How can the General Data Protection Regulation (GDPR) be effectively enforced so as to uphold fundamental rights and freedoms while, at the same time, allowing for the free flow of data within the Union? This is a question I have been pondering since well before Monday’s publication of the Irish Council for Civil Liberties’ (ICCL) 2021 report on the enforcement capacity of Data Protection Authorities (DPAs). In the report, the ICCL came down heavily on the Irish DPA and stated that the European Commission “has the duty to intervene” to ensure enforcement of the GDPR. I provided a comment to Luca Bertuzzi (EurActiv) on the matter, which has inspired the blog below. (Read “Ireland’s privacy watchdog accused of paralyzing GDPR enforcement” here.)
But I don’t want to focus on the report here. Instead, I want to highlight the multitude of challenges that DPAs face on an everyday basis. DPAs are not only called upon to enforce the GDPR, to handle complaints lodged with them, to investigate possible infringements and to monitor the application of the law; they must also promote public awareness of data protection and privacy, advise national parliaments, governments and other institutions, cooperate with other DPAs and provide mutual assistance, monitor developments that impact the protection of personal data, approve Binding Corporate Rules (BCRs), encourage the development of certification mechanisms and data protection seals and marks, review certifications, contribute to the European Data Protection Board, and develop practical guidelines. The list goes on.
It is true that enforcement of the GDPR by national DPAs is the key factor determining the efficacy of the GDPR and, therefore, the ability of the law to effectively protect the rights and freedoms of EU citizens when it comes to data protection and privacy. It is also true that, in light of the unique position of the Irish DPA as the Lead Supervisory Authority for global leaders in tech (e.g., Microsoft, Facebook, Google, Apple, TikTok, etc.), the Irish Authority needs to step up its game. At the same time, however, it must be acknowledged that European DPAs are largely underfunded and overwhelmed with complaints that they simply cannot manage for lack of sufficient resources. More resources for Authorities would mean more highly skilled employees (with the necessary legal, IT, ethics, legal design and data visualization knowledge) to investigate complex data processing activities and alleged acts of non-compliance, and to promote awareness among the public. Therefore, instead of pointing fingers at Data Protection Authorities for their “failures”, now is the time to put pressure on national governments to endow Authorities with the funds necessary for them to carry out their key functions, including but not limited to enforcement.
In this respect, it is worth noting that Art. 52(4) GDPR requires each member state to “ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers…”.
Despite my observations above, I have witnessed growing commentary on what can be described as a perceived lack of enforcement of the GDPR, with various organizations and public figures weighing in on this very issue, specifically with reference to the failure of the Irish and Luxembourgish Data Protection Authorities to issue fines for GDPR compliance shortcomings. Since these complaints peaked in late spring of this year, the Luxembourgish DPA has issued a number of relevant decisions and sanctions, including its fine of 746 million euro against Amazon; and in recent weeks we learned of the Irish DPA’s final decision to fine WhatsApp 225 million euro following the European Data Protection Board’s “Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR”. I would also point out that while the WhatsApp fine may be the most significant fine issued by the Irish Authority, it is not the only one to date.
Given these recent actions, I do not think that previous accusations of failure to act can be presumed to stem from a conscious unwillingness on the part of Data Protection Authorities, such as the Irish one, to exercise their GDPR enforcement powers.
I would also like to recall the important role that privacy organizations and associations are playing in GDPR enforcement (see my blog on Two-sided enforcement here). In recent weeks, we have borne witness to the fruits of Art. 80 and Rec. 142 GDPR: organizations are now actively patrolling the internet to identify potential violations of the GDPR and reporting them to DPAs, meaning that fewer violations will go unnoticed. This form of activism on the part of organizations like noyb, La Quadrature du Net and others will without a doubt help ensure that the GDPR is enforced, pushing companies to improve their data protection compliance posture.
So instead of playing the blame game when it comes to enforcement, let’s tackle the problem at its roots and push for more resources for EU DPAs so that they can carry out their tasks (which consist of more than just enforcement!) as they are meant to, with top-notch and knowledgeable personnel in the legal, ethics, IT, legal design and data visualization fields.