Europe’s General Data Protection Regulation (GDPR) privacy law suffers from “massive flaws” and endless infighting, according to one of the bloc’s top regulators.
GDPR — put in motion with great fanfare three years ago — promised multibillion-euro fines for global companies and faster action to solve 21st century problems. In reality, it’s sparked clashes between watchdogs and delays to probes, said Johannes Caspar, who’s about to step down as head of the Hamburg data protection commission after 12 years.
Tensions over GDPR have been welling up from the start. Overnight, the Irish Data Protection Commission was transformed into the leading EU supervisor for the Silicon Valley giants with regional hubs in the nation, such as Apple and Facebook. With 28 Irish probes into tech firms pending and no immediate decision in sight, the authority has faced a barrage of criticism accusing it of being too slow and too soft.
“The basic model of the procedure set up by GDPR has massive flaws and it just can’t work,” Caspar said. “You can’t accept this in the long term. The problem is what use are these laws to the people if they’re not being applied?”
The 59-year-old German, who returns to academia after 28 June, has earned a reputation as one of the EU’s toughest regulators. He first made his mark in 2010 with his criticism of Google’s Street View roll-out and more recently he slapped a local Hennes & Mauritz unit with a €35.3-million penalty for snooping on staff, a probe that was opened and shut in less than a year.
One of the faults in the GDPR system, he points out, is the way it gives regulators “lots of room for interpretation” of the rules. “At the end of the day, our energies are spent on infighting.”
A key feature of the law is the so-called one-stop-shop system, which puts the authority in the country where a company has its EU base in charge of that company. But this, too, has led to tensions. A dispute between Facebook and the Belgian watchdog over the watchdog's powers to enforce an order against the social media giant ended up in the EU’s top court, which ruled this month that other watchdogs can still weigh in on some cases.
Another complication is that probes into possible violations with an EU-wide effect can’t be concluded by the lead authority alone. Colleagues from across the bloc need to sign off on decisions.
Helen Dixon, Ireland’s data protection commissioner, was trapped in this process when she wanted to finalise her first Big Tech probe, concerning Twitter. She has called criticisms over delays by her agency “ludicrous”.
“The idea that 30 data protection authorities decide on cases through consensus and cooperation” means “we get lost in side issues”, Caspar said.
Leaving too much control in the hands of the lead authorities, such as deciding on when to open a probe and what the scope of the investigation should be without much room for input from others, creates tensions, he said.
“For me this is why such a system can’t work,” he said. “Authorities have to work fast and effectively to be able to give clearly deterring signs that certain behaviours are not okay. If that doesn’t happen, law and reality are at odds.” — Reported by Stephanie Bodoni, (c) 2021 Bloomberg LP