Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Brave accuses European governments of GDPR resourcing failure

Brave, a maker of a pro-privacy browser, has lodged complaints with the European Commission against 27 EU Member States for under resourcing their national data protection watchdogs.

It’s asking the European Union’s executive body to launch an infringement procedure against Member State governments, and even refer them to the bloc’s top court, the European Court of Justice, if necessary.

“Article 52(4) of the GPDR [General Data Protection Regulation] requires that national governments give DPAs the human and financial resources necessary to perform their tasks,” it notes in a press release.

Brave has compiled a report to back up the complaints — in which it chronicles a drastic shortage of tech expertise and budget resource among Europe’s privacy agencies to enforce the region’s data protection framework.

Lack of proper resource to ensure the regulation’s teeth are able to clamp down on bad behavior — as the law drafters’ intended — has been a long standing concern.

In the Irish data watchdog’s annual report in February — aka the agency that regulates most of big tech in Europe — the lack of any decisions in major cross-border cases against a roll-call of tech giants loomed large, despite plenty of worthy filler, with reams of stats included to illustrate the massive case load of complaints the agency is now dealing with.

Ireland’s decelerating budget and headcount in the face of rising numbers of GDPR complaints is a key concern highlighted by Brave’s report.

Per the report, half of EU data protection agencies have what it dubs a small budget (sub €5M), while only five of Europe’s 28 national GDPR enforcers have more than 10 “tech specialists”, as it describes them.

“Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs,” it warns. “All other EU countries are far behind Germany.”

“Europe’s GDPR enforcers do not have the capacity to investigate Big Tech,” is its top-line conclusion.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Dr Johnny Ryan, Brave’s chief policy & industry relations officer, in a statement. “Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

It’s worth noting that Brave is not without its own commercial interest here. It absolutely has skin in the game, as a provider of privacy-sensitive adtech.

Ryan has also been a key instigator of a number of strategic GDPR complaints — such as those filed against certain widespread adtech industry practices. Enforcement against programmatic advertisement’s use of real-time bidding would very likely be of commercial benefit to Brave, given its engineered to operate a different model.

But such commercial interest in robust and active GDPR enforcement doesn’t undermine Brave’s core beef — aka: that regulatory inaction is linked to DPA under-resourcing.

Indeed, the UK’s ICO has itself, er, blogged multiple times about the systemic problem of unlawful adtech — repeatedly calling for the industry to reform. But not actually doing anything when it doesn’t.

It’s just this sort of ‘soft soap’ from regulators — words, instead of firm GDPR enforcement — that’s in Brave’s sights. Nor is it alone in complaining about the lack of GDPR ‘bite’; independent privacy campaigns and researchers have dubbed ongoing regulatory inaction as a “disastrous” failure that’s undermining the rule of law.

We reached out to the Irish Data Protection Commission, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and the European Commission for comment on Brave’s report and to ask whether they believe GDPR is functioning as intended.

A major milestone is looming with the regulation’s two year birthday falling next month — which will be concentrating minds within EU institutions.

A spokesman for the EDPS pointed us to this joint document with the EDPB — which was adopted in mid February, ahead of this wider evaluation process for GDPR.

In a section of the document on enforcement the assessment finds “increased attention and effort toward enforcement of data protection laws by most SAs” [supervisory authorities], with the EDPB noting that: “The new enforcement tools provided by the GDPR and the SAs made use of a wide range of corrective measures, i.e. not only administrative fines but also warnings and reprimands”.

On fines specifically, the evaluation notes that between May 25, 2018 and November 30, 2019, a total of 22 EU/EEA data protection agencies made use of this corrective power — with 785 fines issued overall (although around 110 of which relate to infringements that predate GDPR coming into force).  

“Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future,” they further note.

In terms of what fines have been issued for, the write that most related to principles relating to processing of personal data (Art. 5 GDPR); lawfulness of processing (Art. 6 GDPR); valid consent (Art. 7 GDPR); processing of special categories of personal data (Art. 9 GDPR); transparency and rights of the data subjects (Art. 12 to 22 GDPR); security of processing and data breaches (Art. 32 to 34 GDPR).

We’ll update this report with any other responses to Brave’s report. We’ve also asked the Commission if it will be instigating infringement proceedings against any Member States.

As noted above, the Commission will publish a review of GDPR next month, as the regulation reaches its second anniversary. And while plenty of compliance activity is undoubtedly taking place, away from flashy headlines — such as data impact assessments; and accelerated data breach notifications — which will be provide plenty of filler for the looming Commission report, the biggest ongoing criticism attached to GDPR is the lack of perceived action over major cross-border complaints. And, therefore, the lack of enforcement against major platforms and tech giants.

A $57M fine for Google by France’s CNIL back in January 2019 stands as something of a lone exception on the major-financial-penalties-for-tech-giants front.

However, fines seems a poor lever to spur reform of resource-rich tech giants. Just look at the $5BN fine Facebook negotiated with domestic regulators in the US — a tiny price-tag for its earlier flouting of US regulatory requirements. tl;dr fines — even record-breaking ones — are a line of business expense for platforms operating at this level.

So it’s worth noting some high profile interventions/warnings by EU DPAs — which did not involved any actual financial penalties — have netted some tangible changes to how voice assistant AI systems function.

Last summer, for example, it emerged that the Hamburg data protection authority, in German, had informed Google of its intention to use Article 66 powers of the GDPR to begin an “urgency procedure” — which allows a DPA to order data processing to stop if it believes there’s “an urgent need to act in order to protect the rights and freedoms of data subjects”.

Just the warning that it was about to unbox that power appeared to be enough to spark action from Google which suspended manual (human) audio reviews of Google Assistant across the whole of Europe.

There were similar process changes from Apple and Amazon — following regional press and regulatory attention. (Global changes, in the case of Apple.)

So the picture around GDPR enforcement is a little more nuanced than just ‘hey DPAs, show us the money’.

Nonetheless, Ireland remains an obvious ‘one-stop’ bottleneck for the functioning of regulation — making the agency an eye-catching pinata for those who like to claim GDPR isn’t working.

The DPC cannot remain in this critical limbo forever, of course, no matter how concerned it evidently is that its decisions stand up to tech giants’ lawyerly nitpickings and future judicial review.

Decisions in the more than 20 cross-border cases stuck on its desk — including complaints against Apple, Facebook, Google, LinkedIn, Twitter and TechCrunch’s own parent, Verizon Media, to name a few — must flow eventually. And, per earlier comments, pretty quickly now — given the first decisions were slated for ‘early’ this year. (Expect the coronavirus crisis to provide some cover for any further administrative delay.)

Whatever those crux decisions look like, critics will still be able to shoot back that they’ve come too late to be truly effective, though.

Comments

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio...

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line...

How the world’s largest cannabis dispensary avoids social media restrictions

Planet 13 is the world’s largest cannabis dispensary. Located in Las Vegas, blocks off the Strip, the facility is the size of a small Walmart. By design, it’s hard to miss. Planet 13 is upending the dispensary model. It’s big, loud and visitors are encouraged to photograph everything. As part of the cannabis industry, Planet 13 is heavily restricted on the type of content it can publish on Instagram, Facebook and other social media platforms. It’s not allowed to post pictures of buds or vapes on some sites. It can’t talk about pricing or product selection on others.   View this post on Instagram   A post shared by Morgan Celeste SF Blogger (@bayareabeautyblogger) on Jan 25, 2020 at 7:54pm PST Instead, Planet 13 encourages its thousands of visitors to take photos and videos. Starting with the entrance, the facility is full of surprises tailored for the ‘gram. As a business, Planet 13’s social media content is heavily restricted a...