It has been one year since the EU General Data Protection Regulation came into force, and most of the commentary has focused on enforcement or compliance. And yes, privacy professionals are working hard to comply, and regulators worldwide are dealing with myriad complaints and investigations. But what about the complaints filed? What can we say when we look closely at those? For one: They vary significantly. Brave et al.’s sectoral complaint and NOYB’s class-action type procedure are two of the most prominent cases so far. They differ considerably in the mechanics of how the complaint is managed, but they share some common ground in terms of expectations.
In September 2018, privacy browser Brave submitted a formal GDPR complaint to the Irish Data Protection Commission about real-time bidding in the online advertising sector. Simultaneous complaints were filed with the U.K. Information Commissioner by the Open Rights Group and in Poland by the Panoptykon Foundation.
Since then, similar complaints have been submitted to the data protection authorities in Spain, the Netherlands, Belgium and Luxembourg. Johnny Ryan, chief policy and industry relations officer at Brave, told The Privacy Advisor, “So now we are at seven complainants, and it wouldn't surprise me if we got to a nice round figure of 28 — all EU member states.”
So how do these sectoral complaints differ from individual cases?
Ryan said the cases are based on alleged personal data leakage by the tech industry on a vast scale, and in ways that could have affected voters in the recent European Elections. "And we have not seen substantive action from the regulators,” explained Ryan, adding, “I think they have a responsibility to act.
“We approached this on the understanding that we would have to supply evidence. We have been supplying evidence continually over the last few months since September, and we will continue to supply evidence, and there will be more complaints in more jurisdictions in more member states. So our complaint is different to someone who has a particular complaint and doesn't necessarily understand what has happened and appeals to the regulator to find out what has happened,” Ryan continued. “In our case, we investigated the specifics and told the regulator what the specifics are, saying, 'now you have enough facts; will you please act?' We don't need quite as much hand-holding as someone else,” he said.
According to Ryan, anyone building technology for this industry would be reading the documents that Brave has submitted as evidence on a daily basis. The real question, he said, is how best to present them so that the regulator can quickly grasp them.
However, Ryan explained that despite the workload Brave has taken on, no new staff has been needed solely to deal with the complaint. “A qualified lawyer is not essential,” he said. “One needs to understand the principles of data protection and to understand the domain one is complaining about. We have worked in this industry. Some of us have blood on our hands. We need the regulators to step in and fix it.”
But he acknowledges that this sort of sectoral complaint is not typical: “Of course the average person or resident in Europe should not need to understand everything about a breach that has happened to them to be able to make a complaint about it. The investigators now really have to be the regulator. And it probably has to be something that involves multiple data protection authorities, because it's European wide.”
How long will it take?
“I don’t know, it could be half a year, it could be a couple of months. The main factor is when it will come before the European Data Protection Board. We are still waiting to hear from the U.K.’s [Information Commissioner's Office], although Jim Killock [of the Open Rights Group] filed the same day as [Brave filed with] the Irish DPC, with the same evidence, we are still waiting to hear from them. I don’t know why. It could be that the workload is a mitigating factor,” Ryan said.
Given that the EDPB reports that during the first year of the GDPR, a total of 446 cross-border cases were logged in its cross-border case register, and 205 of these cases have led to one-stop-shop procedures, the workload at the EDPB is almost certainly an issue.
Despite dealing with an entirely different sort of case, the infamous Max Schrems, founder of privacy nongovernmental organization NOYB, agrees. However, he is clear that there is a fundamental difference between the sort of sectoral case brought by Brave and those submitted by NOYB.
“I think the fundamental difference is theirs is basically a petition to the ICO saying that they should generally look into the sector, but they don't necessarily have an individual claimant. Ours are usually always based on an individual person who can actually argue that their rights were violated in a personal way. I think that is structurally a different approach from the NGOs telling the regulator to look into something,” Schrems told The Privacy Advisor.
But just because NOYB can represent a large group of complainants doesn’t mean it is a "class action," as understood by American colleagues, explained Schrems.
“Not at all. Firstly, there is basically no jurisdiction that has a class action as per the U.S. understanding in Europe. We do have different types of what we call collective redress, which means that you can group people. The big difference is that usually in Europe we have an opt-in basis. So individuals would have to join a group. You cannot have just one lawyer who walks up and says, 'I hereby represent all the customers of the U.S.,' which is the usual thing for a class action. Under Article 80, paragraph 2, there is the possibility for an NGO to bring a general abstract lawsuit, but that is basically an injunction against a company without directly representing someone that has suffered any harm from it. So not really a class action lawsuit, because you don't have an individual that really suffered something,” Schrems explained.
So why do users need NOYB? It seems to be a combination of difficulty for individuals in seeing a case through to completion and Schrems’ desire to get the ball rolling and set some precedents in law with big GDPR test cases.
