On 16 and 17 June, Trilateral Research was pleased to attend and present at the 2022 EDPS Conference on “Effective Enforcement in the Digital Age”. The conference was attended by leading academics, activists, practitioners, regulators and policy-makers, and featured several high-level keynote speeches by individuals like Max Schrems (NOYB), Wojciech Wiewiórowski (EDPS) and Shoshana Zuboff (Harvard Business School). The European Commission, the European Parliament and the EDPS were heavily represented, and the programme included presentations by several EU and non-EU Supervisory Authorities (SAs), including Norway, Switzerland, the UK, and Ghana. As the conference was focused on enforcement, a key theme throughout the event was the challenges to effectively regulating “big tech”. However, a few themes emerged more broadly around how enforcement should be improved within and between SAs across the EU.
In a panel entitled “Anticipating risks – how foresight can support data protection?” Trilateral’s Dr David Barnard-Wills, alongside colleagues from Google, the UK Information Commissioner’s Office and the Latvian SA, discussed how existing tools like risk assessments can be used – alongside other foresight strategies – to collectively and collaboratively anticipate risks and provide proactive guidance for innovators and practitioners. David particularly noted how valuable Trilateral’s foresight activities with SAs have been to date and how DPIAs bring demonstrable results to organisations. The ICO described their well-respected regulatory sandbox initiative, but noted that this type of collaborative activity raises disclosure challenges for organisations. Google also discussed the value of their interactions with SAs and the ways in which collaborative discussions can shape tool design and tool development.
The importance of the national perspective
Most speakers took the opportunity to celebrate the success of the GDPR as a pan-European harmonisation tool, while also highlighting the importance of national authorities. According to EDPS statistics, 95% of enforcement actions are local and 99% are national. Furthermore, people expect to be able to speak to someone in their country, in their own language, about complaints, questions and other issues. As such, the embedding of the regulatory function within Member States (and individual third countries like the UK) remains an important part of the success of the current GDPR framework. Furthermore, the one-stop-shop mechanism provides a structure to enable Supervisory Authorities to cooperate, build efficiency and avoid duplication.
The procedural law bottlenecks
Many SAs and the European Commission’s representatives indicated that misalignments in national civil procedure and administrative laws currently represent relevant barriers to harmonious enforcement. For example, under German law, only individuals, and not organisations, can be fined, and the GDPR rules must be enforced through the general principles of EU law. Max Schrems also raised the cost of pursuing court cases in different jurisdictions as a barrier, with it costing only €30 to raise a case in Austria while in Ireland it can be in excess of €100,000. According to him, this cost barrier makes it difficult for anyone but the most heavily resourced organisations to effectively exercise individual data protection rights. Nevertheless, the lack of resources and of sufficient independence of SAs was recognised by many speakers as the most relevant obstacle to enforcement at the national level.
The role of the public sector
The special role of the public sector was recognised by a number of speakers and activists. A few speakers mentioned the Dutch scandal around the use of profiling for enabling access to social benefits. The police use of personal data, including linking public databases, was another central theme in the conversations. In response, a speaker from the EDPS linked law enforcement, public services and enforcement by recognising that it was “as important to supervise the public sector as it is to supervise the private sector” given the ways in which the experience of law enforcement or access to social services may be impacted by a lack of enforcement. Some participants, in turn, called for more comparative research on enforcement actions targeted towards the public and private sectors.
Data protection complaints
Examining enforcement as a result of complaints also revealed a number of challenges. As above, differences exist in how complaints are received in different countries and how individual Supervisory Authorities conduct investigations and evaluations of those complaints. This is particularly significant given that the introduction of the GDPR has tripled the number of complaints that some SAs (i.e., CNIL) have received each year. Marie-Laure Denis, President of CNIL, also reported research findings that men, executives and people with a Master’s degree were over-represented as complainants to CNIL, suggesting that more needs to be done to ensure that the ability to complain is better distributed across demographics.
While “big tech” is the focus of many of the enforcement discussions at an EU level, it is clear that effective oversight of the public sector is a key priority for national and EU-level Supervisory Authorities.
Trilateral Research will continue to work with our colleagues across the Data Protection landscape to monitor regulatory developments, including new legislative frameworks governing Digital Services, AI and Digital Markets, and provide proactive analysis of these as they develop. Contact us for more information on how you can improve your alignment with data protection, cybersecurity or data governance frameworks.