ICCL's 2021 report on the enforcement capacity of data protection authorities
Europe’s enforcement paralysis
ICCL’s 2021 report on the enforcement capacity of data protection authorities

Foreword

This report uncovers a paralysis at the heart of the GDPR. Data protection authorities (DPAs) are unable to act against Big Tech in major GDPR cases. We reveal why this is (pages 3-10), and how to fix it (page 11).

The recent WhatsApp decision notwithstanding, the Irish Data Protection Commission (DPC) has failed to send draft decisions to its European colleagues on a very large number of major EU-wide cases. This makes it impossible to police how Google, Facebook, Apple, and Microsoft use people’s data across Europe.

Ireland is the GDPR’s worst bottleneck. But there are other problems, too.

Covid-19 has forced many to adapt to digital life.¹ Despite this, Europe’s DPAs have not configured themselves for the digital era. They still lack tech specialists who can investigate what Big Tech does with people’s data.

DPA budget boosts have also declined every year since the GDPR, which indicates that national governments are not committed to the GDPR’s proper application.

The European Commission is at fault, too. It has the duty under the EU Treaties to ensure that EU law is applied. But the Commission has inadequate data to judge whether the GDPR is applied correctly.

There is no consistent view across the European Economic Area (EEA) of whether or how often lead DPAs use their investigative powers, or what specific powers are used. Nor is there an adequate overview of what precise sanctioning powers are used. As a result, the GDPR is silently failing.

The European Commission is quiescent. Distracted by the next generation of legislation, the Commission has neglected the GDPR.

The fanfare surrounding the GDPR was such that the EU’s global influence will wane if it is allowed to fail.

Consumers will suffer too, because innovative startups and venerable news publishers will be unable to compete with Big Tech’s entrenched internal data free-for-alls.

The worst cost will be that continuing data misuse will tyrannise citizens, and debase politics.

The European Commission must urgently intervene.

Johnny Ryan, Alan Toner
ICCL | 2021 DPA report

Contents

Europe is unable to police how big tech firms use people’s data. Three and a half years after the introduction of the GDPR, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on major cross-border cases. In addition, Europe’s DPAs remain underfunded, and have too few tech specialist investigators.

Introduction
1. Foreword
2. Table of contents
3. Key insights

Paralysis of enforcement on major EU-wide cases
4. Most important “one stop shops”
5. Ireland is the big EU bottleneck
6. Despite funding increases, Ireland remains bottleneck

Decisions in major EU-wide cases
7. Few EU-wide corrective actions agreed
8. Decisions focus on data subject rights

DPA capacity
9. GDPR's funding bump is fizzling out
10. Too few tech specialist investigators to police tech

Recommendations
11. Recommendations

Appendices
12. Methodology and end notes
13. Acknowledgements and caveats
Key insights

EU-wide DPA enforcement of the GDPR against Big Tech is paralysed as a result of a failure of the Irish DPC to send draft decisions to the European Data Protection Board (EDPB).

● The Irish Data Protection Commission is the bottleneck of GDPR enforcement against Big Tech across the EU. Almost all (98%) major GDPR cases referred to Ireland remain unresolved.

● Though Covid-19 has forced many Europeans to work online,¹ DPAs remain ill equipped to supervise the tech sector. Only 9.7% of EU DPAs’ 3,014 full-time staff are tech specialists.

● Less than half (44%) of EDPB final EU-wide decisions include corrective measures, such as fines or orders to stop processing.

● A small number of Member States (Ireland, Spain, Germany, Netherlands, France, Sweden, and Luxembourg) receive almost three quarters (72%) of all cross-border complaints referred between DPAs.

● EU countries’ investment in DPAs is declining.

● Germany alone accounts for almost a third (32%) of all spending on EU DPAs that oversee the private sector. More than half of all national DPAs have small (€5 million or less) annual budgets.

Key figures:
98% of major EU cases are not yet decided by the Irish DPA.
14 GDPR enforcers have annual budgets smaller than €5M.
9.7% of staff at European DPAs are tech specialists.
Most important “one stop shops”

Lead authorities of major tech firms (map; non-EEA states not shown on map)

[Map not reproduced. The map places each firm under its lead supervisory authority. Countries labelled on the map: Netherlands, Sweden, Finland, Germany, France, Portugal, Luxembourg. Firms shown: Cisco, Spotify, Adobe, Netflix, Apple, Snap, Yandex, eBay, Sony, Dropbox, Uber, Experian, Zoom, Facebook (incl. Instagram and WhatsApp), Google (incl. YouTube), Microsoft (incl. LinkedIn), Akamai, IAB TechLab, Oracle, Palantir, Salesforce, Criteo, SAP, Shopify, IBM, Slack, Ubisoft, TikTok, Twitter, Verizon, Cloudflare, Amazon, PayPal.]

