How did the ‘toughest ever’ data protection law, GDPR, fail?

The European Union’s General Data Protection Regulation (GDPR) is four years old. The regulation, which came into force on 25 May 2018, lays down strict rules for the protection and management of EU citizens’ personal information. Its scope is very broad: it applies to any company that processes EU citizens’ data, regardless of where the company is located.

Since its promulgation, the GDPR has been regarded as the “strictest” data protection law in history. Wired magazine once described it this way: “GDPR sets the foundation for global data protection for the next decade, and it will regulate and restrict almost every aspect of how tech companies use personal data to make money.”

Four years later, Wired’s latest article, titled “How GDPR Failed”, addresses its predicament: the world’s leading data law has indeed changed the way businesses operate, but its effect in reining in the tech giants is still quite limited.

Inefficient adjudication

In terms of implementation, the number of GDPR rulings against the world’s major data companies is still very low.

For example, more than 1,400 days have passed since NOYB, a non-profit data rights organization, filed its first complaints under the GDPR. The complaints largely targeted well-known companies, including Google and Facebook, for forcing users to give up personal data without proper consent. These historic complaints were filed on May 25, 2018, the day the GDPR came into force, yet four years later NOYB is still waiting for a final judgment, and this is by no means an exception.

Under the GDPR, when a company operating in several EU countries is the subject of a complaint, the case is usually transferred to the country where its European headquarters is located. This so-called one-stop mechanism requires the country hosting the European headquarters to lead the investigation. For example, the complaint against Amazon falls to the small country of Luxembourg; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland handles Yahoo, Twitter, Microsoft, Apple and LinkedIn.

A slew of complex early-stage GDPR cases has put enormous pressure on Irish regulators, and cross-border collaboration has been slowed by cumbersome paperwork. **According to statistics released by the regulator itself, Irish regulators have completed 65% of cross-border adjudication cases since May 2018, with a total of 400 cases still pending.** The cases brought by NOYB against Netflix (Netherlands), Spotify (Sweden) and PimEyes (Poland) are typical of the years of delay.

As the GDPR has been in force longer, fines have also mounted and now total 1.6 billion euros (about 1.7 billion US dollars). The biggest of these was Luxembourg’s 746 million euro fine on Amazon last year. In addition, Ireland issued a fine of 225 million euros to WhatsApp. (Both companies said they would appeal.)

Helen Dixon sits on Ireland’s Data Protection Commission (DPC), the core of European GDPR enforcement, which oversees many of the large technology companies. For a long time the Data Protection Commission has been unable to digest the large number of complaints that fall within its mandate; its perceived incompetence has drawn dissatisfaction from other regulators, and various quarters have called for reform of the Commission. But Dixon has her own difficulties. “If everything is in front of you at the same time, then to maintain such an important legal framework we can only deal with matters according to priorities, and the speed is naturally not ideal.” She also said the Data Protection Commission has had to work out the GDPR’s complex legislative reasoning from the ground up, and that many of the new cases and new processes it raises have no simple answers at all.

Dixon further explained, “I think for the first four years of the GDPR, the Irish Data Protection Commission has played a very effective role. In fact, in a short period of time the Commission has established a new legal framework and tied its parts together, and has issued several major sanctions in the form of fines and corrective measures.” Indeed, over the years the Data Protection Commission has handled thousands of national cases and has taken action against Twitter, WhatsApp, Facebook and Groupon.

Moreover, the point of GDPR is not only to impose fines and order companies to change, but also to steer business practice in the right direction. Experts believe that without GDPR, businesses would still misuse people’s data as recklessly as before. A recent study estimated that the number of Android apps on the Google Play Store has fallen by a third since the inception of GDPR, though it also questioned how much these removals did to protect user privacy.

It’s hard for tech companies to comply

But for the big tech giants with vast amounts of data, GDPR compliance is a challenge of another order of magnitude.

As it stands, Meta (formerly Facebook) is still struggling to comply with GDPR. For example, an internal Facebook document obtained by Motherboard suggests that the company itself is not very clear about how it handles user data.

Facebook engineers say they are working to trace how user data flows through the company’s systems. Regulations such as the EU’s GDPR restrict how platforms like Facebook can use their users’ data: GDPR states that personal data must be “collected for specific, explicit and lawful purposes and shall not be further processed in a manner inconsistent with those purposes”.

This means that each piece of data, such as a user’s location or religious orientation, can only be collected and used for a specific purpose, and not for others. Facebook has been criticized for using its users’ phone numbers in its “People You May Know” feature, and the company eventually had to stop the practice after it was discovered.

Its engineers also used a metaphor to illustrate Facebook’s predicament:

Imagine you have a bottle of ink in your hand. This bottle of ink is a mixture of various user data (3PD, 1PD, SCD, European, etc.). You pour this bottle of ink into a lake (our open data system; our open culture)…and it goes…everywhere. How do you put the ink back in the bottle? How do you organize it again so that it only flows where allowed in the lake? (3PD refers to Third Party Data; 1PD refers to First Party Data; SCD refers to Sensitive Category Data.)

