Big changes coming for GDPR enforcement on Big Tech in Europe?

Big Tech take note: In what looks like a meaningful — and long overdue — reforming step, the European Commission has committed to dial up its monitoring of how data protection authorities at the EU Member State level enforce the bloc’s flagship data protection rules — committing to regular checks on “large scale” General Data Protection Regulation (GDPR) cases.

Checks that could help address long standing criticism that enforcement of the GDPR is too weak and plodding to put meaningful checks on Big Tech.

The EU’s executive has responded to its ombudsman saying it will ask all national supervisory data protection authorities to share with it a report — on a “bi-monthly” basis (presumably that’s every two months, rather than 2x per month in this context); so 6x per year — which it describes as “an overview of large-scale cross-border investigations under the GDPR”.

Furthermore, the Commission stipulates these reports will need to include various key details (such as case no.; controller or processor involved; investigation type), along with a summary of the investigation scope (“including which provisions of the GDPR are at issue”); the DPAs concerned; “key procedural steps taken and dates”; and the “Investigatory or any other measures taken and dates.

It has also committed, in its second upcoming report on the application of the GDPR, to provide a report of the information it’s getting back from DPAs. So the Commission will be reporting on the DPAs’ reporting.

While this probably sounds exceedingly dry, it’s actually — potentially — a very big deal.

Thing is, major cross-border GDPR cases have languished for years in regulatory limbo. Such as complaints against Big Adtech business models and behavioral advertising, or over adtech giant Google’s almost impossible to avoid location-tracking, to name two.

There’s also a very long-running complaint that’s called for the suspension of Facebook’s data exports which still hasn’t landed as a final decision. While Apple, Twitter and TikTok all have open GDPR cases pending decisions — in some instances years after an enquiry was opened on paper.

EU privacy campaigners and legal experts have for years argued that — on paper — the GDPR should be protecting consumers from unwanted tracking and profile. Yet they’ve also pointed out these self-same rules are being systematically flouted by tech giants that think they’re big enough to ignore the rules.

The upshot is EU citizens’ rights are steamrollered under the market muscle of major tech platforms and their associated ecosystems of operators — which critics contend extends to regulatory capture of ‘friendly’ DPAs. Especially in certain Member States where there’s a concentration of big tech firms (such as Ireland). Hence the call for closer monitoring of how (or even whether) Member State level authorities are doing the job of enforcing GDPR.

Just today, for example, an EU report on digital advertising and privacy concludes there’s “a need to increase individuals’ control over how their personal data is used for digital advertising, including how they avoid unwanted targeting” — which points to a gap between EU regulations that it too emphasizes “should” be protecting consumers from such abuse — yet, very evidently, they aren’t.

The issue here is simple: It’s who’s watching the watchmen, argues Dr Johnny Ryan — a senior fellow at the Irish Council for Civil Liberties (ICCL) — the rights group which complained to the European ombudsman over the Commission’s monitoring of Ireland’s implementation of the GDPR.

The Commission has treaty obligations to monitor Member States’ implementation of pan-EU laws but has often seemed reluctant to wade into the fray. And it’s this reluctance to crack an eyelid over plodding DPAs the ICCL challenged via the ombudsman back in November 2021.

That complaint has now led to agreement from the Commission that it will improve how it’s keeping tabs on GDPR enforcement more generally (so not just keep specials tabs on Ireland). And led to what looks to be, per the above list, a solid basis for overseeing DPAs administration of their duties — and at least putting the EU’s executive in a position to identify inconsistencies or other investigatory shenanigans.

(Whether the Commission will act robustly on reports that will be confidential is another matter; but at least it won’t be able to pretend problems don’t exist — and it also knows that its watchman, the ombudsman, is on its case with eyelids open.)

In a press release today, the ICCL lauds the development — dubbing the Commission move a Europe-wide “overhaul” of the GDPR.

“The European Commission’s new commitment should transform Europe’s data and digital enforcement,” argues Ryan in a statement. “Previously, big cases lay dormant for years. Now, we should see acceleration in investigation and enforcement, and it will be clear where the European Commission needs to take swift action against Member States that fail to apply the GDPR. This heralds the beginning of true enforcement of the GDPR, and of serious European enforcement against Big Tech,

“I think it makes the GDPR real,” Ryan also told TechCrunch — adding that if the Commission’s changes also apply retrospectively, i.e. to the large existing slate of Big Tech cases, that’ll be “even better”.

Ireland’s Data Protection Commission (DPC) typically attracts the most criticism over its approach to GDPR. Not only for how much time it may take on an enquiry but whether it even actually investigates the issue being complained about.

One oft complained about tactic is for the regulator to follow up a complaint (or complaints) by opening up what it refers to an “own volition enquiry” — which allows it to set the terms of reference. And, critics contend, to narrow the scope and/or entirely avoid the crux of a complaint. Creative reframing of enquiries is the ‘straw man’ of regulatory (in)action — deflecting and rerouting the claimed scrutiny in a way that can sidestep the core issue and ensure any damage to the target business is kept to a minimum. In short, it’s a mockery of genuine oversight.

A recent example is a decision against WhatsApp by the DPC — some 4.5 years after a series of complaints were raised over the legal basis Facebook-owner Meta claims to run behavioral advertising across a number of its services.

