The Consequences of Privacy Regulatory Inaction: Some lessons from the EU for Australia

When the GDPR introduced hefty new fines and more streamlined enforcement, many privacy advocates expected a flurry of regulatory action. Although some significant fines have been levied in the nearly 4 years since the GDPR came into force, there has been concern around the delays and lack of enforcement by some EU regulators, particularly Ireland’s Data Protection Commissioner (DPC).

In this blog post, we look at some of the issues facing Ireland’s DPC, what the consequences of perceived failures to act have been and what that might mean for Australia.

EU privacy regulatory action so far

We’ve written previously about the increase in GDPR-related EU regulatory action in 2021, following a slow start. (See our previous blog post.) The increase in fines was mostly attributed to two record-breaking fines against Amazon and WhatsApp.

On July 16, 2021, the Luxembourg data protection supervisory authority levied a €746m fine against Amazon and requested a change in certain business practices relating to consumer data processing. This fine is by far the largest to date, with the previous record high being €50m against Google in 2019 for targeted advertising practices. The recent Amazon fine is almost fifteen times more than the 2019 record high penalty.

The Amazon fine stemmed from a 2018 complaint filed by a French privacy rights group that alleged that Amazon did not obtain proper consent for their advertising practices in breach of the GDPR’s data processing requirements.

On September 2, 2021, Ireland’s DPC levied a €225m fine against WhatsApp, which is four and a half times the €50m 2019 fine against Google. The DPC initially proposed a €50 million fine for WhatsApp, but a handful of other data protection authorities referred the matter to the European Data Protection Board asking for an increase (as part of the One-Stop-Shop mechanism discussed below). This decision was the result of a three-year investigation about whether WhatsApp provided enough detail to consumers in their privacy policies about their data processing practices. WhatsApp also intends to appeal this penalty.

In March 2022, the Irish DPC fined Meta Platforms (previously Facebook) €17m over a series of 12 data breaches from June to December 2018. While two European supervisory authorities raised objections, the DPC said, “consensus was achieved through further engagement.”

However, there has been an ever-increasing chorus of concern about regulatory failures to act, not just from privacy advocates but from other regulators.

Irish DPC in the spotlight

There has been much commentary on the DPC’s perceived enforcement failures. For example, it was reported in September 2021 that the DPC’s failure was adversely affecting the rest of the EU, which was held up from taking action on other complaints against Big Tech.

Because so many US big tech companies have their EU headquarters in Ireland, many of the complaints against them fall to be determined by the Irish DPC, as the Lead Supervisory Authority, which has placed a significant burden on the DPC. This burden has been further exacerbated by the consensus mechanism, which involves reaching agreement with other concerned supervisory authorities on the decision and penalty (referred to as the one-stop-shop mechanism, which was designed to ensure consistency in regulatory response across the EU).

The DPC has not been inactive.

However, the time and effort required to reach consensus on decisions involving multiple regulators as part of the One-Stop-Shop mechanism has been significant, and has perhaps fallen disproportionately on the DPC.

In December 2021, the DPC published its 2022-2027 regulatory strategy which included an “ambitious vision” for “five crucial years in the evolution of data protection law, regulation and culture.” The DPC notes its plan reflects “the wider context in which it regulates,” realizing the ongoing change with the sectors and technologies it oversees. The regulator also mentions its regulatory ambitions will require “new partnerships and new ways of engaging” as it seeks to ultimately reach “one overarching objective — to do more, for more.” (More here.)

Perhaps to help illustrate some of the challenges it has faced, in March 2022 the DPC published a statistical report covering its handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) mechanism.  This report suggests that some of the criticisms aimed at the DPC are ‘often based on information that is incomplete and lacking context.’