The findings: Complaints referred to lead authorities by other DPAs, May 2018 - May 2021.
Ireland is the big EU bottleneck

The findings:

● The Irish DPC is the lead supervisory authority for 164 cases of Europe-wide significance. But 98% of these cross-border cases remain unresolved. In the three years from May 2018 to May 2021 Ireland has sent only 4 draft decisions to the EDPB.

The bottom line:

No other GDPR enforcer in the EU can intervene if the Irish DPC asserts its lead role in cases against big tech firms headquartered in Ireland. As a result, EU GDPR enforcement against Big Tech is paralysed by Ireland’s failure to deliver draft decisions on cross-border cases.

National backlogs delaying major European cases, as of May 2021

Country     | Draft decisions delivered (%) | Cross-border case backlog
Ireland     | 2%                            | 160
Luxembourg  | 9%                            | 83
Sweden      | 20%                           | 89
France      | 25%                           | 95
Netherlands | 36%                           | 66
Germany     | 43%                           | 105
Spain       | 52%                           | 38
Despite funding increases, Ireland remains bottleneck

[Chart not reproduced: draft decisions on EU cross-border cases as lead authority, May 2018 - May 2021. Only a fragment of its caption survived on the page: “… draft decisions than the Irish DPC”.]

Irish DPC budget now surpasses Spanish AEPD (millions of Euro, rounded)

[Chart not reproduced. Line chart of annual budgets from 2000 to 2021, with the GDPR period marked. Final 2021 values shown: Ireland €19, Spain €15.8.]
Few EU-wide corrective actions agreed

Major EU cross-border cases are slow, and few result in corrective action.

The findings:

● The European Data Protection Board confirmed decisions in 197 cross-border cases between May 2018 and July 2021. These cross-border cases are significant enough to concern several Member States.

● Less than half (44%) of the final decisions at the European Data Protection Board resulted in corrective action.

Share of final decisions: 44% corrective actions†; 15% no corrective actions; 43% dismissed or no infringement found.

Final EU-wide decisions
25 May 2018 - 21 July 2021, counts of cases that included any corrective actions

Country        | Dismissed‡ | No action | Corrective action†
Germany (all)* | 12         | 18        | 16
France         | 4          | 10        | 19
UK             | 4          | 5         | 4
Denmark        | 2          | 2         | 7
Cyprus         | 1          | 3         | 6
Sweden         | 1          | 2         | 4

Corrective-action counts for further countries in the chart (their dismissed and no-action bars could not be reliably assigned to a column on the page): Lux.º 1, Hungary 5, Irelandº 4, Latvia 3, Spain* 1, Liechtenstein 2, Czech R. 2, Netherlands* 1, Iceland 2, Finland 1, Romania 2, Lithuania* 1. Also shown in the chart: Austria, Estonia, Belgium, Poland, Malta, Norway, Italy, Switzerland, Slovakia, Slovenia, Portugal, Croatia, Greece, Bulgaria.

† Corrective actions include reprimands, fines, and other Article 58(2) powers.
‡ Dismissed category includes findings of no infringement.
* This number may be higher. National law may limit some or all decisions from being recorded.
º Ireland’s order against WhatsApp was after the period, Luxembourg’s order against Amazon was not yet published, but both are shown here.
Decisions focus on data subject rights

Outcomes of final EU-wide decisions by GDPR Article category
EDPB Article 60 decisions, 25 May 2018 - 21 July 2021

Category     | Articles       | Corrective action† | No action / dismissed‡
Data rights  | Articles 15-23 | 62                 | 74
Security     | Articles 25-36 | 21                 | 33
Transparency | Articles 12-14 | 27                 | 26
Lawfulness   | Articles 6-8   | 19                 | 32

Note, several articles may feature in a single case.

Outcomes of final EU-wide decisions by GDPR Article
EDPB Article 60 decisions, 25 May 2018 - 21 July 2021

Article                                             | Corrective action† | No action / dismissed‡
Article 17 Right to erasure                         | 36                 | 32
Article 6 Lawfulness                                | 18                 | 28
Article 15 Right of access                          | 15                 | 25
Article 12 Transparent information                  | 18                 | 21
Article 32 Security of processing                   | 17                 | 16
Article 5 Principles…                               | 8                  | 20
Article 33 Notification of a personal data breach   | 5                  | 22
Article 34 Communication of a personal data breach  | 2                  | 21
Article 13 Information to be provided…              | 11                 | 7
Article 21 Right to object                          | 6                  | 11
Article 14 Information to be provided…              | 8                  | 4
Article 7 Conditions for consent                    | 3                  | 7
Article 24 Responsibility of the controller…        | 6                  | 1

Articles for which the chart shows a single value (which of the two columns it belongs to could not be recovered from the page): Article 16 Right to rectification… 5; Article 30 Records of processing activities 2; Article 28 Processor 2; Article 20 Right to data portability 2; Article 39 Tasks of the data protection officer 1; Article 35 Data protection impact assessment 1; Article 31 Cooperation with the supervisory authority 1; Article 26 Joint controllers 1; Article 18 Right to restriction of processing 1; Article 11 Processing which does not require identification 1; Article 9 Special categories of data 1; Article 8 Conditions applicable to child’s consent 1.

