The EU is about to take a big stick to Big Tech.


Opinion

The European Union is said to have some of the strictest privacy laws in the world, threatening fines of up to 4% of a company’s annual revenue. A lesser-known fact, and one that big tech companies want to keep quiet, is that the EU does not strictly enforce its rules.

In the years after introducing a landmark privacy law known as the General Data Protection Regulation (GDPR) in 2018, the European Union has delegated the policing of Big Tech to the countries that host the companies’ European headquarters. That will put pressure on countries such as Ireland, which hosts several large Internet companies that have repeatedly been accused of breaching privacy laws, including Meta Platforms Inc. Ireland has fined Meta alone 1 billion euros ($1.1 billion) in the previous five months, but the penalties took years to come, and, in the latest case, Ireland was forced by its European peers to raise the penalty significantly. Ireland has been a bottleneck for EU enforcement because of its slow handling of cases and its relatively business-friendly interpretation of GDPR rules.

But this may well change now, as the EU’s executive body, the European Commission, requires each country to share an overview of its data protection audit six times a year. A country’s supervisory authority should provide an overview of large-scale cross-border investigations under the GDPR, including, crucially, the main steps taken in each case and all investigative or other measures, according to a Bloomberg Opinion document detailing the Commission’s response to recommendations from the European Ombudsman. The move shows a strong stance on privacy by holding regulators themselves accountable for properly investigating companies.(1)

While the Commission issues a report every two years or so on the general state of GDPR enforcement, (2) the executive body has not systematically scrutinized the work of each country’s privacy regulator. In theory, if national regulators don’t meet the new data requirements, the country’s government could face legal action at the European Court of Justice. Privacy regulators have never had their feet held to the fire like this.

Ireland, the Netherlands, Luxembourg and France are the countries where this change is most important. Ireland is home to the largest tech companies on the coast, while Uber Technologies Inc. is in the Netherlands, Amazon.com Inc. is in Luxembourg, and Criteo SA, one of the world’s largest online advertising companies, is in France.

The change appears to be the result of a complaint to the EU ombudsman by the Irish Council for Civil Liberties (ICCL), which has raised several objections to the EU over how Ireland’s privacy watchdog handles Facebook.

“Before, you had issues that were lying dormant for years and the privacy laws weren’t enforced,” said Johnny Ryan, a senior fellow at ICCL. This heralds the start of real enforcement, and that means tougher European enforcement against Big Tech.

The EU’s one-stop shop, which bureaucrats say allows a country to police tech companies, has put privacy advocates in the unusual position of complaining not only about companies but also about regulators themselves for not being strict enough. Austrian privacy advocate Max Schrems has suggested action against Luxembourg’s privacy watchdog over a long-standing complaint against Amazon for allegedly breaching and exposing user data to exploitation.

The European Ombudsman, which investigates administrative complaints against the EU, has confirmed it has been told by the European Commission that it will step up its scrutiny of the national privacy watchdogs.

Ireland’s Data Protection Commission argued that the cases were complex and time-consuming, and that despite being overwhelmed by the huge number of tech companies under its remit, it had been able to resolve hundreds of cross-border complaints over the past four years.

But the European Court of Justice called out the Irish watchdog for “continued administrative instability”. And earlier this month, the regulator was forced by the European Data Protection Board to increase the fine against Meta from 28 million euros to 390 million euros for illegal data handling, after first contacting Meta in connection with the original complaint.

As the Commission examines the homework of each regulator, the watchdogs will be forced to work harder and avoid stagnation: the years of delay between the filing of a complaint and the opening of an inquiry will be fully visible to the EU’s mothership, as will the many months that pass between correspondence on a matter, or complaints with no investigation.

One problem with this development is that the Commission does not conduct its audit work publicly. All information shared by national privacy regulators will be kept “confidential”.

Until then, we must make do with what is a step in the right direction. The renewed scrutiny won’t be public, but at least it’s happening.


(1) According to the document, the Commission’s Department of Justice and Consumer Affairs, headed by Commissioner Didier Reynders, “requires all national supervisory data protection authorities to share with the Commission every two months and in strict confidence” an overview of large-scale cross-border investigations under the GDPR containing information on the following predefined fields: case number; controller or processor involved; type of investigation (e.g. ex officio or complaint-based); a summary of the scope of the investigation (including which GDPR provisions apply); relevant DPAs; main procedures taken and dates; investigative or other actions taken and dates.

(2) The Commission’s last such report, published in 2020 and referring to Ireland once, said that overall resources for privacy enforcement were “uneven among Member States”.

This column does not necessarily reflect the views of the editorial board or Bloomberg LP and its owners.

Parmy Olson is a Bloomberg Opinion columnist covering technology. A former reporter for the Wall Street Journal and Forbes, she is the author of “We Are Anonymous.”
