digital Rights (EDRi) has posted about this:

Almost four years after the entry into force of the GDPR, we celebrate the collective achievements of the law and take stock of the persisting shortcomings in its enforcement. While new record high fines were handed out in 2021 and an increasing number of decisions have been issued, we observe several barriers to the effective exercise of people’s rights, including their access to remedy and a lack of harmonisation in the enforcement mechanism.

For the rights and requirements of the GDPR to be delivered and realised, DPAs and the EDPB must have the necessary resources to act and national procedures for enforcement must be harmonised. Based on our experience with GDPR implementation and enforcement, we believe that our recommendations would go a long way to improve its enforcement.

An open letter was attached to this. This open letter was signed by several European digital rights organizations including Access Now, Bits of Freedom, La Quadrature du Net, Open Rights Group, NOYB, and, of course, EDRi among others. Here’s part of that open letter (PDF):

We call for the harmonisation of national procedures for the application of data protection rules
• We call on the EDPB to publish detailed information on all national procedural laws applicable to a complaint before DPAs. The information should include, among others, details about the process to file, review and resolve complaints; the definition of what constitutes a complaint and its admissibility criteria; the deadlines at all stages of the complaint procedure; the application of the right to be heard for the complainant; and the conditions applicable to representation of data subjects under Article 80 GDPR.
• We call on the European Commission to carry out a study to compare national procedural laws and analyse how their differences may impede the application and enforcement of the GDPR. Particular attention should be paid to the ability for data subjects to exercise their right to effective remedies and to their practical experiences of filing actions directly in courts or with DPAs.
• We call on the EDPB, with the support of the European Commission, to develop guidance for DPAs with the view to ensure that EU rules for the protection of personal data are applied in a harmonised manner. While DPAs exercise their powers in accordance with specific requirements in their Member State’s procedural law, these laws must comply with the principles of equivalence and effectiveness and may not render excessively difficult or practically impossible the exercise of the rights conferred by the GDPR. In particular, this guidance should ensure that data subjects have a right to be heard throughout all phases of the complaint procedure and have a right to access all documents relevant to their case. This guidance should seek to harmonise or set the deadlines at each stage of a complaint procedure to help streamline the work of DPAs and the resolution of cases.
• We call on the EDPB to develop a single EU-wide complaint template form. This form should be easily accessible on each DPA’s website, it should be available in all official EU languages, and accepted by all DPAs as a valid complaint form. This form would improve the accessibility of the complaint procedure for data subjects and help streamline the work of DPAs, including in cross border cases by helping standardise the way complaints are received.

So, these are a number of recommendations to reform the system to better protect people’s personal information. At any rate, it seems like a lot of organizations are on board with the messaging here, specifically that the GDPR has been a marked improvement on the privacy situation. One noted aspect in all of this is that record-setting fines did occur throughout 2021. This has been well documented, with the sharp spike going into 2021 being especially noticeable:

1. Amazon – €746 million
Amazon was handed a mammoth €746 million EU GDPR fine by Luxembourg’s National Commission for Data Protection in July 2021 and it dwarfs all previous breaches. The online retail behemoth has its EU base in Luxembourg and it has come under scrutiny in recent years for compiling data on its customers and partners. Amazon has appealed the fine, stating that it “strongly” disagrees with the Commission’s findings. It isn’t the first time Amazon has fallen foul of data protection regulations. The French Data Protection Authority (CNIL) fined the company €35 million in late 2020 for its alleged failure to provide cookie consent and associated information to users on its website.

2. WhatsApp – €225 million
2021 wasn’t just notable for the biggest GDPR fine on record. It also saw the second-highest financial penalty when WhatsApp was given a massive €225 million fine in August by Ireland’s Data Protection Commission. This was as a result of breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR. Specifically, WhatsApp came up short in providing information to data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” and “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”. As was the case with Amazon, WhatsApp also decided to appeal this decision.

3. – €10.4 million
2021 kicked off with a significant fine for a German online electronics retailer. On January 8, the data protection commissioner for the German state of Lower Saxony announced that the company would be subject to a €10.4 million fine for violating the GDPR’s data protection rules. For more than two years, the company had been monitoring its employees and customers with CCTV cameras while the recordings were stored for up to 60 days. While the GDPR does not prohibit the use of CCTV, surveillance must be a legitimate response and conducted with a proper legal basis.

4. Austrian Post – €9.5 million
September saw the largest GDPR fine in Austria’s history when the country’s national post service was slapped with a €9.5 million fine. The company was sanctioned for failing to enable people to make inquiries about stored personal data via email. This was despite the fact that Austrian Post had already made this possible through several mediums such as letter, online forms and customer service. However, the Austrian Data Protection Authority said that the post service should have allowed rights requests to be sent by any medium desired, including email.

Many point to these kinds of statistics as an overall success story for the GDPR. Despite this, though, some critics have pointed out that companies have simply shrugged off these huge fines as a cost of doing business. This, of course, goes back to compliance and the DPAs. Changing the culture and attitudes towards users’ personal information was never going to be easy. What’s more, implementing a law isn’t a be-all and end-all solution, but rather a first step towards better protecting users’ personal information. So, a lot of progress has been made, but more work remains to iron out the flaws in the system.

Drew Wilson on Twitter: @icecube85 and Facebook.