Five years and almost 4 billion euros in fines into tougher privacy enforcement, the European Union is still wondering whether it is doing enough to protect personal data.
Social media giant Meta was the latest to face a big fine on Monday, when the Irish privacy regulator fined it a record €1.2 billion for privacy breaches under the European Union's General Data Protection Regulation (GDPR).
The blockbuster penalty strikes at the heart of the tech sector’s ability to transfer data across the Atlantic and orders the company to stop transferring Europeans’ data to the United States until Washington provides enough controls to protect that personal information.
For GDPR advocates, the Irish Data Protection Commission (DPC) fine is vindication that the EU’s most dreaded tech law has bite, not just bark.
The law, which took effect on May 25, 2018, has prompted companies – from Big Tech giants to hotel chains, mobile phone companies and family-owned businesses – to tighten privacy policies. Many have cleaned up the way they handle people’s personal data, spurred by the prospect of being fined up to 4% of their annual turnover.
“I think the DPC has really hit its stride now,” said Helen Dixon, Ireland’s data protection commissioner, whose agency oversees many of Silicon Valley’s biggest names because these companies are based in Ireland.
However, the decision also lays bare what almost everyone now admits: Europe’s efforts to set the West’s de facto privacy standard are seriously flawed, with watchdogs constantly squabbling over who has the final say on how Meta, Google, TikTok and other tech companies access European data. In a statement following the decision, the Irish regulator said it did not agree with the fine and the measure, but was forced by its European colleagues to impose them after the initial Dublin decision was challenged by four other privacy regulators.
Enforcement depends on the ability of regulators to enforce such fines. And this is where the privacy regime broke down.
Under the European privacy regime, companies are supervised by the national regulator of the country where they have their registered office in the EU. This means that Ireland and Luxembourg, whose low tax rates have attracted the European headquarters of many Big Tech companies, hold the lion’s share of enforcement powers. Ireland, in particular, relies heavily on the corporate tax revenues of a small number of tech giants.
“The GDPR has given authorities these broad powers for very serious enforcement, but in practice we don’t see the powers actually being used by authorities,” said Max Schrems, the Austrian privacy activist whose decade-long case against Facebook led to Monday’s record privacy fine.
If other European privacy regulators disagree with how these agencies apply the GDPR, there is a complex and opaque mechanism to reach a European consensus. After five years of infighting, some of the EU’s privacy authorities are now at open war with each other.
In internal discussions published on Monday, other European enforcers chastised Dublin for not being tough enough on Meta’s privacy breaches, forcing Ireland to impose a fine. French, German, Spanish and Austrian agencies have also criticized their Irish counterparts for failing to ask the social networking giant to delete all Europeans’ data shipped to the US via so-called standard contractual clauses.
Ireland, Big Tech island
The Irish decision refers to 2013 revelations by Edward Snowden, the contractor to the US National Security Agency, that American spies were illegally accessing people’s personal information via the country’s tech giants. Schrems filed lawsuits against Facebook for violating his privacy rights, setting off a decades-long lawsuit.
Dublin officially ruled on Monday that Meta can no longer use so-called standard contractual clauses, complex legal tools that allow companies to move EU data to the US, until Washington improves legal controls to protect Europeans’ data. The social media giant has appealed that ruling and has until October to comply with the order. Brussels and Washington are in final talks on a new separate transatlantic data pact that will provide an alternative legal framework for such EU-US transfers to continue.
Dublin’s hefty fine against the tech giant came only after other EU regulators forced the Irish to levy a massive penalty because these agencies felt the Irish hadn’t gone far enough to hold Meta to account. Ireland believed that the proposed remedies – preventing Meta from using standard contractual clauses to ship EU data to the US – were sufficient.
The decision against Meta masks a decades-long struggle that predates the GDPR and split the bloc’s privacy regime.
Earlier this year, Ireland’s privacy regulator took the European Data Protection Board (EDPB) — the pan-European body of privacy regulators that coordinates privacy decisions — to Europe’s highest court over claims that it overstepped its mandate by forcing Dublin to further investigate cases involving WhatsApp, Facebook and Instagram.
“It’s just a question of whether the Irish Data Protection Authority takes national economic interests into account and therefore isn’t strict enough in enforcing the rules,” said Patrick van Eecke, co-chair of the global cybersecurity, data protection and privacy practice at Cooley, a law firm.
Rewrite the rules
Faced with growing frustration that the GDPR has failed to curb the worst data protection abuses by Big Tech companies, the European Commission is preparing a new law this summer to improve cooperation in cross-border disputes over the law’s application.
Privacy campaigners hope the reforms can strengthen the GDPR and reduce the years of waiting for action on complaints. Yet the fiercest critics say that a model in which a few countries like Ireland and, to a lesser extent, Luxembourg, oversee most Big Tech companies, will still not change.
Industry observers also argue that Europe’s privacy regime has become a mere box-ticking exercise that hasn’t strengthened privacy protections because the focus has shifted to arcane legal procedure.
Deciding which agency would have the final say on enforcement decisions was one of the most sensitive issues during the negotiations on Europe’s new privacy regime, a political battle that led to a mess in which national regulators would have the last word, but with the binding contribution of others.
“The problem is that if the system has some sort of built-in limit, it’s like if you want to race a race in a Subaru and you need the speed of a Ferrari, you can push the pedal all the way down and tune the car to race as fast as possible, but there will be a limit beyond which it can go,” said Christopher Kuner, co-director of the Brussels Privacy Hub at the Vrije Universiteit Brussel.
But after five years as chairman of the European network of regulators, Austrian privacy chief Andrea Jelinek, who resigns as head of the pan-European body of privacy agencies that oversaw the disputes, has shelved those criticisms.
“If you’re an activist, it’s clear enough, it can never be enough,” she told POLITICO. “If you are a regulator like us, we have our duties, we have the law and we are here to defend the fundamental rights of citizens.”