Statistics from the report covering DPC activity, for the period from 25 May 2018 (the introduction of the GDPR) to 31 December 2021 include:

  • 1,150 valid cross-border complaints have been received by the DPC; 969 (84%) as lead supervisory authority (LSA) and 181 (16%) as a concerned supervisory authority (CSA).
  • 65% of all cross-border complaints handled by the DPC as the LSA since May 2018 have been concluded, with 82% of those received in 2018 and 75% in 2019 now concluded.
  • Of the 634 concluded cross-border complaints handled by the DPC as the LSA, 544 (86%) were resolved through amicable resolution in the interests of the complainant.
  • 72 (22%) open cross-border complaints are linked to an inquiry and will be concluded on the finalisation of the inquiry.  A large number of the remaining open complaints from 2018 and 2019 are linked to an inquiry.
  • 86% of all cross-border complaints handled by the DPC as the LSA relate to just 10 data controllers.
  • 38% of complaints transferred by the DPC to other EU/EEA LSAs (excluding the UK) have been concluded.

However, it’s unlikely that these statistics will assuage the concerns of other regulators, in particular those in Germany, France, Spain and Italy, which have been critical of the DPC’s enforcement record to date.

As a sign that some EU regulators are likely to pursue increased enforcement and high penalties without waiting for the DPC, France’s CNIL kicked off 2022 announcing fines of €210m against Facebook and Google for breach of the ePrivacy Directive (which regulates cookies, amongst other things). The CNIL has jurisdiction under the ePrivacy Directive to take enforcement action against Facebook and Google although their Lead Supervisory Authority is the DPC (given their head office location in Ireland).

Other reactions to EU privacy regulatory inaction

Another important reaction to the perceived failure of action by regulators comes from privacy advocates and civil society, who have jumped into the enforcement vacuum to push certain issues.

The privacy world is well aware of the results of action taken by Max Schrems in regard to cross-border transfers, bringing down both the Safe Harbour and then the Privacy Shield as adequacy measures used for cross-border transfers between the EU and the US.

More recently, noyb (None of Your Business), the organisation created by Max Schrems, has had the validity of cookie consent banners in its sights. According to the noyb website, noyb intends to scan 10,000 websites in Europe, as part of a one-year project on “deceptive designs” and “dark patterns.” After sending a written warning and a “draft complaint” to more than 500 companies on May 31st 2021, 42% of all violations were remedied within 30 days. However, according to noyb 82% of all companies still violated the GDPR. noyb filed 422 complaints with ten data protection authorities in August 2021. In March 2022, noyb sent another 470 draft complaints to website operators whose banners don’t comply with the GDPR. (More here.)

In March 2022, Dr Johnny Ryan, from the Irish Council for Civil Liberties (ICCL) sued the DPC for its failure to protect people against privacy breaches related to Google’s “Real-Time Bidding” online advertising system (which shares personal data with other tracking companies as part of the real time bidding system supporting online targeted advertising).

According to the ICCL, the DPC received a complaint about Google’s RTB data breach 3 ½ years ago. The DPC confirmed that it has written a statement of issues as at 12 January 2022, but had not taken any further action. In March 2022, the ICCL was given leave by Ireland’s High Court to issue a lawsuit against the DPC for its failure to investigate or act on that complaint under the GDPR. (More here.)

What does this mean for Australia?

Privacy issues, particularly those involving big tech, are complex and time-consuming. Pursuing them is expensive and requires detailed understanding of complicated data processing methods. And the time and costs involved are raised even higher when big tech companies roll in their expert skilled teams to take on regulators.

If Australia expects to really take on big tech, it may need to completely overhaul and upgrade the existing regulatory enforcement mechanisms. The progress to date of the action taken against Facebook stemming from the Cambridge Analytica revelations is a great example of how costly and time-consuming pursuing remedies via the court process can be. 3 years after commencing proceedings, the OAIC has just won in the High Court over which Facebook parties can be joined and served as part of the proceedings. See our earlier blog post here. A final decision in the OAIC’s first attempt to penalise an organisation for breach of the Privacy Act seems to still be a long way in the future.

Unless the Australian OAIC receives significant additional funding and resources, to help it exercise its current powers plus any new powers that may be granted, the powers available to it are largely irrelevant. And unfortunately there seems little interest or opportunity for civil society and activist groups to step into the breach the way they have in the EU.  What would it take for that to change?