GDPR five years on: ‘Firms just don’t fear enforcement’

Privacy campaigner Max Schrems has used the fifth anniversary of GDPR to launch a scathing attack against the lack of enforcement action, insisting that “behind closed doors, companies are very open about the fact that they don’t fear the authorities at all”.

Schrems’ organisation NOYB, whose campaign against Meta-owned Facebook actually predates the launch of GDPR, has even criticised this week’s ruling, which saw the tech giant hit with a record €1.2bn (£1bn) fine and ordered to stop processing EU users’ data in the US, insisting it is an example of enforcement “not working”.

NOYB said that while a €1.2bn fine (one it claims was strategically delayed until the week of GDPR’s fifth anniversary) may grab headlines, it is in fact a symptom of enforcement not working.

The organisation argues that not only did it take more than ten years for the Irish DPC to reach a first decision (which will now be appealed), the case also required NOYB to engage in three sets of litigation against the Irish DPC to force it to do its job. This included the Court of Justice of the EU (CJEU) and the EDPB telling the Irish DPC three times to handle the case effectively. The cost of this litigation is estimated at more than €10m.

Schrems added: “The GDPR had very strong political backing. Five years into the GDPR, we see a lot of resistance by authorities and courts to enforce the law.

“The legislator has spoken, but the national courts and authorities constantly find new ways not to listen. It often feels like there is more energy spent in undermining the GDPR than in complying with it.

“While companies know that Ireland is the ‘go to’ jurisdiction for non-enforcement, there is hardly a ‘go to’ jurisdiction for citizens, as there are enforcement issues in basically all member states.”

NOYB argues that while an exceptional fine grabs international headlines, its much larger database of cases shows that data protection authorities (DPAs) largely do not enforce the GDPR in due time.

Of the more than 800 cases that NOYB has filed in the past year, 85.9% are not decided and more than 58% have been waiting for a decision for more than 18 months. The GDPR, however, requires companies to comply with requests within one month, and national laws often require decisions within three to six months.

Schrems commented: “In many jurisdictions you get a decision after two years at best – that is if you ever get a decision. The practice is simply miles away from the intention of the legislator to have a free and easy way to complain. We waste most of our time chasing case managers, files and authorities.”

In addition to long delays, the cases that have been closed have largely been settled or withdrawn by the parties (roughly 6% in NOYB’s case) or have had some other outcome (3.4%), such as the company leaving the EU market. In only 3.9% of all cases has there been a legal determination by the DPA.

Schrems continued: “Many authorities try everything to avoid a decision. They often just ‘close’ cases without a decision or negotiate with the companies, begging them to be so nice as to comply with the law. There is hardly a straightforward penalty for a straightforward violation of the law.”

NOYB claims that companies have simply learned to ignore the GDPR. While the industry initially protested loudly about the regulation and its high fines, the past years have shown that this deterrent effect quickly wore off. The reality, according to NOYB, is that the legislator has been unable to simply legislate an enforcement culture, and GDPR has often become a mere paper tiger.

Schrems concluded: “Reality has shown that the EU was unable to legislate an ‘enforcement culture’. The more aggressive companies have quickly understood that consequences largely only exist on paper and continued with their business models. Behind closed doors, companies are very open about the fact that they don’t fear the authorities at all. It is mainly the already reasonable companies that invested in compliance.

“After five years, the time for guidance and grace periods is clearly over. If there is no general deterrence, the authorities likely lose control over the situation again. The European Commission proposed a new regulation to fix procedural issues. Clear procedural rules are a good idea, but need to be comprehensive to actually fix the problem.”