The Irish regulator ended up being instructed by the European Data Protection Board (EDPB) to find a series of breaches of the GDPR — some of which it alone had declined to find in its preliminary decision on the complaint back in 2021– but in one of its final decisions, against WhatsApp, the DPC was accused by the complainants of not investigating a core element of its complaint: i.e. whether WhatsApp processes users’ metadata for ad targeting (and, if so, whether it has a valid legal basis for doing that).

The DPC did not investigate that issue and also ignored a follow-on instruction by the EDPB to investigate it — claiming the Board was overreaching its jurisdiction. It also said it would challenge that component of the Board’s instruction in court. So instead of robustly investigating the legality of Meta’s ad-targeting — which had been raised by complaints dating all the way back to May 2018 — the DPC simply chose not to look — doing so at the end of a very long enquiry process where it also had the opportunity to investigate and didn’t. (And that’s just one instance of scores of complaints about its ’round-the-houses’ approach to ‘enforcing’ GDPR.)

Over that same set of complaints, the Irish regulator was also accused of further letting Meta massively off the hook — by not fining it the maximum amount possible for failing to have a valid legal basis for its core behavioral ads business.

The days of regulatory dither and ‘creative inaction’ by EU Member States which may feel they have a political interest in not annoying Big Tech companies headquartered on their soil may — finally — be numbered if the Commission starts to do a proper (i.e. active) job of overseeing DPAs’ GDPR enforcement.

The Commission should care about this. And not just because of its core duty to uphold EU treaties — but also because the GDPR is a cornerstone of a far wider and more ambitious digital regulatory program it’s been setting out in recent years; laying out wide-ranging rules for data governance and data reuse with the aim of accelerating regional innovation in artificial intelligence.

So if the GDPR is shown to not be working that risks bringing the whole carefully constructed EU digital edifice crumbling down — and at a time when the Commission is taking on a major new oversight role for larger platforms and tech giants (via the Digital Services Act and Digital Markets Act).

Which means the EU’s executive has plenty of very good reasons to d something about the problem of failed GDPR enforcement. Far better than any superficial PR wins it may want to accrue by claiming GDPR enforcement is working just fine.

Still, some question marks over this reforming step remain.

As well as the question of whether the Commission’s changes to how it will monitor GDPR enforcement will apply retrospectively (or not), there’s a more basic question of when exactly this new world order will be implemented? For now, that’s not clear.

EU citizens have already spent years waiting to see action on GDPR complaints — having to watch tech giants continuing to enrich themselves at the expense of their rights in the meanwhile. So there really is no time to lose for the Commission to locate a higher gear here. However when we asked it when it will be implementing the changes — and whether they will be retrospective or not — a Commission spokeswoman declined comment.

There is also a question over how exactly the Commission will define “large scale” in this context — and whether or not its reporting requirements will capture all cross-border GDPR cases, or just a subset.

Furthermore, there could be some wiggle room for regulators to reach non-public agreements with tech giants, i.e. as another route to cynically closing GDPR cases down (and end any reporting requirements in the process).

But given all the criticism over (and attention on) lax GDPR enforcement already, DPAs surely can’t hope to try their luck with a fresh repackaging of inaction — not unless they are actually extracting meaningful reforms in an agreed resolution with a company targeted for complaints. (And, well, if they’re achieving the latter no one would need to complain!)

The EU’s ombudsman reached its decision on the ICCL complaint in December — after a year long enquiry.

In an eight-page decision on whether the Commission collects sufficient information to monitor Ireland’s implementation of the GDPR, Dr Emily O’Reilly wrote that “EU citizens are entitled to expect that the European Commission collects sufficient information to monitor the application of that legislation”.

She went on to welcome the fact she found the Commission reportedly receiving “bi-monthly” reports from the DPC on the handling of “big tech” cases but suggested there was room for more improvement — such as maintaining a table of “pre-determined fields” containing key details and key steps taken, as the Commission has now committed it will.

If it were not to apply this “specific targeted monitoring measure”, the Ombudsman concluded she “would have had serious doubts as to the adequacy of the information that the European Commission relies on”. So, again, there’s not going to be any way back from this formalized monitoring process for the Commission — a standard is being set and required.

In a separate GDPR enforcement related development the Commission mentioned in its work program last year, it has also said it will be presenting a proposal to improve cooperation between data protection authorities on cross-border GDPR cases — so further changes are afoot which may help tackle delays kicked up by disputes between DPAs who fail to agreed on how to enforce against tech giants.

Again, there’s no concrete timings attached to this development — beyond a pledge from the Commission to come with a proposal this year. (But it would then need the other EU institutions to weigh in and agree any changes.)

Never one to waste a PR opportunity, in a joint speech this week, the EU’s president, Ursula von der Leyen, and justice commissioner, Didier Reynders, pitched the move as the Commission wanting to “further strengthen the enforcement of the GDPR”, as they spun it — writing that, working together with the EDPB, they’ve “started looking into ways to further enhance cooperation in cross-border cases”, and “will present a proposal this year to further harmonise relevant procedures for DPAs”.

Big changes coming for GDPR enforcement on Big Tech in Europe? by Natasha Lomas originally published on TechCrunch