Digital developments continue to highlight that strong, proportionate and effective data protection has never been more important. This is clear even in the devastating and immediately pressing current crisis that is Covid-19. Nevertheless, the GDPR also has some serious flaws.
Now that it is almost two years on from its coming into application, the European Commission is obliged to conduct a review (GDPR, art. 97(1)), and this post is based on the submission I made to this. Looking to both the medium and long-term future of this important framework, there are two big areas which I argue this review should seek to reform: firstly, the GDPR’s overly acontextual and process-based norms and, secondly, its often ineffective implementation and enforcement including in many cross-border cases. Although these reforms may appear to be in tension, they are in fact positively interlinked. Moreover, each is absolutely critical to ensuring that Europe can achieve the data protection system it deserves.
1. Reforming GDPR Substantive Norms
Whilst the goals of the GDPR are increasingly vital, this instrument (even more so than the Data Protection Directive which preceded it) “creates an overly bureaucratic environment which often appears illogical and disproportionately burdensome and prescriptive” (Blume and Svanberg, 2013). The wide meanings of ‘processing’ and ‘personal data’ mean that data protection is in acute danger of becoming the “law of everything” (Purtova, 2018). Moreover, despite the regular mantra of risk and other contextual factors in the GDPR text, far too many of its provisions are acontextual. At least as interpreted by the European Data Protection Board (see WP 260 (2018) which was endorsed by the European Data Protection Board (EDPB) at its first plenary), this is true of essentially all of the proactive transparency notice rules applicable to the direct collection of personal data (GDPR, art. 13) and most of the other proactive transparency notice rules too (Ibid, art. 14).
Provisions set down on controller-processor relations in article 28 and record keeping which is “not occasional” in article 30 are similarly acontextual. It is also concerning how many of these and indeed other provisions in the GDPR focus on mandating process rather than ensuring concrete results which directly benefit individuals. Indeed, the GDPR contains roughly twice as many such process-based provisions as those focused on final outcomes and the sheer range of these can itself be truly formidable for small controllers in both the public and private sectors. Thus, even apparently quite straightforward processing operations could potentially trigger joint controller arrangements, processor arrangements, record-keeping obligations, data breach arrangements, impact assessment obligations (depending on the list drawn up by the relevant DPA), appointment of a Data Protection Officer and complex rules as regards the international transfer of personal data. Whilst the rationale for most, if not all, of these provisions is understandable, more focus should be placed on ensuring appropriate final results for data subjects rather than seeking to mandate one (and not always the most appropriate) means of getting there.
The peremptory nature of many of these rules can result in a poor fit with other fundamental rights including, most notably, freedom of expression. That problem was highlighted by the GDPR’s apparent prohibition on search engines indexing any ‘sensitive’ categories of personal data, as broadly and categorically defined in articles 9 and 10 of the GDPR, unless this is being manifestly made public by the data subject themselves. This specific issue has been tackled by the Court of Justice in GC et al v CNIL (C-136/17) finding that Article 9’s permitting of exceptions “necessary for reasons of substantial public interest, on the basis of Union or Member State law” (GDPR, art. 9(2)(g)) could be invoked by Google even in the absence of any Union or Member State statutory provision providing for this and even apparently as regards criminal-related data as specified in article 10 not 9. In general, this decision is a very reasonable but ad hoc way of seeking to (re)construct the law in the presence of an acute rights problem. Nevertheless, it should not obscure the reality that the GDPR as originally constructed does not ensure an effective rights balance here or indeed in many other areas.
What the GC et al decision does do is suggest an immediate and positive way forward for substantive data protection at a policy and not just judicial level. In sum, the European Commission should encourage Member States to better utilize the derogatory possibilities within the GDPR in order to establish a formally appropriate balance between data protection and other rights and pressing interests. Moreover, as the Court has now indicated, where the GDPR appears silent on the means for ensuring this balance vis-à-vis particular provisions then its other derogatory standards may still indicate applicable tests for designating limitations where strictly necessary.
In this regard, it is the article 23 ‘restrictions’ clause which is the most central, although strangely this is not acknowledged or even mentioned in GC et al itself. Deliberation between Member States should be facilitated in order to encourage policy-learning and (so far as possible) coordination in the use of such derogatory clauses. Nevertheless, it must also be recognised that such an approach cannot provide a full solution to the lack of balance in parts of the GDPR text with the consequent dangers of uncertainty and disproportionality that this engenders. Therefore, the European Commission should also consider a legislative initiative to ensure a better formal substantive reconciliation of rights and interests. Not least for reasons of balance, it would be best if this was fused to an initiative to enhance the practical implementation and enforcement of data protection. It is to that second issue that this post will now turn.
