Big Tech take note: In what looks like a meaningful — and long overdue — reforming step, the European Commission has committed to dial up its monitoring of how data protection authorities at the EU Member State level enforce the bloc’s flagship data protection rules — committing to regular checks on “large scale” General Data Protection Regulation (GDPR) cases.
Checks that could help address long standing criticism that enforcement of the GDPR is too weak and plodding to put meaningful checks on Big Tech.
The EU’s executive has responded to its ombudsman saying it will ask all national supervisory data protection authorities to share with it a report — on a “bi-monthly” basis (presumably that’s every two months, rather than 2x per month in this context); so 6x per year — which it describes as “an overview of large-scale cross-border investigations under the GDPR”.
Furthermore, the Commission stipulates these reports will need to include various key details (such as case no.; controller or processor involved; investigation type), along with a summary of the investigation scope (“including which provisions of the GDPR are at issue”); the DPAs concerned; “key procedural steps taken and dates”; and the “Investigatory or any other measures taken and dates.
It has also committed, in its second upcoming report on the application of the GDPR, to provide a report of the information it’s getting back from DPAs. So the Commission will be reporting on the DPAs’ reporting.
While this probably sounds exceedingly dry, it’s actually — potentially — a very big deal.
Thing is, major cross-border GDPR cases have languished for years in regulatory limbo. Such as complaints against Big Adtech business models and behavioral advertising, or over adtech giant Google’s almost impossible to avoid location-tracking, to name two.
There’s also a very long-running complaint that’s called for the suspension of Facebook’s data exports which still hasn’t landed as a final decision. While Apple, Twitter and TikTok all have open GDPR cases pending decisions — in some instances years after an enquiry was opened on paper.
EU privacy campaigners and legal experts have for years argued that — on paper — the GDPR should be protecting consumers from unwanted tracking and profile. Yet they’ve also pointed out these self-same rules are being systematically flouted by tech giants that think they’re big enough to ignore the rules.
The upshot is EU citizens’ rights are steamrollered under the market muscle of major tech platforms and their associated ecosystems of operators — which critics contend extends to regulatory capture of ‘friendly’ DPAs. Especially in certain Member States where there’s a concentration of big tech firms (such as Ireland). Hence the call for closer monitoring of how (or even whether) Member State level authorities are doing the job of enforcing GDPR.
Just today, for example, an EU report on digital advertising and privacy concludes there’s “aneed to increase individuals’ control over how their personal data is used for digital advertising, including how they avoid unwanted targeting” — which points to a gap between EU regulations that it too emphasizes “should” be protecting consumers from such abuse — yet, very evidently, they aren’t.
The issue here is simple: It’s who’s watching the watchmen, argues Dr Johnny Ryan — a senior fellow at the Irish Council for Civil Liberties (ICCL) — the rights group which complained to the European ombudsman over the Commission’s monitoring of Ireland’s implementation of the GDPR.
The Commission has treaty obligations to monitor Member States’ implementation of pan-EU laws but has often seemed reluctant to wade into the fray. And it’s this reluctance to crack an eyelid over plodding DPAs the ICCL challenged via the ombudsman back in November 2021.