† Corrective actions include reprimands, fines, and other Article 58(2) powers.
‡ Dismissed category includes findings of no infringement.
Note, several articles may feature in a single case.

GDPR's funding bump is fizzling out

EU DPA budget changes from 2017-2021†
in millions of euro; the chart shows the increase over the period in lighter colour and the 2021 total in dark text. Rows follow the chart’s order.

DPA               | Increase 2017-2021 | 2021 total
Germany (Länder*) | €21                | €62.4
Italy             | €15.6              | €36.6
Germany (Federal) | €16.1              | €31.5
Netherlands       | €15.8              | €26.3
France            | €4.5               | €21.5
Ireland           | €11.6              | €19.1
Spain             |                    | €15.8
Sweden            | €6.9               | €12
Belgium           |                    | €9
Poland            |                    | €8.3
Luxembourg        | €4.7               | €7.2
Czech Republic    |                    | €7.1
Denmark           | €3                 | €6
Hungary           |                    | €4.5
Austria           |                    | €4.3
Finland           |                    | €3.8
Greece            |                    | €2.8
Slovenia          |                    | €2.5
Portugal          | (€0.4 decrease)    | €2.4
Slovakia          |                    | €1.7
Lithuania         |                    | €1.6
Bulgaria          |                    | €1.6
Latvia            |                    | €1.3
Croatia           |                    | €1.2
Romania           |                    | €1
Estonia           |                    | €0.9
Cyprus            |                    | €0.7
Malta             |                    | €0.6

* Bayern DPA failed to provide data and is not included.
† UK not counted, due to Brexit.

% year over year increases (UK not counted), 2017-2021
[Chart not reproduced. Values shown on the chart: 20%, 18%, 15%, 14%, 7%, over the years 2017, 2018, 2019, 2020, 2021, with 2018 marked “GDPR applied”.]

Too few tech specialist staff to police tech

Europe’s DPAs are not configured for the digital era, and continue to lack the capacity to investigate and understand what tech companies do with people’s data.

The findings:

● EU Member State DPAs claim a combined total of 293 tech specialists. This number does not include IT support staff.

● Only 5 EU Member States have more than 10 tech specialists, but more than half (15) have only 4 or fewer.

● The UK ICO (not in chart because of Brexit) is the largest single DPA, but only 13 people (1.7% of its full time staff) are in its “cyber” investigations team.

Tech specialists at EU data protection authorities
full time equivalents, rounded (vacancies are not counted, but are shown in darker colour)

DPA           | Other personnel | Tech specialist investigators
Germany (all) | 745#            | 99#
France        | 195             | 30
Spain         | 139             | 30
Ireland       | 155‡            | 28‡
Greece        | 34              | 12
Portugal      | 27              | 8
Italy         | 124             | 8
Lux.          | 47              | 7
Bulgaria      | 74              | 7
Denmark       | 53              | 6
Lithuania     | 33              | 5
Sweden        | 82              | 4
Croatia       | 29              | 4
Slovenia      | 44              | 4
Belgium       | 69              | 4
Hungary       | 102             | 4
Poland        | 268             | 4
Netherlands   | 170             | 3
Finland       | 39              | 2
Malta         | 13              | 2
Cyprus        | 16              | 2†
Estonia       | 16              | 2
Romania       | 27              | 2
Latvia        | 31              | 1†
Slovakia      | 44              | 1
Czech R.      | 106             | 1
Austria       | 46              | †

† Austria, Belgium, Cyprus, and Latvia rely on external consultants.
‡ Estimate based on DPA response.
# Bayern DPA failed to provide data and is not included.
Recommendations

1. The Irish Data Protection Commission (DPC) must be reformed and strengthened. The recommendations of the Justice Committee of the Irish Parliament and Senate² should be urgently implemented. In particular:
Methodology and end notes

Methodology:

2. This was charted to show the primary LSAs, and mapped using Eurostat/GISCO mapping data of the EEA, from which non-EEA members were then removed.

3. The number of draft and final decisions between May 2018 and May 2021 on cross-border cases for each LSA were obtained from the IMI using freedom of information requests.

4. The number of confirmed cases in May 2021 for which each DPA confirmed it is the LSA are available in the EDPB’s “Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities”, Aug. 2021, p. 9.

