Data Protection Day: 41 Years of "Compliance on Paper"?!
Today's Data Protection Day marks the signing of the first pan-European data protection framework (Convention 108) in 1981. Fast-forward 41 years later, the GDPR has become the main pillar of European data protection. Adopted in 2016 with high hopes, the GDPR is now on the verge of succumbing to a death similar to many data protection rules before. They existed on paper, but were hardly enforced in reality.
The theory of European enforcement. Under the GDPR everyone in Europe has the right to file a complaint with their Data Protection Authority (DPA), who should in turn enforce citizens' fundamental right to privacy. The “one-stop-shop” cooperation-mechanism for cross-country cases should ensure that customers see their rights enforced just as effectively when their data is processed by a company in another Member State.
The GDPR’s enforcement vacuum. Many citizens who have tried to exercise their rights under the GDPR are disappointed. Some DPAs do not process complaints at all. Procedures get “forgotten” or are lost in the system connecting the national DPAs. In many cases, there is just radio silence for years. Even though performance highly differs among the DPAs, noyb gets similar messages from frustrated citizens throughout the EU. After all, the system is only as strong as its weakest link.
Only 15% of noyb’s cases decided within one year - no pan-European cases. So far, noyb has filed 51 individual cases with DPAs in Europe. Only six of these complaints were decided, another three were partly decided. All of them were purely national cases, where there was no need for European cooperation. Not a single pan-European case was decided under the "one-stop-shop" mechanism until this day. While some cases were just filed recently and may need more time, others were filed more than a year ago. As yet, only five of those 34 longer-standing cases are fully decided. This means that 85% of all cases older than a year are still waiting for a decision. Some cases were lost between authorities. In other cases, authorities did not even respond to emails or phone calls. The inglorious winners for the longest duration are four cases that were filed on 25.5.2018 on “forced consent”. After 3 years and 8 months, the Irish “lead” authority still has not issued a final decision.
“You can clearly see that we are usually left without any answer. Some authorities are black boxes. It is impossible to understand what is happening to our complaints. While national cases show some results, we have not seen a single decision once different Member States had to work together under the "one-stop-shop" mechanism. The overview shows how frustrating, ineffective and complicated the enforcement of European fundamental rights can be.” - Romain Robert, Program Director at noyb.
On today’s “Data Protection Day” noyb has published a list of all 51 “individual” complaints it has filed since the GDPR came into force:
Two waves, 523 complaints, one decision. noyb filed two rounds of “parallel complaints” that may be more challenging for DPAs, but also allow them to streamline the decision process. Of the 101 complaints from August 2020 on EU-US data transfers, after 1.5 years, one case on Google Analytics was partly decided (1%). An additional 422 complaints from August 2021 on cookies banners have not seen a single decision so far. In many cases there seems to be little more than a confirmation of the receipt of the complaint.
European institutions raise similar concerns. The European Parliament expressed its concerns about the insufficient level of GDPR enforcement and the Commission even warned to push for a more centralized approach if improvements weren’t made. An EDPS conference on the issue appointed for June leaves no doubt that 2022 will have a focus on GDPR enforcement.
“We hope that this overview on our complaints will foster the discussions expected to take place this year. We think that including concrete cases in the analysis can add to the list of already identified problems with enforcement” - Romain Robert, Program Director at noyb
Focus on enforcement and procedural rights. The experience of the past 3.5 years means that the role of noyb as a GDPR enforcement organization became even more relevant. Besides focusing on lawsuits against regulators that do not handle complaints within reasonable time, noyb will also engage in direct actions against companies, including through collective action - even though this is usually much more expensive. While the directive on collective redress will be implemented in all Member States by the end of 2022, noyb is already officially qualified to start representative actions in Belgium. Together with PrivacyFirst, we also founded the foundation “CUIC” (Consumers United In Court) in the Netherlands to file similar actions.
“Despite our dissatisfaction with enforcement, noyb stays dedicated to support DPAs and complainants interested in a better enforcement of the law. 41 years after the convention, we all have to work together to make privacy a reality.” - Romain Robert, Program Director at noyb.
With this in mind, noyb wishes all of you a happy Data Protection Day!