Data Protection Day: Are Europeans really protected?
European Data Protection Day on 28 January commemorates the signing of the first pan-European data protection framework (Convention108) in 1981. Today, 42 years later, the GDPR is seen as the central law in European data protection and is meant to enable citizens to exercise their fundamental right to privacy. Initially hailed - and feared - as an enforcement tool, the GDPR is on the verge of suffering the same fate as its predecessors by simply being ignored.
GDPR enforcement only in theory. The GDPR aims to give all users in Europe control over their personal data. Everyone has the right to find out what data a company has on them, how it is processed, and the right to stop unlawful processing. In practice, however, users have been harassed primarily with cookie-banners and pop-ups that leave no choice but to say "yes". These Europeans who have tried to exercise their right to data protection have often been bitterly disappointed. noyb regularly receives messages from frustrated users from across the EU: procedures get delayed, complaints are dismissed without further investigation by authorities, or are abandoned altogether. Users' rights ultimately end up in the trash.
Conflict between law and regulators. The GDPR has been victim to a lack of enforcement and stalling tactics by big tech companies over the past 4.5 years. Even when the authorities make decisions and fine companies, cases can drag on for years due to appeals and filibusters by tech companies. Even with the occasional high penalty, breaking the law pays off for "big tech". While the enforcement of the GDPR varies widely across Europe, even the more active data protection authorities face major challenges, as cross-border cases require cooperation between the authorities (one-stop-shop).
Max Schrems, Chairman noyb: "Even the active authorities are often at a loss, since the enforcement of the GDPR is only as strong as its weakest link."
Obstacle to enforcement. Authorities such as the Irish Data Protection Authority (DPC) are a critical factor when it comes to the implementation of the GDPR, as the majority of American tech companies have their European headquarters there. Ireland has long been considered a "bottleneck" in the EU-wide enforcement of the GDPR; on one hand, because of the extremely slow speed with which cases are processed and, on the other hand, because the authority often pursues a "business-friendly" interpretation of the law:
It was only after the European Data Protection Board (EDPB) issued a binding decision in noyb's 4.5-year-old case on Facebook's bypass of the GDPR that the Irish DPC took action. It announced a fine of 390 million Euro and ordered Meta to obtain valid consent for personalized advertising. In these 4.5 years, the DPC has often sided with Meta and has now also issued a significantly reduced penalty. The other authorities had to repeatedly (unanimously) overrule the DPC.
Besides Ireland, Luxembourg is known for hosting the headquarters of large companies such as Amazon, eBay and Paypal, which gives the Luxembourg authority a crucial role as a regulatory power. Similar to Ireland, noyb has been waiting since 2019 for a decision in a complaint concerning Amazon's violation on the right to access, which is why noyb must now take legal action against the authority.
Besides the 'big' tech hubs in the EU, there are also many national curiosities. For example, the French and Swedish authorities deny that users are parties to proceedings. The Bavarian authority does not give access to files. The Polish authority requires complaints to be submitted digitally, but only allows files to be physically copied in Warsaw. The Austrian authority uses a national clause to close massive amounts of proceedings because the company allegedly solved the problem. The Bulgarian authority has ignored any communication by e-mail, phone or mail for years. German courts overturn decisions of the authorities, while a lawsuit against the authority in Ireland can quickly cost € 100,000.
764 complaints not decided. Since the GDPR came into force in May 2018, noyb has filed 848 individual complaints with different data protection authorities across Europe. Only 10% (84 complaints) of the cases were decided by the competent authorities, most of which were closed or a settlement was found with the company as it had remedied the breach. Some cases have only been partially decided. Approximately 15 cases are currently before the national courts because the authorities did not decide within the legal deadline or noyb appealed the decision.
Due to the inactivity of the authorities and the lack of procedural law, many proceedings are being shifted to the national courts, which often do not have the necessary knowledge of the GDPR. Decisions are often overturned due to avoidable procedural errors. For many users, going to court is not financially possible. Law firms know this and deliberately overload authorities and courts with endless complaints and hundreds of pages of submissions.
Max Schrems: "This year, the GDPR will be applicable for five years. So far, many companies are successfully cheating their way out of it, as there is only little enforcement. The promises of the GDPR to make data protection effective and simple are failing due to the national authorities in the member states, which have so far failed to bring about effective enforcement."