2. Reforming GDPR Implementation and Enforcement
One reason that the normative issues above rarely get the airtime which they formally deserve is that implementation and enforcement of data protection has been depressingly limited in Europe (and indeed globally). Moreover, with ever increasing digitization, the gap between the law on the books and the implementation and enforcement on the ‘virtual’ ground is almost certainly increasing. It is beyond the scope of this submission to provide an exhaustive analysis of this poor implementation and limited enforcement. Nevertheless, the 2019 investigation by the UK Information Commissioner’s Office into just one type of processing, namely ‘real time bidding’ in the adtech sector, provides a useful snapshot of the almost unfathomable scale of the problems. In sum, this ICO investigation made findings (p. 23) that inter alia:
- “Any processing of special category data [set out in Article 9 of the GDPR] is taking place unlawfully as explicit consent is not being collected (and no other condition applies).”
- “Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology”
- “The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals’ knowledge.”
- “Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.”
- “Individuals have no guarantees about the security of their personal data within the ecosystem.”
Despite this, even as regards the large-scale gathering of special personal data through commercial third-party tracking cookies there has been no deployment by the ICO of any of its formal corrective or sanctioning powers in relation to this issue either before or after the coming into force of the GDPR.
Moreover, it should be recognised that many DPAs subject to the GDPR have done even less than the ICO. After all, this DPA did at least carry out this admirable (even if extremely concerning) study and undertake further informal follow-up. One reason for this general lack of action is a paucity of regulatory resources. Indeed, a recent report by the start-up company Brave (2020) highlighted that half of the EU’s national DPAs have a budget of €5m or less (p. 5). The resources allocated are nowhere near sufficient for regulators to effectively carry out the entirety of their formidable supervisory responsibilities. This, therefore, needs addressing as a matter of urgency.
However, it is not the only factor at play. Additionally, many DPAs have developed a culture over a long period of time which, rather than seeking to achieve transparent and comprehensive regulation, prioritises a highly discretionary and selective approach. This would include the UK DPA which, as the Brave report also highlighted, is in fact by far the best (albeit still far from sufficiently) funded DPA subject to the GDPR. For example, writing in August 2017 on the cusp of the coming into force of this instrument, the UK Information Commissioner proudly stated:
“Issuing fines has, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisation concerned”.
Neither the ICO institutionally nor the Information Commissioner herself should be criticised for being unique in this approach. As highlighted by, for example, Vinocur (2019) and Kobie (2020), they manifestly are not. However, it remains the case that the acute problem for data subjects in this approach is that it effectively leaves them without regulatory redress even in relation to serious and/or significant and systematic problems. Thus, 16 out of 17,300 cases translates into less than one in a thousand cases resulting in a fine even though only approximately one-third (p. 18) resulted in a finding that no action was required on the part of the controller.
Moreover, whilst fines are far from the only enforcement tool for DPAs within the GDPR they are clearly accorded a central position (see GDPR, recital 148 and art. 83) and so a significant increase in their use rather than a broad continuation of the status quo is absolutely necessary here. In any case, at least in the UK there is no indication that the scale of deployment of the other corrective powers the GDPR sets out (Ibid, art. 58(2)) has been significantly different (see the following EDPB document at p. 10).
These general patterns are also far from unique to the UK. For example, not just the ICO but a number of other regulators including the Croatian, Estonian, Irish, Finnish and Luxembourgish DPAs recently reported that as of early 2020 they have issued no fines at all under the GDPR (see documents here). However, if data protection is to be genuinely achieved then this must change very significantly. Therefore, the European Commission should mount an initiative to ensure that Member States provide for DPAs which comprehensively fulfil their many tasks as laid down in article 57 of the GDPR. This must certainly include ensuring that each supervisory authority is “provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers” (GDPR, art. 52(4)). However, it must also involve strengthening DPA accountability mechanisms so as to ensure that independent organs including courts and tribunals can effectively ensure that DPAs are indeed fulfilling their tasks and deploying their powers to the extent appropriate (for more on this topic see my working paper on DPA accountability on SSRN).
3. Reforming GDPR Cooperation and Consistency
One way in which the GDPR to date appears to have made regulatory enforcement more rather than less difficult is through its imposition of a harmonized cooperation and consistency mechanism for at least private-sector cross-border processing. This new mechanism must be coordinated by a “lead supervisory authority”, defined as the DPA in whose physical jurisdiction the relevant controller or processor has a main or single establishment (GDPR, art. 56). In contrast, despite uncertainty on this persisting over more than a decade, the Data Protection Directive 95/46 allowed for direct local enforcement against even multinationals with main establishments within the Union, so long as the relevant processing took place ‘in the context of the activities’ of a local establishment (see Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16)).
