Hamburg privacy boss calls for overhaul of EU privacy rules

Johannes Caspar said the failure of EU agencies to cooperate had undermined GDPR.

Europe’s landmark privacy rules must be overhauled to ensure proper enforcement and protection of people’s rights, Johannes Caspar, a leading German regulator, said ahead of the law’s two-year anniversary.

Failure to enforce the rules against big companies and a lack of cooperation between regulators have fundamentally undermined the General Data Protection Regulation (GDPR), the head of Hamburg’s data protection authority told POLITICO.

“I’m completely critical of the enforcement structure of the GDPR,” said Caspar, whose office is in charge of overseeing the German activities of several Silicon Valley firms. “The whole system doesn’t work.”

His comments come as the bloc’s privacy enforcers have yet to agree on almost any penalties against large firms for potential abuse. The law passed in May of 2018 allows for penalties amounting to as much as 4 percent of a firm’s annual revenues in the event of a breach and has become a template for countries around the world, yet so far no blockbuster fines have been announced.

On Friday, Ireland’s privacy watchdog, in charge of overseeing firms like Google, Facebook, Twitter and Apple, said it had finished an investigation into Twitter, its first major move against a Big Tech company under Europe’s new privacy standards.

The draft decision, details of which were not disclosed, will now be circulated among other European privacy regulators for approval, with a final decision in that case expected late next month. Dublin also said it was close to finishing a separate privacy investigation into WhatsApp, the internet messenger owned by Facebook.

The Twitter decision is unlikely to quell disagreements between Europe’s community of 27 privacy regulators over enforcement against multinationals in technology, banking or other industries. Caspar has been one of the bloc’s most outspoken critics of the current system, under which Ireland’s watchdog is a key player due to the fact that many Silicon Valley firms are based in the country.

So far, France’s data protection agency issued a €50 million fine against Google in early 2019, which the search giant is appealing. The United Kingdom’s regulator also said it would slap British Airways and Marriott International, the hotel chain, with a collective £282 million fine, though the ruling has been mired in legal uncertainty.

Bottomless pit

Caspar said EU agencies must be allowed to work with each other on international cases to avoid delays that can undermine people’s rights.

Under the current system, only the watchdog in the country where the company is legally established has the authority to investigate potential abuses. Other regulators are allowed to weigh in via cooperation mechanisms and must approve the final penalty.

“Time is a core issue in our digital world,” Caspar said. “Every month that goes by, another [international] case goes into the case register. We’re postponing them until they are forgotten.”

Despite his calls for change, Commission officials already have confirmed they will not change the enforcement procedures for Europe’s tough data protection standards as part of an upcoming two-year review.

Officials in Brussels and in EU data protection agencies acknowledge the current regulatory system has not been fully effective in enforcing people’s privacy rights. But they add that the rules have forced many companies to change their behavior.

Caspar told POLITICO the failure to move ahead with high-profile cases against many of Silicon Valley’s largest names was having a knock-on effect on both rivals’ ability to compete and people’s trust in officials’ willingness to uphold their privacy rights.

Ireland currently has more than 20 ongoing investigations into the likes of Facebook, Twitter and Google, but has yet to issue any fines or legally-binding changes to how those companies handle individuals’ data.

The German regulator said the Irish regulator was not to blame for these delays. But he added that his office was reticent to investigate smaller, local companies like Xing, the German social network, when LinkedIn, its largest American rival owned by Microsoft, had yet to be sanctioned in an ongoing case filed with the Irish authority.

“A lot of companies tell us that there’s no fair competition in the market because of the differences in how Europe’s privacy rules are enforced between countries,” he said.

“We have to cooperate in the structure of enforcement,” Caspar added. “We have to be disappointed because the main mechanism for safeguarding rights is the deterring effect of the law.”

Source: Politico EU

Two years into new EU privacy regime, questions hang over enforcement

Here's how the region's new data protection rules have panned out.

As Europe’s flagship privacy law celebrates its second birthday, a question still dogs regulators: Where is the big-ticket enforcement?

Since May 2018, European privacy watchdogs have levied just over €150 million in fines under the General Data Protection Regulation, or GDPR.

Collectively, regulators’ budgets to police and enforce the rules now stand at almost €300 million, an amount far lower than what many officials would like. Almost 300,000 complaints have been filed against everyone from Facebook and Google to mom-and-pop stores across the 27-country bloc.

But two years since the EU’s flagship privacy regime came online, Silicon Valley’s biggest names remain largely unscathed despite a volley of complaints. Ireland, which plays host to many of these tech giants, announced Friday it had finalized an investigation into Twitter, its first targeting a Silicon Valley firm.

The decision has been submitted to other EU regulators who must approve it. A final decision and possible fine are due next month.

The Netherlands is still investigating Netflix, while Luxembourg’s privacy authority, which has jurisdiction over Amazon and Paypal among others, has yet to issue a single enforcement notice.

“I’m completely critical of the enforcement structure of the GDPR,” Johannes Caspar, head of Hamburg’s data protection agency, told POLITICO. “The whole system doesn’t work.”

David vs. Goliath

Part of the problem is clunky cooperation between EU officials.

Under the region’s new privacy laws, the watchdog where a company is headquartered is responsible for investigating all possible infractions by that firm across the bloc. But some authorities, notably those in Germany, have criticized the system as ineffective and ultimately unfit to protect Europeans’ privacy rights. They have suggested the creation of a pan-European regulator to rein in Big Tech.

But such a wholesale change is beyond the scope of the European Commission’s upcoming evaluation of the rules, which is expected on June 10. More likely is a call for greater use of existing cooperation mechanisms, including a monthly meeting among regulators in Brussels.

“One of the problems with the GDPR is that it has become the law of everything,” said Helen Dixon, the Irish privacy regulator, in an interview with POLITICO. “It’s drawing data protection authorities into making an awful lot of decisions that impact societies and individuals that appear to go well beyond the data processing.”

The coronavirus crisis has piled extra pressure on regulators as governments have turned to data gathering techniques, from contact-tracing smartphone apps to thermal cameras for temperature checks, to halt the virus’ spread.

Regulators have offered vastly different responses to those activities.

One theme unites all regulators, however — a lack of resources.

Amazon’s global revenue exceeded €257 billion last year, but the Luxembourg authority overseeing its EU operations has a budget just shy of €5.5 million, with 43 employees.

The Irish watchdog’s annual budget of around €15 million is mostly pocket change compared with the billions earned annually by Facebook, Google and Microsoft. Almost every EU agency is understaffed and underfunded for the job they have been tasked with under the new rules.

Against that backdrop, it’s easy to see why watchdogs are cautious. Their legal firepower is no match for the deep bench of lawyers that international companies can throw at lengthy appeals.

Such costly missteps are already part of the legal landscape. Record multimillion-pound fines announced last summer by the U.K.’s data protection authority have yet to materialize, and look almost certain to be much lower than initially proposed. Courts have overturned privacy penalties in Poland, Belgium and Bulgaria, fueling worries within agencies of potential future missteps.

“One of the biggest mistakes that we can do is to go fast with some things and to lose it in judicial review,” said European Data Protection Supervisor Wojciech Wiewiórowski when he took office back in December. “If we fail judicial review, not because of the merit of the case, but because of some formality that was done wrongly on the road for the lack of the process and the proceedings, it would be disaster.”
