ICCL: GDPR hinders crackdown on tech giants
Europe is incapable of cracking down on big technology companies. Large and important privacy matters mainly end up on the board of the Irish regulator. That in turn leaves too many things lying around. Moreover, the budget of most European regulators is insufficient and there are too few specialists who can act against the tech companies. This seriously affects the enforcement of European privacy legislation.
Current privacy regulations are paralyzing
The Irish civil rights organization makes no mistake about it. Europe is currently not in a position to control and bring to order large (mainly American) tech companies. Three-and-a-half years after the introduction of the GDPR, the enforcement of European privacy laws and regulations has become paralyzed.
The Irish Data Protection Commission (DPC) is a bottleneck in the fight against Big Tech across the EU, the ICCL writes in its report. According to the civil rights movement, 98 per cent of cases submitted to the DPC are unresolved. European regulators are not prepared for the digital age. For example, there are too few specialists who can determine exactly what tech companies do with the personal data of European citizens. Only 9.7 per cent of all employees at national regulators have the specialist knowledge to investigate this.
Another factor that leaves a lot to be desired in the GDPR enforcement policy is the budget. More than half of all European supervisors have 5 million euros or more available each year to deal with privacy matters. Germany accounts for 32 per cent of the total EU budget.
Ireland is a major cause of bottleneck
According to the ICCL, the one-stop shop is the main reason that Europe is unable to act against tech companies such as Google, Amazon, Apple and Facebook. This principle means that the regulator of the country where the head office of the company in question is located must investigate the matter. Since most tech companies are based in Dublin, most privacy-related and anti-competitive matters end up on the DPC’s board. In addition, one in five cases (21 per cent) is referred to the Irish regulator.
“No other GDPR enforcement agency in the EU can step in if the Irish DPC takes its lead in cases against major tech companies headquartered in Ireland. As a result, the EU’s GDPR enforcement against Big Tech has been crippled by Ireland’s failure to submit draft decisions in cross-border cases.
Too little budget and technically skilled staff
It is not fair to put the blame entirely on the Irish. Together with Spain, Germany, the Netherlands, France, Sweden and Luxembourg, Ireland accounts for almost three-quarters of all GDPR complaints submitted in Europe (72 per cent). In other words, a small group of Member States is responsible for handling the bulk of all privacy matters and complaints.
In addition, the budget of most supervisors is insufficient. The good news is that the total budget for national regulators increased by 81.9 per cent to EUR 294.6 million between 2016 and 2021. In contrast, the annual increase since 2018, when the GDPR came into effect, has been steadily declining. Nine national regulators have to manage with a budget of fewer than 2 million euros.
Finally, the ICCL notes that the European supervisors employ too few technically skilled personnel. Of the 3,014 full-time employees, only 293 are technical specialists. That is less than one in ten employees. Only five Member States employ ten tech specialists or more. The lion’s share of member states (fifteen) has only four or fewer specialists on board.
Recommendations for tougher action against Big Tech
The civil rights movement ends with a number of recommendations. To start with, she believes that the Irish regulator should be reformed and strengthened. The government must make more money available so that the DPC can increase its capacity. In addition, more weight should be given to the decisions of the DPC. Instead of providing advice, the body should place more emphasis on enforcement.
In addition, the ICCL proposes that the European Commission takes stronger action against the Member States that do not take the protection of personal data seriously enough. Finally, the day-to-day management of the EU must better enforce the application of the GDPR. The European Data Protection Board (EDPB) and national regulators should publish a quarterly report updating the Commission on the development of current cases.
The ICCL investigated 164 major cases filed with the DPC between May 2018 and May 2021. Only four cases were actually addressed by the Irish regulator during this period. One of these is the investigation into WhatsApp. Recently, the DPC announced that it had imposed a fine of 225 million euros on the chat service for violating the GDPR. Initially, the fine was considerably lower, somewhere between 30 and 50 million euros. Eight European regulators objected to this. The DPC then decided to increase the fine to 225 million euros.
Catch up on more articles here
Follow us on Twitter here