Civil society organisations in Europe are playing a crucial role in enhancing the effectiveness of the European General Data Protection Regulation (GDPR) by using its enforcement provisions to challenge established practices of some of the biggest technology companies in the world.
The GDPR addresses some of the power imbalances between users and tech companies that operate globally. It has strengthened existing rules and given new powers to enforcement authorities. Companies and organizations are forced to be more transparent about how they collect and process personal data.
Even though the GDPR is a European regulation, it is relevant globally. First, because it applies to data collection about European citizens, it is recognized by many internet companies that dominate the global web. Second, countries around the world are watching to understand its strengths and weaknesses as they consider similar regulations.
One year since the law came into effect in May 2018, the efforts of filing complaints across Europe are beginning to bear fruit. By helping users go after companies that collect their data, digital rights organizations in Europe hope to improve how privacy regulations are being enforced to close the gap between legal protections and actual practice.
In January 2019, Google was fined €50 million (about $57 million USD) by the national Data Protection Authority (CNIL) in France following two complaints on “forced consent” by noyb – European Center for Digital Rights in Austria and La Quadrature du Net in France.
Is GDPR working?
A coalition of digital rights organizations in Europe has created the publication GDPR Today to collaboratively collect and publish statistics that help advocacy organizations across Europe understand how the GDPR is being applied and to raise awareness of EU rights.
There are inconsistencies in how different countries collect and provide data, but GDPR Today has compiled reports of data breaches and complaints from 10 out of 28 European Union countries in its March 2019 edition.
Between May 2018 and March 2019, there have been at least 71,237 complaints and 28,977 data breach notifications reported in those ten countries alone – all varying in nature. The Irish data protection authority reports that among the 1,928 GDPR complaints they received between May and December 2018, most fall under the categories of “Access Requests” (30%), closely followed by “Unfair Processing of Data” (15%) and “Disclosure” (11%).
An important right granted by the GDPR is that individuals can request a copy of the data collected about themselves in an unedited and intelligible form. This allows individuals and watchdog organizations to get a better sense of what personal data online services collect. noyb has tested whether and how popular streaming services comply with this requirement by requesting a copy of user data from a variety of companies. According to noyb, none were fully compliant. They filed ten different complaints against eight streaming services in January 2019. Other contributors to GDPR Today have similarly filed complaints to advocate for better enforcement of existing protections, including Panoptykon, Privacy International and Open Rights Group.
It’s clear that the GDPR will only be as effective as its enforcement, and civil society groups are playing a crucial role in ensuring that enforcement happens. That is an important lesson not only for Europe, but for privacy advocates around the world. As data protection authorities across Europe react to these complaints, we will see what effect GDPR ultimately has.