The new mechanism means a single DPA is now the “sole interlocutor” for many big tech multinationals as regards most of their essential cross-border processing decisions. Thus, most notably, either the Irish or Luxembourg DPAs have this role and responsibility as regards Amazon, eBay, Google Ireland, Facebook Ireland, LinkedIn and PayPal. However, despite the many serious concerns which have been lodged within the consistency mechanism against a number of these controllers, it was reported in late 2019 that neither of these DPAs has proved able to “wrap up a single investigation of any magnitude” against any of them (see Vinocur (2019)). Four more months on, this remains the case and ipso facto no corrective action has been forthcoming here either (see, especially on the track-record of the Irish DPA, Kobie (2020)). Such a lack of momentum in enforcement risks making the GDPR largely toothless and ineffective.
The GDPR does in fact allow for processing operations even in these cases to continue to be handled locally in situations both of urgency (GDPR, art. 66(1)) and/or where the concrete processing at issue “substantially affects data subjects only in [the local] Member State” (Ibid, art. 56(2)). Additionally and as a quid pro quo for the new role of the lead supervisory authority, the GDPR grants any concerned DPAs (which is very widely defined (Ibid, art. 4(22))) the ability to be involved in joint operations (GDPR, art. 62) and ultimately for the EDPB collectively to decide on a consistent approach which will also bind the lead DPA (GDPR, art. 63-66). However, almost two years on, these formal cooperation and consistency mechanisms have yet to be used (Vinocur, 2019; Kobie, 2020). Whilst informal cooperation and consensus building are clearly important, the combined lack of final effective action and of formal escalation must be of serious concern. Moreover, a number of especially German DPAs have increasingly questioned whether the current cooperation and consistency mechanism can operate fairly and efficiently at all (Vinocur, 2019; Kobie, 2020).
Although the pressure so far seems to be for some kind of pan-EU data authority, what seems most glaring is that, for example, German regulators directly responsible to some 83 million EU citizens are generally granted no more (and given the role allocated to the ‘lead supervisory authority’ often less) formal role than, say, the Luxembourg DPA which is only directly responsible to approximately 600,000 EU citizens. That such divergences of over 130 times magnitude are not directly taken into account in any way seems wrong and, when put alongside the possibility of regulatory arbitrage amongst critically important controllers (and processors), even more concerning.
In light of the above, the European Commission should mount an initiative to ensure that especially lead but also concerned DPAs are made much more accountable for fulfilling the monitoring, enforcement and investigatory tasks allocated (GDPR, art. 57) especially in the coordinated area of cross-border processing (art. 56). Where a lead supervisory authority is unable to handle a concern expeditiously then it should be obliged to adopt a facilitative stance as regards any urgent (art. 66(1)) and/or principally local (art. 56(2)) aspects which can then be handled by the local DPA. Irrespective of this, lengthy delays on finalising initial decisions on serious and/or significant and systemic cross-border issues and the failure to trigger the formal mechanisms of the GDPR in such circumstances cannot be considered sustainable and so must be addressed and corrected. Looking to longer term change, the European Commission should look at a more thorough reform so that the formal influence of a DPA in the consistency mechanism better reflects the number of EU citizens that the relevant regulator is directly responsible to.
4. A Joined-Up Approach to GDPR Reform
My call, on the one hand, for a more contextual formulation of substantive data protection norms and, on the other, for much more thorough and consistent enforcement might seem to be in contradiction. After all, one points to a more ‘liberal’ approach whilst the other suggests there is a need to be considerably ‘stricter’. In fact, these suggestions are each other’s natural complement. At least in part, the formally excessive and sometimes illogical nature of European data protection provides ideological succour for a highly discretionary and sometimes even arbitrary approach to be taken to implementation and enforcement by both many controllers and ultimately also a number of DPAs. In contrast, the careful and proportionate formulation of norms can undergird increased respect for the law, better general implementation and a clearer guidepost to those areas which do require strong and robust enforcement. Ultimately, the most serious long-term risk for regulation is that
enforcement of data protection rights and obligations will likely become [yet more] selective, determined by priority lists and shortcuts that the data protection authorities would develop to cope with the workload, including the ‘compliance surrogates’. Selective enforcement and the pretence of compliance will reinforce each other, ridiculing data protection law, and depriving its protection of meaning. (Purtova (2018))
Staving off such a dystopia of data misgovernance will certainly require insisting on a transparent, effective and comprehensive regulatory enforcement. However, it will also and as importantly mandate a much more thoughtful and sensitive approach to be taken to the specification of applicable norms. European data protection’s future doesn’t have to be formally acontextual and practically largely ineffective. A truly visionary European Commission GDPR review can address both of these problems and, thereby, provide real leadership in this ever more important space.
David Erdos is Deputy Director of the Centre for Intellectual Property and Information Law (CIPIL) and also WYNG Fellow in Law at Trinity Hall, University of Cambridge.