If there was a takeaway from the IAPP Data Protection Intensive — Paris session, "The Regulators' View," it was surely this: The General Data Protection Regulation has created massive shifts in how data protection authorities in the EU must budget, staff, prioritize and operate.
At the event here in Paris Wednesday, Cathal Ryan, assistant commissioner at the Data Protection Commission in Ireland, said the most obvious change is the sheer workload. For example, now that the Article 29 Working Party has been dissolved and supplanted by the European Data Protection Board, there are simply a lot of discussions to be had, especially in these early days.
The EDPB plans to meet monthly, but for now, Ryan — who generally flies to Brussels about five times per year — will find himself in the governmental hub five times in February alone. But that's because there is guidance to issue for companies eagerly awaiting compliance roadmaps and important questions to iron out, like when is a complaint considered an issue best suited for a local regulator versus a lead supervisor? For example, before it had been fined $57 million by the French data protection authority, Google hadn't established its home base. After the fine, it declared its official address to be Ireland.
But besides all the meetings and EDPB collaborations, the regulators have been utterly inundated.
Michael Kaiser, data protection officer at the Hesse Data Protection Authority in Germany, said the DPA has been so inundated with complaints and breach notifications — up 1,200 percent since the GDPR went into effect — that it's like "everyone seems to think that under the GDPR, data processing is no longer lawful." He said the DPA essentially sorts the complaints and questions for guidance and puts them in two piles. If it must prioritize one over the other for reasons of time and resources, it must first address the complaints.
It's so dire, in fact, that Kaiser described his office as a submarine, sunk deep below the ocean of complaints and advisory requests. Now, he said, the office's main task is to "bring the submarine up to the surface. We have a submarine laying on the ground. We are not driving anymore. We have no one even snorkeling on the surface. We are completely on the ground. Now we need to go back to the surface."
Kaiser said, for example, if a data subject sends a complaint now, they'll get back a message that says the DPA received it and that they can expect to hear back within three months' time. And that's it.
For Ryan at the DPC in Ireland, it's a similar story, if slightly less dire. The DPC has been allocated a significant budget to staff up, especially considering the number of tech companies headquartered there. Nonetheless, the DPC had 2,795 breach reports come through its portal in 2017. Since the GDPR went into effect not even one year ago, the number of reported breaches is at 4,136.
"We're getting absolutely inundated with complaints and breaches," Ryan said. He added, as Kaiser alluded to earlier, that the mantra, "When in doubt, report it," might not be the best approach anymore. Companies may need to instead look a little more closely at whether the breach is a reportable one under the letter of the law. While it's admirable companies are aiming to be transparent and communicative with regulators, it's resulting in a bottleneck and straining resources globally.
Finally, Kaiser said a combination of excessive media attention and fear mongering by law firms has resulted in a misconception that German regulators are frothing at the mouth to fine companies over GDPR violations. In reality, Kaiser said, that's not true.
"It's completely overblown, the topic of privacy in Germany," he said. "Management's attention is focused on the GDPR, and law firms are doing their business and telling everyone we have really high penalties now. Everyone is scared about the penalties. But I've seen none currently. But it's good for DPOs; they're getting recognition in Germany."
In fact, Kaiser said, he doesn't even care much for the fining powers he has been granted under the GDPR.
"I don't feel I have more power than before. I simply ask for records of data processing activities and get you in a panic ... by sending you catalogs of questions for pending investigation," he said. "I don't need any penalties. With penalties, you can go to court, and [then that means] I need to go to court, and that's a very complicated process. I don't feel like having more power currently. I have the same power as before, and the power I have is enough."
For Ryan, there's plenty of work ahead. The DPC is aiming to be proactive in its regulatory priorities by, in part, meeting with some of the big tech companies it regulates to learn more about the technologies they are not only using now but aim to use in the future. But even more concerning than the uncertainty new tech brings is the uncertainty the new political order brings given the U.K.'s plan to leave the EU. What will that mean for DPAs' global collaboration?
At the EDPB, Ryan said, "There's almost a sense of bereavement" over it. There's an EDPB meeting in April, but it's unclear whether the U.K. Information Commissioner's Office will be there; a "hard Brexit" would forbid that. The ICO has about 700 staffers, and that's a resource the collective body of regulators will surely miss, if it comes to that.
For now, the world waits to find out.
Top photo: Cathal Ryan, Paul Jordan and Michael Kaiser