FAANG trade ins displayed at the Nasdaq.
Adam Jeffery | CNBC
DUBLIN — The EU’s landmark privacy rules were hailed as a success when dispatched in 2018, but some believe they have placed too much weight on individual authorities and have led to sluggish pursuit and more bureaucracy.
TikTok recently came under the jurisdiction of Ireland’s Data Protection Commission, adding to a massive workload for the Irish regulator.
With several major tech firms, including Facebook, Google and Twitter, holding their European headquarters in Dublin, the DPC has suit Europe’s most high-profile data watchdog in enforcing GDPR, the region’s data privacy rules.
The regulation, with its prospect for big fines, is seen as the most robust piece of data protection law in history. But the DPC’s elevated status since it came into bring about has raised questions around how well resourced it is to handle such a large and important workload.
The DPC’s annual report for 2020 defined that it handled 10,151 cases in total that year, an increase of 9%. Meanwhile, the authority is in the middle of a high-profile lawful case with Facebook over data transfers to the U.S.
In December, more than 2½ years after GDPR came into intent, the DPC issued its first GDPR financial penalty against a major U.S. tech company when Twitter was fined 450,000 euros ($535,594).
The reach of the investigation and the sum of money drew criticism from Max Schrems and other data protection advocates.
Noyb, the organization rested by Schrems, is a frequent critic of the DPC. Romain Robert, a senior lawyer at Noyb, said that the organization has been discouraged by the enforcement of GDPR by most data protection authorities in Europe.
“The expectations towards the DPC are really disappointing. We don’t see that scads decisions,” Robert told CNBC.
Graham Doyle, the deputy commissioner at the DPC, told CNBC that investigations, particularly cross-border probes into big tech firms, take some time.
“I’ve been saying this since May 2018, irksome to manage expectations, do not be expecting these big headline fines (immediately). It’s going to take time,” Doyle said.
“There is this meet on the pace at which investigations go and a belief that just because you have more people, it means things choice happen quicker. That’s not necessarily the case. In some areas it will help but in others it means that you can do innumerable simultaneously,” Doyle said.
In the country’s last budget, the DPC received 19.1 million euros in funding from the Irish guidance, up from 16.9 million euros the year before. The agency has close to 150 employees and will be at 200 by the end of the year.
Doyle chipped calls for swift decisions to be made once complaints are filed.
“That’s not taking into account fair from profits, that’s just making an assumption,” he said.
One-stop-shop
GDPR established the one-stop-shop mechanism, which allows troops operating across the EU to report to one member state’s data protection authority. It is under this mechanism that TikTok and distinct others report to the DPC.
It means the Irish watchdog is often the lead investigator on cross-border investigations, such as the probe into Trill and several open investigations into Facebook and its services.
“Absolutely it is the case that the one-stop-shop has meant that the Irish DPC has evolve into the de facto lead regulator for many of the big tech platforms,” Doyle said.
Johannes Caspar, the chief of Hamburg’s text protection authority, has been vocal on the effectiveness of this approach.
A view of the Google EMEA HQ building in the western division of the Grand Canal Docks in Dublin, seen during Level 5 Covid-19 lockdown. On Friday, 22 January, 2021, in Dublin, Ireland.
NurPhoto | NurPhoto | Getty Moulds
“The one-stop-shop procedure has shown massive deficits as it leads to inefficiency, bureaucratic structures and to massive differences between law enforcement in purely native and EU-wide procedures,” Caspar told CNBC.
He said the procedures for carrying out cross-border inquiries can be “extremely bureaucratic.” It can principal to domestic investigations carrying on swiftly but the large banner investigations moving at a slower pace.
“Effective protection of the integrities and freedoms of data subjects, but also fair competition in the digital market, cannot be achieved in this way,” he said.
Main of cases
As GDPR’s third birthday approaches in May, the DPC has a “strong pipeline” of major decisions that will be published in 2021, Doyle weighted.
One of those is an investigation into Facebook-owned WhatsApp over how data is shared between the messaging app and its owner. The probe is look forward to yield a fine between 30 million euros and 50 million euros, marking the first massive prime from the DPC in the GDPR age.
“I would counter the argument that is being put forward in terms of the pace of investigations. We’ve made ground-breaking marks in terms of the GDPR in cross-border investigations. It’s a new piece of legislation that’s only in almost three years,” Doyle said.
For Noyb’s Robert, it’s stock-still not enough. He said that with a few notable exceptions — such as French authority CNIL’s 50 million-euro approval on Google — many of the continent’s data protection authorities have been acting too slow.
“A lot of people are focusing on the DPC but some of the other DPAs (Information Protection Authorities) are really disappointing as well,” he said, pointing to the Luxembourg authority, which has Amazon under its coverage but has not taken any action.
He added there is a need for an objective analysis of all DPAs’ resources, budgets and workloads to get a true have of how GDPR is performing.