It’s well established that the European Union has some of the strictest privacy laws in the world, threatening fines of up to 4% of a company’s annual turnover. A lesser-known fact, and one which large tech firms would like to keep quiet, is that the EU hasn’t enforced those rules very strictly.
Since introducing its landmark privacy law known as General Data Protection Regulation (GDPR) in 2018, the EU has delegated the job of policing Big Tech to the nations where the firms have their European headquarters. That puts enormous pressure on countries like Ireland, which hosts several large internet firms that have frequently been accused of flouting privacy law, including Meta Platforms Inc. Ireland has issued roughly 1 billion euros ($1.1 billion) worth of fines against Meta alone in the past five months, but the penalties took years to come about and, in the latest case, Ireland was forced by its European peers to significantly raise it. Ireland has long been a bottleneck for the EU’s enforcement because of the slow pace with which it has processed cases and its relatively business-friendly interpretation of GDPR rules.
But that could well change now that the EU’s executive arm, the European Commission, will require each nation to share an overview of its data-protection investigations six times a year. A country’s regulator will also have to give the Commission an overview of all its large-scale cross-border investigations under GDPR including, critically, all key procedural steps taken with each case, and all investigatory or other measures taken, along with dates for each of these steps and measures, according to a document detailing the Commission’s response to suggestions from the European Ombudsman, seen by Bloomberg Opinion. It signals a toughening stance on privacy, holding the regulators themselves to account for investigating companies properly.(1)
While the Commission does issue a report every two years or so on the general state of GDPR enforcement, (2)the executive arm has not deeply scrutinized the work of each nation’s privacy regulator in such a formal or systemic way. In theory, if national watchdogs don’t comply with the new requirement for information, that nation’s government could face legal action at the European Court of Justice. The privacy regulators have never had their feet held to the fire quite like this.
Ireland, the Netherlands, Luxembourg and France are countries for whom this change is most important. Ireland hosts the largest number of tech firms on its shores, while Uber Technologies Inc. is in the Netherlands, Amazon.com Inc. in Luxembourg and Criteo SA, one of the world’s largest online advertising firms, is in France.
The change appears to be the result of a complaint made to the European Ombudsman by the Irish Council for Civil Liberties, a human rights group that has lodged several objections with the EU about how Ireland’s privacy watchdog has dealt with Facebook.
“Previously you had cases lying dormant for years and privacy law not being applied,” says Johnny Ryan, a senior fellow at the ICCL. “This heralds the beginning of true enforcement, and that means serious European enforcement against Big Tech.”
The EU’s one-stop-shop mechanism, which is bureaucrat-speak for making a single country responsible for policing tech firms, has put privacy advocates in the unusual position of lodging complaints not just against companies but against the regulators themselves for not being strict enough. Austrian privacy campaigner Max Schrems has suggested he’ll take action against Luxembourg’s privacy watchdog because of the long wait over a complaint about Amazon, which has been accused of exposing user information to potential breaches and exploitation.
The European Ombudsman, which investigates administrative complaints about the EU, confirmed it had been told by the European Commission that it would increase its scrutiny of national watchdogs.
Ireland’s Data Protection Commission has argued that its cases take a long time because they are complex, and that while it is inundated with cases with the myriad tech companies under its jurisdiction, it has resolved hundreds of cross-border complaints over the last four years.
But the European Court of Justice has also called out the Irish watchdog for “persistent administrative inertia.” And earlier this month the regulator was forced by Europe’s Data Protection Board to substantially increase a fine against Meta over illegal data processing, from 28 million euros to 390 million euros, after it initially sided with Meta on several aspects of the original complaint which came from Schrems.
With the Commission checking each regulator’s homework, the watchdogs will be forced to work harder and avoid stalling: any years-long delays between the lodging of a complaint and the opening of an inquiry will be in full view of the EU mothership, as will many months passing between rounds of correspondence about a case, or complaints leading to no investigation at all.
The one drawback to this development is that the Commission won’t do its audits in the open; all the information that national privacy regulators share will be kept “strictly confidential.”
Till then we’ll have to make do with what is still a step in the right direction. The renewed scrutiny won’t be public, but at least it will be happening.
More From Bloomberg Opinion:
Meta Will Decide How Painful Its Irish Gut Punch Is: Parmy Olson
Stop the Schadenfreude Over Bloated Tech Layoffs: Lionel Laurent
That Silicon Fence Around China Is Almost Complete: Tim Culpan
(1) According to the document, the Commission’s Department for Justice and Consumers, led by Commissioner Didier Reynders, said it would “request all national supervisory data protection authorities to share with the Commission, on a bi-monthly and strictly confidential basis, an overview of large-scale cross-border investigations under the GDPR with information on the following pre-determined fields: Case number; Controller or processor involved; Investigation type (ex officio or complaint-based); summary of investigation scope (including which provisions of the GDPR are at issue); DPAs concerned; Key procedural steps taken and dates; Investigatory or any other measures taken and dates.”
(2) The Commission’s last such report was published in 2020 and mentioned Ireland once, saying on a general way that resources for privacy enforcement was “uneven between member states.”
This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.
Parmy Olson is a Bloomberg Opinion columnist covering technology. A former reporter for the Wall Street Journal and Forbes, she is author of “We Are Anonymous.”
More stories like this are available on bloomberg.com/opinion
©2023 Bloomberg L.P.