Facebook was quick to deny that it does not know what it does with user data. Similarly, a joint investigation by WIRED and Reveal in late 2021 found serious flaws in the way Amazon handles customer data. (Amazon, for its part, emphasizes that it has a “good” tradition of protecting data.)

Ulrich Kelber, head of Germany’s federal data protection watchdog, believes that “GDPR is still struggling to bind big tech companies. After all, big tech cases are invariably cross-border, which requires multiple data protection agencies to collaborate through the one-stop mechanism.” For such cases, the one-stop mechanism allows other European regulators to comment on, or even challenge, the final decision of the lead agency. For example, Ireland’s fine on WhatsApp rose from an initial €30 million to €225 million after other regulators stepped in.

Changing the way GDPR works

The one-stop mechanism is built into the GDPR, and over the past four years the GDPR itself has exposed many parts that need improvement. Tobias Judin, international head of the Norwegian data protection agency, mentioned that they need to circulate several draft rulings each week among European data regulators. “In most cases, the other side will agree,” Judin said. (Germany has raised the most dissenting views.) These rulings often require multiple back-and-forths between regulators and are heavily burdened by bureaucracy. “We are also considering whether it makes sense and is feasible to have a single national data protection authority handle cases that affect multiple European countries at the same time.”

The French data regulator is more inclined to pursue directly how companies use cookies, thereby bypassing the cumbersome cross-border GDPR process. Although it may seem like the same thing, annoying cookie prompts are not actually governed by the GDPR but by the EU’s separate e-Privacy rules. France has done just that: under Marie-Laure Denis, head of its regulator CNIL, it has imposed hefty fines on Google, Amazon and Facebook over their cookie policies. What’s more, the cases made big companies change their behavior: following this enforcement, Google changed its cookie notices across Europe.

“We’re seeing a real and concrete evolution of the digital ecosystem, and that’s a trend we’d like to see,” Denis said, explaining that CNIL will next examine data collection by mobile apps under the e-Privacy rules and cloud data transfers under the GDPR. Denis believes that cookie enforcement is not simply a way to avoid the lengthy GDPR process but an effective way to solve the problem. “We still believe in the GDPR enforcement system, it’s just that we need to enforce it better and faster.”

Over the last year, calls to change the way GDPR works have grown louder. Viviane Reding, the politician who proposed GDPR in 2012, spoke on this topic in May last year and said that “for major cases, enforcement should be more centralized.” Against this backdrop, Europe has since passed two major digital regulations: the Digital Services Act and the Digital Markets Act. These laws focus more on competition and internet safety and are enforced differently from the GDPR; in some cases, the European Commission directly investigates big tech companies. From this point of view, GDPR enforcement does seem to have fallen behind the times, confirming the inefficiency of implementation that politicians had raised before.

Still to be perfected

A redesign of the GDPR may be unnecessary, but small tweaks might help improve enforcement. At a recent meeting of data regulators convened by the European Data Protection Board, countries agreed to set fixed deadlines and timetables for some cross-border cases and said they would try to carry out certain investigations “jointly”.

According to Massé from Access Now, a small change to the GDPR would be enough to significantly ease a series of major enforcement challenges. Legislation should ensure that all data protection authorities handle complaints in the same way (including using the same forms), clearly define how the one-stop mechanism works, and ensure that national procedures fit together seamlessly. In short, it should at least clarify how individual countries are to carry out GDPR enforcement.

Data watchdogs largely support this view. Denis from France believes that regulators should speed up the sharing of information on cross-border cases so that national regulators can build an informal consensus on the basis of a shared understanding. “For example, the Commission can look at the resources allocated to the data protection authorities; after all, EU member states are obliged to provide the data protection authority with the adequate resources necessary to carry out its duties.” Compared with the big tech companies, regulators have serious shortfalls in investigative resources and enforcement staff in every respect, which makes breaking down these silos all the more imperative.

Dixon, from Ireland, also stressed that “it would be better if a specific legal instrument could be issued for the GDPR, clearly specifying certain process and procedural issues.” She added that new rules should also settle questions such as access to documents during investigations, whether complainants have the right to participate in the investigation, and how translation is handled. “There has been no consensus answer to these questions, which has resulted in long delays and deep dissatisfaction on all sides.”

Civil society groups have also warned that without some strong enforcement changes, the GDPR may ultimately fail to stop bad practices by big tech companies, let alone raise privacy awareness. Ryan believes that “the immediate target that needs to be addressed is the big tech companies. If we can’t get at these tech companies, people’s privacy and data rights will never be guaranteed.”

Four years on, Massé said she was dissatisfied with the effect of the GDPR, but still hopeful. “GDPR has not brought the desired effect, but what we should do is to continue to improve it, not to rush it into the garbage heap of history.”

Reference link:

https://www.wired.com/story/gdpr-2022/

https://www.vice.com/en/article/akvmke/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes

The text and pictures in this article are from InfoQ

This article is reprinted from https://www.techug.com/post/how-did-gdpr-the-strictest-data-protection-law-in-history-fail.html