Big Tech might see more enforcement action as EU's GDPR turns two

As the EU marks the second anniversary of the General Data Protection Regulation — its strict data-protection rules — large US tech companies that have so far mainly avoided significant fines should prepare for closer regulatory enforcement in the months ahead.

Privacy experts had anticipated greater enforcement activity by the law’s second anniversary, and companies based outside the EU caught by the GDPR have yet to see any enforcement. But one sign the tide is turning came late Friday when Ireland announced major progress on its first Big Tech probes.

Frequent low-level fines have dominated the landscape in many EU countries in the past year, with privacy advocates deploring regulators’ lack of coordination and weak government support for national data-protection authorities.

But now tech companies are closely watching the conclusion of more than two dozen Irish investigations into companies such as Twitter and Facebook-owned WhatsApp.

On Friday, Twitter became the first US tech giant being probed by the Irish Data Protection Commission to enter the GDPR’s "one-stop shop" process for cross-border cases, when the watchdog forwarded its decision to peers at the European Data Protection Board, the umbrella body for the bloc's national regulators. The move represents the most high-profile test yet of how the process works.

WhatsApp also saw a major advance in one of its two Irish probes as the Dublin-based regulator sent its keenly watched draft decision to the company.

It’s all a sign that more serious GDPR enforcement has started to take off, after regulators at first focused mainly on advice and guidance to companies.

— Modest enforcement —

There's a widespread perception that the EU has, until now, generally seen low levels of GDPR enforcement. The regulation allows enforcers to levy fines of up to 20 million euros ($21.8 million) or 4 percent of a company's annual global turnover, whichever is higher.

For many companies, it means they're unclear what their risks are, and if there’s no real step-up in enforcement, they’ll carry on as normal, in breach of the law’s requirements.

Irish companies, for example, haven’t yet had a clear sign of the Irish Data Protection Commission’s enforcement approach. The Irish DPC only recently issued its first local GDPR fines, and on a government-run agency. The proposed fine on Twitter remains confidential while it goes through a review process from other EU privacy regulators under the GDPR’s "one-stop shop" mechanism.

“In Ireland, companies are sitting and waiting, because they generally take a very commercial view," David Fagan at Irish practice Business Legal, which mainly represents smaller businesses, told MLex. “They are not interested in what the law says. They are interested in what the practical outcome is."

The idea of modest enforcement has been put into sharp focus by the fact that some of the high-profile cases with the biggest impact on individuals’ privacy will take years to resolve through national and EU courts. Cooperation among the bloc's enforcers on cross-border cases through the "one-stop shop" can be lengthy. So far, case handling has been slow, which puts its effectiveness into question.

Under the "one-stop shop," investigations into complaints are led by the national regulator where the company has its EU base, known as its place of "main establishment," supported by input from other domestic “concerned” authorities.

Johannes Caspar, the data-protection regulator of the German state of Hamburg, said the mechanism has led to a shift of responsibility, with only a few supervisory authorities in the EU dealing with large global data processors. Caspar called for deadlines in long procedures and for the possibility for other authorities to step in earlier on in investigations.

“Concrete time limits, such as a three-month deadline, should significantly shorten the currently unsatisfactory processing times for the submission of draft decisions by lead authorities,” Caspar said.

Under the GDPR, national watchdogs can ask colleagues to take certain actions, or to start an “urgency procedure” if another authority is inactive.

Austrian civil-rights group Noyb, which filed three complaints against Facebook on May 25, 2018, said in an open letter today that the European Commission should take legal action against Ireland.

“With about 10,000 complaints in two years and no fines at all against private actors, it is obvious that Ireland does not effectively implement EU law,” the group said in a statement today.

The Irish DPC has 23 live probes into Apple, Facebook, Google, Instagram, LinkedIn, Quantcast, Tinder, Twitter, Verizon Media and WhatsApp — because all those companies have an EU base in Ireland.

— Extraterritorial enforcement —

Enforcement of rules on companies based outside the EU also looks dubious. The GDPR extends to businesses that have an “establishment” in the bloc, or which are targeting goods or services to individuals in the bloc.

So far, regulators have seemingly failed to exercise their power to enforce the GDPR with non-EU companies with no establishment in the bloc, signaling a notable gap in overall enforcement. Not only is it at the bottom of EU regulators' enforcement priorities, the regulation’s extraterritoriality hasn't spurred companies without an EU base to appoint a representative, complicating regulators' enforcement options.

Business Legal's Fagan, whose practice also offers a representative service for non-EU businesses, said that complying with their obligation to designate an EU representative is "well down people's list . . . right now, nobody cares."

— Delays, lack of transparency —

Part of the reason why enforcement hasn’t worked as well revolves around the fact that many national regulators refuse to disclose information about ongoing or completed investigations. That’s particularly problematic when it comes to the progress of high-profile probes, such as those into large tech companies like Amazon.com and Netflix.

In some cases, regulators’ lack of transparency is related to their internal policy, or structure. In the latter, if there's a separate branch that handles enforcement matters, it might have its own approach and decide not to publish information on where things stand, other than the annual progress reports that all regulators publish.

