Two Years On, GDPR Enforcement Is Yet To Live Up to the EU’s Single Market
Back in 2016, the General Data Protection Regulation (GDPR) represented the promise of legal certainty for businesses and uniform application and enforcement of data protection rules across Europe’s single market. Two years after its entry into force, that promise is yet to materialise. Our take-away: limited resources are oftentimes wasted on futile enforcement that could be better spent providing companies with clear and uniform compliance advice and with additional instruments to transfer data outside Europe.
On paper, the GDPR provides strong substantive and enforcement data protection rules. But two years after its entry into application, old, fragmented, and under-resourced enforcement habits persist, and the promise of harmonised implementation and coherent enforcement of data protection rules has yet to take hold.
Scarce resources are wasted on trivial procedures outside data protection authorities’ jurisdictions
More than two-thirds of data protection authorities consider that they do not have sufficient resources to conduct their oversight. Yet, over the past couple of years, we have seen several data protection authorities instead seeking to expand their oversight to organisations that are located outside their jurisdiction. This ranges from random information requests all the way to infringement procedures, often justified on the basis of innovative interpretations of the GDPR.
These actions run afoul of one of the central ideas (and provisions) of the GDPR: organisations operating in several Member States should only be accountable to one ‘lead’ supervisory authority (known as the “One-Stop-Shop” principle in GDPR lingo). It is then for the authorities to work together and agree on consistent enforcement decisions where an organisation is being investigated or has been found in violation of the GDPR that affects several Member States.
Beyond the legalese, the so-called One-Stop-Shop principle and the enforcement consistency and cooperation mechanisms align with the EU’s single market objectives. In the Commission’s own words in 2016, “companies will only have to deal with one single supervisory authority – rather than the 28. This, together with the simplifications brought by a single Regulation, will save an estimated €2.3 billion every year.” The reality today is quite different.
But on a more practical level, why spend limited resources on oversight procedures outside one’s jurisdiction when they can be better spent to strengthen the consistent and full application of the GDPR?
Two years of GDPR and no new data transfer tools on the horizon
The GDPR helpfully codified Binding Corporate Rules (‘BCRs’) and introduced certifications and Codes of Conduct for companies seeking to transfer data outside Europe. That’s on paper.
But the reality after two years of GDPR is quite different. To this day, organisations can only really use the same two data transfer instruments that they were using pre-GDPR, namely Standard Contractual Clauses (SCCs) and adequacy decisions.
Take BCRs for instance. The review and approval process takes between 12 months and up to 4 years depending on the competent authorities involved, and the total one-off cost is usually in the range of 6 figures. This is arguably untenable for the vast majority of organisations.
Similarly, the review and adoption process of Codes of Conduct is often too slow at both national and European level. Two years after the GDPR became applicable, over 80 Codes of Conduct have been prepared but only a handful of national Codes of Conduct have been approved. At the European level, the European Data Protection Board (EDPB) has not reviewed or even received a single Code of Conduct from a Supervisory Authority, a procedure that is necessary for companies before transferring data under this legal ground.
One of the main reasons for this backlog is the lack of appropriate staff, funding and other resources for most data protection authorities (including authorities with prior experience with BCRs and Codes of Conduct). Scarce resources require prioritisation of workload, and providing legal clarity for organisations to transfer data is usually put at the bottom of the pile.
Yet, there is a pressing need to develop more data transfer tools at a time when the legality of both the SCCs and one important adequacy decision (‘Privacy Shield’) is being questioned in court (i.e. the ‘Schrems II’ referring case and the ‘LQDN’ case).
Unharmonised advice and missing guidance
With over 90 articles, and hundreds of recitals, the GDPR provides harmonised data protection rules across Europe, and only allows Member States to go beyond these rules in narrowly defined circumstances. Guidance from data protection authorities can be useful to clarify these rules and provide advice in concrete examples.
Yet, we have observed a growing number of national guidance documents from data protection authorities which contrast with advice from their peers. The worrying part is that divergence sometimes emerges on fully harmonised provisions of the GDPR, including its most basic provisions.
Take for instance national guidance on obtaining consent to collect and process personal data from users’ devices: the French, German, Dutch, Spanish, and Irish authorities all seem to take a different view on whether website or app publishers should obtain user consent for purely analytical cookies, if and how analytics service providers can further process user device information, or even whether ‘cookie walls’ are allowed.
Another example is the lack of clear and harmonised guidance on the ‘legitimate interest’ basis for processing: the Dutch authority significantly restricts the range of interests that can be considered legitimate, which stands in stark contrast with the approach of most other data protection authorities.
Last but not least, procedures on sanctions also deserve far greater harmonisation across the EU. Today, most enforcement decisions are generally opaque and fail to demonstrate adequate due process and a transparent methodology.
Most data protection authorities in Europe are arguably underfunded. But the misallocation of resources, if not addressed, is one of the real long-term threats to the success of the GDPR. Data protection enforcement in Europe’s single market requires as much cultural change as money.
You can read CCIA’s detailed comments on the review of the application of the General Data Protection Regulation here.