“For individuals, it's really hard to really bring a case that's also successful in the end, especially against a big company, because usually they have 100 lawyers and come with arguments. Many of these arguments may not hold water, but you need someone who understands that, in order to be able to say so. The problem in the cases we've seen from individuals is that oftentimes they have a good gut feeling of what's wrong and are usually able to articulate that somehow, but then the other side comes back with a hundred counter-arguments. Those counter-arguments may not be very good, but depending on the country, some regulators have the approach of, 'If you do not argue against an argument, then the argument by the other party is automatically accepted.' So you need to have a rebuttal on it. And that is stuff that, if you don't know the law, is really hard to do,” he said.
“The other thing that is important probably to stress is it's not about just going to the [data protection authority], but especially if you win, then there's going to be an appeal situation. Usually, a company would appeal the decision of the regulator and then it becomes really pricey, first of all, but it also becomes very technical and complicated. In many jurisdictions, you need a lawyer to represent you in court; you cannot just walk into the court yourself. So that is a bit of a problem with the GDPR. Anybody can file for free, but if you win in the first instance, then you're usually stuck in the second instance, and that gets really pricey,” Schrems explained.
So what sort of cases does Schrems foresee in the future? “In terms of the sheer numbers, it's going to be individual cases. That's obvious. However, if you look at the ones that are probably going to have a bigger impact, it is probably the more structured, organized complaints.”
However, there is an overlap between Brave and NOYB in terms of looking at the bigger picture.
“What we tried to do is strategic litigation,” Schrems explained. “Not by the way of identifying one company for being terrible, but identifying a larger issue of all industry sectors and then picking up one model case to go through with it. Basically, we have two types of cases that we categorize internally. One is essentially what we call standard setting cases, where it's just about one legal question but no one really knows the answer to. And then the other cases are more like what we call enforcement cases, in the sense of everybody knows what the law is, but companies just ignore it.”
Because so much big tech has its European headquarters in Dublin, both Schrems’ original case and Brave’s complaint involve the Irish DPA. And it told The Privacy Advisor, “We currently have 54 statutory inquiries open. Thirty-five are non-cross-border statutory inquiries, and 19 are cross-border statutory inquiries into multinational technology companies.”
The breakdown of those 19 cross-border inquiries:
- 8 into Facebook.
- 3 into Twitter.
- 2 into WhatsApp.
- 2 into Apple.
- 1 into Google.
- 1 into Instagram.
- 1 into LinkedIn.
- 1 into Quantcast.
“Since May 25, 2018, the DPC has been contacted by the public 48,000 times, received 5,818 valid data breach notifications and more than 6,600 complaints. The most common types of complaints we receive relate to access rights, the unfair processing of data, and unauthorised disclosures. We also receive a significant number of complaints relating to multinational technology companies,” explained the DPC.
“The majority of breach notifications we receive relate to human error, i.e. unauthorised disclosure — such as an email/text/letter/correspondence sent to an incorrect recipient; disclosure through a customer online portal; a processing error; or a verbal error. In terms of how long a case takes and its cost, it is not something we can comment on as it can depend on a number of different factors and vary in each case,” added the Irish DPA.
“Legal regulations take shape by practice,” said Katarzyna Szymielewicz, head of the Panoptykon Foundation. “But the expectations [for GDPR] were higher. We wanted it to change the whole ecosystem, change the distribution of power over data. Are these hopes lost already? How many years should we wait before making definite judgments? I don’t have all these answers yet, not even for myself. One year is certainly not enough to judge the value of the reform that took six years to prepare and is here to stay for a couple of decades. But it is enough to show us where the obstacles are, or, if you like, what needs to be fixed if we want to see the GDPR develop to its full potential in the near future,” she continued.
“On paper, the GDPR makes it plain that cooperation between national DPAs is essential and creates many ways in which it can be facilitated. It is not up to lead authorities to decide whether they need to engage other DPAs. If a 'significant number of data subjects' from a certain country is 'likely to be substantially affected by processing operations,' a national supervisory authority has the right to participate in joint operations,” Szymielewicz explained.
So why the holdup with certain cases?
“On paper, it does look pretty straightforward. In real life, it will take a lot of red tape and insider maneuvering before these mechanisms are alive and functioning properly. We have heard about first proceedings that, apparently, are pending before the EDPB. We hear about the attempts of various DPAs to get involved in cases that affect citizens under their jurisdictions. However, not a single opinion on a matter of general application has been issued so far,” Szymielewicz said.
As for how he views the GDPR one year on, Ryan said, “Well, I wouldn’t have lodged the complaint under the old regime, because nothing would have happened. But the biggest thing that didn’t happen is early decisive action by the regulators."