Failure to enforce the rules against big companies has undermined GDPR | Pau Barrena/AFP via Getty Images

Hamburg privacy boss calls for overhaul of EU privacy rules

Johannes Caspar said the failure of EU agencies to cooperate had undermined GDPR.

Europe's landmark privacy rules must be overhauled to ensure proper enforcement and protection of people's rights, Johannes Caspar, a leading German regulator, said ahead of the law's two-year anniversary.

Failure to enforce the rules against big companies and a lack of cooperation between regulators have fundamentally undermined the General Data Protection Regulation (GDPR), the head of Hamburg's data protection authority told POLITICO.

"I'm completely critical of the enforcement structure of the GDPR," said Caspar, whose office is in charge of overseeing the German activities of several Silicon Valley firms. "The whole system doesn't work."

His comments come as the bloc's privacy enforcers have yet to agree on almost any penalties against large firms for potential abuse. The law passed in May of 2018 allows for penalties amounting to as much as 4 percent of a firm's annual revenues in the event of a breach and has become a template for countries around the world, yet so far no blockbuster fines have been announced.

On Friday, Ireland's privacy watchdog, in charge of overseeing firms like Google, Facebook, Twitter and Apple, said it had finished an investigation into Twitter, its first major move against a Big Tech company under Europe's new privacy standards.

The draft decision, details of which were not disclosed, will now be circulated among other European privacy regulators for approval, with a final decision in that case expected late next month. Dublin also said it was close to finishing a separate privacy investigation into WhatsApp, the internet messenger owned by Facebook.

The Twitter decision is unlikely to quell disagreements between Europe's community of 27 privacy regulators over enforcement against multinationals in technology, banking or other industries. Caspar has been one of the bloc's most outspoken critics of the current system, under which Ireland's watchdog is a key player due to the fact that many Silicon Valley firms are based in the country.

So far, France's data protection agency issued a €50 million fine against Google in early 2019, which the search giant is appealing. The United Kingdom's regulator also said it would slap British Airways and Marriott International, the hotel chain, with a collective £282 million fine, though the ruling has been mired in legal uncertainty.

Bottomless pit

Caspar said EU agencies must be allowed to work with each other on international cases to avoid delays that can undermine people's rights.

Under the current system, only the watchdog in the country where the company is legally established has the authority to investigate potential abuses. Other regulators are allowed to weigh in via cooperation mechanisms and must approve the final penalty.

"Time is a core issue in our digital world," Caspar said. "Every month that goes by, another [international] case goes into the case register. We're postponing them until they are forgotten."

Despite his calls for change, Commission officials already have confirmed they will not change the enforcement procedures for Europe's tough data protection standards as part of an upcoming two-year review.

Officials in Brussels and in EU data protection agencies acknowledge the current regulatory system has not been fully effective in enforcing people's privacy rights. But they add that the rules have forced many companies to change their behavior.

Caspar told POLITICO the failure to move ahead with high-profile cases against many of Silicon Valley's largest names was having a knock-on effect on both rivals' ability to compete and people's trust in officials' willingness to uphold their privacy rights.

Ireland currently has more than 20 ongoing investigations into the likes of Facebook, Twitter and Google, but has yet to issue any fines or legally-binding changes to how those companies handle individuals' data.

The German regulator said the Irish regulator was not to blame for these delays. But he added that his office was reticent to investigate smaller, local companies like Xing, the German social network, when LinkedIn, its largest American rival owned by Microsoft, had yet to be sanctioned in an ongoing case filed with the Irish authority.

"A lot of companies tell us that there's no fair competition in the market because of the differences in how Europe's privacy rules are enforced between countries," he said.

"We have to cooperate in the structure of enforcement," Caspar added. "We have to be disappointed because the main mechanism for safeguarding rights is the deterring effect of the law."