Tine Larsen, the president of Luxembourg's National Commission for Data Protection, said in an interview with MLex that she can’t reveal anything about pending investigations until the entire appeal procedure has been exhausted. That could take years, she admits.

Larsen’s office is probing Amazon.com following complaints by French non-profit organization La Quadrature du Net in 2018 and Noyb in 2019.

She also defended the lengthy procedure, saying that investigations take time because cases are complex, and she wants to ensure due process and the protection of defense rights.

Larsen said the authority would like to clear some of its backlog of pending cases in the autumn. Since the GDPR took effect, the regulator has handled about 60 cases, some of which have been closed. The regulator had been expecting to issue some decisions in the spring, but delays occurred due to the Covid-19 crisis.

The UK, which participates in the "one-stop shop" mechanism until the end of the Brexit transition period, currently set for Dec. 31 this year, has also seen delays in finalizing high-profile probes. The Information Commissioner’s Office is expecting to wrap up investigations into British Airways and hotel chain Marriott International by September, and to impose possible fines on them running into millions.

— Active enforcers —

The overall lack of transparency about decisions means that getting a complete picture of data-protection enforcement across the bloc is difficult, because penalties aren't always made public.

A look into the most recent information about fines collected by MLex shows that the Spanish, Italian, Romanian and Belgian regulators have been at the forefront.

In Spain, privacy regulator AEPD is traditionally one of the most active enforcers in the EU. That, combined with the fact that it publishes all its decisions, including those about dismissed complaints, and the increased number of complaints generally, might explain why the regulator appears to have boosted its enforcement action.

Last year, the AEPD issued 338 decisions and fines for GDPR violations. In its 2019 annual report, it said most of these cases involve complaints about video surveillance, Internet services and advertising. The areas with the highest overall amount of fines correspond to directories, telecoms, fraudulent hiring and security breaches.

The Spanish unit of telecom giant Vodafone has been hit with a series of penalties, including a fine of 120,000 euros in February for unlawful data processing, and a fine of 60,000 euros in March for a breach of consent.

In Italy, the record fine of 27.8 million euros on Telecom Italia, or TIM, for aggressive telecom telemarketing should be seen as a warning to other operators that process data on a large scale. TIM was sanctioned with the highest penalty in the country since the GDPR’s entry into force, mostly because privacy regulator Garante had already warned Italian telecom companies about their aggressive marketing practices.

In Belgium, a legal website received a fine of 15,000 euros for violating the GDPR’s tracking-cookie policy. The company has said it will pay the penalty.

The privacy regulator in the Netherlands, however, is facing court appeals to its decisions in a case against tennis association KNLTB, which was fined 525,000 euros for sharing data with third parties, and an unnamed company — fined 725,000 euros — for collecting employees' biometrical data.

— Getting probes right —

Such risks of legal challenges are in themselves problematic for GDPR enforcement.

Regulators are taking long to decide on high-profile cases, especially those involving Big Tech companies, to avoid losing any subsequent court battles from the infringers against their verdicts and fines. Enforcers have striven to be as thorough and as fair as possible in ruling on cases. That may also explain why some watchdogs have chosen to concentrate only on a handful of cases.

Larsen, the head of the Luxembourg privacy watchdog, stressed that point. She said she agrees with Helen Dixon, the Irish data-protection chief, who has argued that the investigations can’t be rushed. Any decision will be appealed by the companies, and authorities don’t want their first decisions overturned because of procedural errors.

"There's pressure on Ireland and on Luxembourg because of Amazon,” Larsen said. The non-governmental organizations “want big multinational companies to have sanctions. I agree with Helen Dixon; we feel the pressure."

— Lawsuits —

Undoubtedly, larger companies will challenge any major fines they get.

They’re expected to particularly attack the way the penalties were calculated. While regulators will generally go for the highest possible fines based on the largest entity — that is, the parent company — businesses will stress the concept of data controllership in the GDPR and liability stemming from it. It means that the responsibility lies with a smaller entity or a company division, rather than the entire group. Judges may well agree with that view and lower the fines.

It’s clear that such court fights will take years to resolve, especially if they're referred for interpretation to the EU’s highest court. A case in point: Google, which was hit with the largest GDPR fine to date in France in January 2019 — 50 million euros — has yet to learn when its appeal will be heard by the country's highest administrative court.

And in the case of Facebook, a five-year-long Belgian dispute about how the social-media giant handles tracking cookies ended up before the EU Court of Justice for interpretation of the thorny question of jurisdiction (see case file here).

The fact that appeal cases are taking long to resolve puts into doubt the efficiency of the GDPR for boosting citizens’ data-privacy rights.

It’s no surprise, then, that privacy advocates are frustrated and pessimistic about the remedies available to individuals. For many of them, filing complaints has failed to lead to prompt resolution of violations, and they're starting to consider direct court action against cross-border infringements, bypassing privacy regulators.

Taking this route would be “proving the failure of the GDPR," Romain Robert, a senior lawyer at Noyb, told MLex.