5. The backlog in DPA draft decisions in cross-border cases was calculated by subtracting the number of draft decisions delivered by each DPA (see point 3) to May 2021 from the number of cases it has as LSA (see point 4) in May 2021. The percentage was calculated as the number of draft decisions each DPA delivered as LSA as a percentage of that DPA’s cross-border cases.

6. Budget data for the Irish DPC and Spanish AEPD from 2000 to 2021 were found in both organisations’ annual reports and accounts over the period. Budgets and draft decisions delivered (point 3) for the Irish DPC and Spanish AEPD were charted.

7. Final cross-border decisions and the GDPR articles concerned in each case from 25 May 2018 to November 2020 were extracted from the EDPB public registry of final decisions, and for November 2020 to 21 July 2021 were determined by analysing every final decision submitted to the EDPB.

8. Decisions in cross-border cases were categorised by outcome: i. corrective action (covering compliance orders, administrative fines, and reprimands), ii. no corrective action, iii. dismissal or no infringement.

9. Outcomes in cross-border cases were charted by Member State concerned.

10. GDPR articles concerned in cross-border cases were charted. In addition, GDPR articles concerned were grouped and charted in four categories: data rights (articles 15-23), security (articles 25-36), transparency (articles 12-14), and lawfulness (articles 6-8).

11. Budgets for DPAs from 2016-2021 were provided by each DPA, or in their annual reports or EDPB publications (“Contribution to the evaluation of the GDPR”, Feb. 2020, pp. 28-9; and “Overview on resources…”, Aug. 2021, p. 4).

12. ICCL received information about the number of tech specialist staff and number of all personnel at each DPA from 26 EU Member State national DPAs and 15 Länder (German) DPAs. These figures were checked against other sources.

14. Tech specialist staff include policy, research, and certification roles focused on tech, but exclude technical support. This was charted to show the proportion of these personnel to other personnel in each DPA.

End notes:

1. “Telework in the EU before and after the COVID-19: where we were, where we head to”, European Commission Joint Research Centre, 2020, URL: https://ec.europa.eu/jrc/sites/default/files/jrc120945_policy_brief_-_covid_and_telework_final.pdf

2. “Report on meeting on 27th April 2021 on the topic of GDPR”, Joint Committee on Justice, Tithe an Oireachtas, July 2021, URL: https://data.oireachtas.ie/ie/oireachtas/committee/dail/33/joint_committee_on_justice/reports/2021/2021-07-22_report-on-meeting-on-27th-april-2021-on-the-topic-of-gdpr_en.pdf

3. “EDPB Document on Terms of Reference of the EDPB Support Pool of Experts”, EDPB, 15 December 2020, URL: https://edpb.europa.eu/sites/default/files/files/file1/edpb_document_supportpoolofexpertstor_en.pdf
Acknowledgements and caveats

Irish Council for Civil Liberties:

ICCL has been at the forefront of every major rights advance in Irish society for over 40 years. We helped legalise homosexuality, divorce, and contraception. We drove police reform, defending suspects' rights during dark times. ICCL is a membership organisation and is independent of government. More at ICCL.ie.

Acknowledgements:

Dr Johnny Ryan and Alan Toner produced this report.

We thank our colleagues at the EDPB and at DPAs across the European Economic Area, and at Noyb, for insight and data.

We also thank our colleagues at ICCL, particularly Sinead Nolan and Liam Herrick.

We thank Reset and Luminate for supporting ICCL’s work on data and digital rights.

The EEA map on page 4 was created using boundary data that is copyright of EuroGeographics.

The cover photograph is by Karolina Grabowska.

Caveats:

This report excludes DPAs that supervise public sector data processing: the Agència Catalana de Protección de Dades, the Agencia Vasca de Protección de Datos, Der Bayerische Landesbeauftragte für den Datenschutz, Žurnalistų etikos inspektoriaus tarnyba, and the European Data Protection Supervisor.

The IMI system relies on self reporting by DPAs, and LSAs may combine several referred complaints into a single case. There are discrepancies between different figures for the number of cases assigned to LSAs.

We rely on IMI “cases per LSA” figures for the number of LSA confirmed cases. While the IMI registry may include cases that are not Article 60 cases, it is lower than other figures reported by a DPA with access to IMI data on LSA case load.

We attempt to verify the number of tech specialist staff reported to us by DPAs, but cannot guarantee them. In cases of doubt, the resulting figure is a best estimate of the number of FTEs based on dialogue with the DPA.

The Bayern DPA declined to provide data and is not included.

Final cross-border decisions for Germany, the Netherlands, Spain, and Lithuania on page 7 may be undercounted, because national law may prevent some final decisions being registered.