As GDPR Reaches 2nd Anniversary, Enforcement Resources an Issue
As the EU general data protection regulation nears its second anniversary May 25, privacy officials said this month the law is working well, but they need more resources. It's of "utmost importance" national governments fund data protection authorities (DPAs) effectively, European Data Protection Board Chair Andrea Jelinek said. Priorities for the third year include more intensive work on advanced technologies such as artificial intelligence and blockchain, plus guidance on the implications of COVID-19 for data protection, said EDPB's annual report, issued Monday.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The board's work plan is on track, Jelinek said. She believes there's more public awareness about data protection, sparked by the contact tracing apps being considered and rolled out to track the pandemic. "Slowly but steadily we're seeing results" from the one-stop-shop mechanism, she said, referring to one supervising authority taking the lead in cross-border cases to resolve complaints. But most DPAs "stated that resources made available to them are insufficient."
The need for resources depends on each DPA's ambitions, emailed K&L Gates (Paris) data protection lawyer Claude-Etienne Armingaud. "White whale chaser" DPAs go after a limited number of large, emblematic targets and/or impose major fines to "set resounding examples," while the "sardine boxers" prosecute more enterprises but for smaller amounts and limited profiles, he said. "It seems that all DPAs are active, each according to its means and with a common goal in mind: making it clear that no-one is exempt from potential fines."
The Future of Privacy Forum reported that national authorities and the board are focused on guidelines for consistent GDPR application, and on "high-impact areas" such as transparency and consent. Jelinek noted the board is trying to find a solution to practical issues raised by the patchwork of different national procedures for handling GDPR cases. FPF noted enforcement priorities including big tech, advertising and direct marketing, and telecom and media.
A key point "is the relative low number of staff with a technical background in enforcement positions," emailed FPF Managing Director-Europe Rob van Eijk. Having technologists in a DPA's organization able to investigate intricacies of new data tech is "crucial." But "finding these unicorns is hard," since ideally a DPA would like to employ people with a knack for technology and a good understanding of privacy, telecom or European law, he said. "You simply cannot write a legal analysis without a deep understanding of the issues at hand in an investigation."
Companies are widely trying to comply, which in itself is a success for the GDPR, Armingaud noted. "Compliance is a moving target" because additional processing operations may have been carried out or previous ones changed in areas in which initial compliance efforts weren't undertaken. Compliance also depends on how the regulatory framework and its interpretation evolve, he said. The major noncompliance issues Armingaud has seen "stem from over confidence by some clients -- either brushing off the consequences of non-compliance or assuming that compliance on paper is sufficient." The "corporate culture of data protection" that GDPR sought to introduce isn't there yet, and data protection is still "perceived as a niche issue."
"Let go of the 'Europe good, America bad' narrative on privacy," blogged American Enterprise Institute's Roslyn Layton. The pandemic has shown the value of personal data and "electrified the debate over a personal right of privacy versus the public's right to know."