Concerns that the EU General Data Protection Regulation "isn't working" based on the fact there hasn't been a bevy of massive fines are ill informed. After all, we're only 18 months into a massive revolution to the regulatory landscape that took years to shape. That was the message from data protection authorities on the keynote stage at the IAPP's Data Protection Congress in Brussels, Belgium, Wednesday morning.
Of course, the DPAs themselves have heard the criticisms in the media and elsewhere. But, as CNIL President Marie-Laure Denis noted, fines aren't the only way progress is evidenced. There's a lot happening behind the scenes.
"Sanctions are the ultimate measure we take in case of noncompliance," she said, but they're not an objective in themselves. Of course, there will be sanctions, but there's also a "huge amount of work that is not visible yet."
Ireland's Data Protection Commissioner Helen Dixon, who has faced criticism over the fact that her office hasn't issued fines yet, said it's "early days" into the GDPR and that, on the contrary to "doomsday conclusions" that the GDPR isn't working, "there's evidence significant progress is being made."
In Ireland alone, there have been 1,600 newly minted data protection officers appointed across public sector, small- and medium-sized organizations, and major tech companies, and "over time, those individuals with expertise embedded within organizations are going to start making a big difference."
In addition, the Irish DPC alone has amicably resolved 6,000 complaints from individuals this year. "So that's a lot of work; it's a lot of access requests, erasure requests. But it's also all evidence of mobilization of the public behind the GDPR and at least an interest in trying to exercise rights and vindicate rights."
Dixon certainly isn't unaware of the criticism being levied against her.
"I have heard this commentary that it’s too slow," she said. "But I think if you understand even a little bit about what’s involved in investigating in a case where the sanctions can be considerable, very high fines potentially, bans on processing, potentially, that can affect businesses and the viability of a business, you're going to have to follow a due process and take it step by step."
Otherwise complicating matters is the fact that "what were doing is without precedent, not just in terms of the subject matter we're investigating, but also in terms of that one-stop-shop process at the end."
She understands that "companies are naturally nervous and entitled to information about how [enforcement] is going to work," but added, "it will happen. The decisions will start to roll out soon. I think we're exactly where we expected to be at this point."
Asked to give a rough estimation on when the first enforcement actions might be released, Dixon said she learned doing so is a lost cause. Her office's policy now is simply to keep the public informed on where the regulator is at with its work.
German Federal Commissioner for Data Protection and Freedom of Information Ulrich Kelber said like Dixon, he receives criticism about his office's lack of fines to date, but he said it is wrong to look at that and decide the GDPR hasn't been effective, citing both a stronger understanding of data protection issues across the EU, as well as the strengthening of the European Data Protection Board.
While "where are the fines?" has been a relatively dominant theme in conversations among privacy professionals, there has also been talk about the increasingly interconnected regulatory landscapes surrounding data protection and competition law. Recently, U.S. lawmakers have held hearings to examine whether antitrust law should be used to regulate in the data protection space — the theory being the company that owns the most user data owns the market share. And in Germany, the competition authority, Bundeskartellamt, recently prohibited Facebook from combining data from different sources and assigning it to users' Facebook accounts.
Is this a trend we're going to continue to see, asked moderator Gabriela Zanfir-Fortuna, senior policy counsel at the Future of Privacy Forum?
Kelber said his agency did collaborate with the competition authority in the Facebook case; however, "not every data protection case is a case for the anti-trust authority," he added.
"But in the moment when market power brings people into consent or without consent, seeing that their data has been collected at sources they will never have expected it to be collected — using some source code — then it's not only a question of data protection, but also antitrust work," he said.
Denis agreed that collaboration between her agency and competition authorities could exist in the future and said there is communication now between the French competition authority and the CNIL given that both want to address the emergency of digital platforms whose business models are based on data collection, "with significant market impacts and impacts on society." But, like Kelber, she noted the procedural law of competition authorities is different from that of DPAs, so it's not a seamless collaboration.
"It's important to maintain a delineation between the two regulatory frameworks because the underlining principles are clearly distinct," Denis said. "Competition law aims at regulating market conditions, whereas data protection law relies on the protection of a fundamental right."
The commissioners noted that inside the EDPB, once the new European Commission takes office, the plan is to have an exchange on the interplay between competition and data protection.
Besides all that comes with enforcing the GDPR, the DPAs on stage said their primary concerns for the immediate future include artificial intelligence, personalized health genomics and the privatization of health data processing, among others.
"And I think connected cars can't be that far away at this stage, too," Dixon said. "I think that's going to catapult us into real-life examples that we can all touch and feel to do with AI and every facet of data protection."
Denis noted facial recognition is "one of the hot issues" at the CNIL, evidence by its report on the topic last week highlighting the technical, ethical and societal risks associated with it.
"It's very important to have a debate," she said. "For example, in the last couple of weeks, we were warned about experimentation by local authorities in France. We want to grow some boundaries on the role of technologies to determine when facial recognition is really necessary and with what guarantees for citizens, because the subject is complex and deserves a lucid and real debate to keep grip on the model of society we want."
But enough about future priorities. There are some basics to sort out first.
Dixon noted that for the time, "the issues still center on identifying the controller versus the processor: 'Is it personal data, does it meet the definition?' It is fascinating and frightening to start talking about what the next big challenges are, because we're still on first principles in terms of the legal framework."
Photo by Paul Clarke