Why the GDPR?

A law is only as good as its enforcement

Lawrence Kay
The Startup
May 28, 2020 · 12 min read


The European Union’s General Data Protection Regulation (GDPR) is often discussed as being the personal data collection and use regime to which the world should aspire. Apple’s Tim Cook has called for the United States federal government to adopt a similar law. India’s Data Protection Committee described the EU as being at the ‘vanguard’ of international data rules, while Consumers International put the GDPR as perhaps setting a new ‘gold standard.’ Regardless of whether the GDPR is such a standard, its influence has led Anu Bradford of Columbia Law School to argue in her new book, ‘The Brussels Effect’, that the GDPR is one frontier in the EU’s regulatory takeover of the globe; and in an article earlier this year, the Economist pointed out that 120 countries had adopted GDPR-type systems.

Photo by Frederick Tubiermont on Unsplash

But laws are imperfect, and only as good as their enforcement. Otto von Bismarck, who in 1871 became the first chancellor of Germany, once remarked that ‘If you like laws and sausages, you should never watch either one being made.’ Laws are the result of negotiation between legislators, influenced by lobbyists and public opinion, following some agenda-setting by voters. And if a rule is too hard to apply, it will remain on paper and not create the changes that legislators wanted. To know whether the GDPR is the world’s gold standard for data protection, we need to understand which legislative options EU legislators selected from the ones available — the way the sausage was made — the enforcement system they chose, and how its implementation affects the data protection standards that they were looking for— or, how the sausage gets eaten. If other places have more options or enforcement capacity, they might be able to make better rules.

Global principles

The international history of data protection legislation is nearly 60 years old, and the EU had a pool of principles to pick from when it wrote the GDPR. Article five of the legislation lists those for processing personal data, among them that data be accurate and can be corrected if they are not. The same principle appears in the work of Britain’s Younger Committee in 1972 and in the 1973 ‘Records, Computers and the Rights of Citizens’ report by an official US committee, both of which were tasked with considering the then emerging questions of data protection and are ably discussed in a research note by Robert Gellman, a Privacy and Information Policy Consultant. Sweden’s Data Act of 1973 — the world’s first data protection legislation — the Council of Europe’s Convention 108, the OECD’s Guidelines on the Protection of Privacy, and the EU’s 1995 Data Protection Directive all share the same principle, along with others such as use limitation. Professor Graham Greenleaf of the University of New South Wales, in his paper on the origins of data privacy laws around the world, believes that these reports, laws, and frameworks share ten principles. These are that data held by an organisation about a person be

  1. relevant and accurate;
  2. limited, lawful and fairly held with consent;
  3. collected with a purpose specified at the time of collection;
  4. collected with a notice given about the purpose of collection and the rights of the person that the data are about;
  5. used with the specified purposes;
  6. secured with reasonable safeguards;
  7. collected and used with practices that are open to observation, understanding, and scrutiny;
  8. accessible by individuals with a right of access;
  9. able to be corrected by individuals; and
  10. held by data controllers who are accountable for compliance.

Photo by Patrick Tomasso on Unsplash

According to the European Commission’s impact assessment in 2012 of the draft law that became the GDPR, the EU’s aims for data protection have been long-standing. Since the 1995 directive it has tried to ‘protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States’ but technological change meant that new rights were needed. Comparing chapter three of the GDPR — ‘Rights of the data subject’ — with the global list above, shows what the EU added:

Principles to enforcement

None of the rights in the GDPR imply, by themselves, a way in which they should be enforced. The right to data portability could be actualised through a government-designed system; or left to big digital companies like Apple, Facebook, Google, Microsoft, and Twitter, which have proposed the Data Transfer Project. Article 22 on automation using personal data gives a person the right to object if processing ‘significantly affects him or her’ — which could be interpreted strictly by data protection authorities, or loosely by courts.

Professor Greenleaf lists the basic GDPR enforcement options that were available to the EU. It could have gone for criminal offences, with penalties imposed by the courts; civil penalties for restitution; or administrative orders made by a public agency, prescribing how an organisation holding personal data should act, perhaps with financial penalties attached; and a right to civil actions, with data subjects bringing cases against holders of their data to the courts. The EU chose enforcement through public agencies. In the member states these are the data protection authorities, like the Office for Personal Data Protection in Czechia, which are independent from national governments and have the power to supervise, investigate, and enforce the GDPR locally, issuing administrative fines of up to EUR 20 million, or four percent of an organisation’s global turnover.

The European Data Protection Board in Brussels has ultimate responsibility for implementing the GDPR. As per its rules of procedure it does this through

  • a principle of cooperation, whereby it encourages consensus among data protection authorities;
  • a principle of proactivity ‘…to help [data protection authorities] overcome digital challenges to data protection’;
  • acting under Article 64 of the GDPR to issue opinions on data processing measures, codes of conduct, certification, transfers of data abroad, and binding corporate rules, being considered by the data protection authorities;
  • issuing final and binding decisions in any differences of interpretation between data protection authorities, whenever one is considered not capable of issuing a decision, or is thought to have not followed the legislation;
  • giving recommendations and guidelines about any aspect of personal data use in the EU, on its own initiative or at the request of the European Commission.

This is centralised consideration, interpretation, and ultimate enforcement of EU data protection law. The data protection authorities have been distanced from local influence and placed under the direction of the European Data Protection Board, particularly with regard to changes — such as those that will arise with new data processing techniques available through machine learning — that pertain to frontier technology.

Centralising force

The EU chose direction from the centre because its data protection laws have long been unequally applied across the member states, and it did not believe that national authorities would properly implement the GDPR. The preamble to the Data Protection Directive complains about the divergence between domestic laws across the EU, and how this was impeding the flow of data. The same complaint is then made about the directive in the impact assessment for the GDPR, with the European Commission arguing that it had been written too broadly. In making the case for what became the GDPR, the commission argued that the ambiguity in the directive meant that transfers of personal data outside the EU were done differently, meaning that EU citizens did not have equal rights over data about them.

Photo by Christian Lue on Unsplash

The EU will have been worried about the capacity of legal systems in some member states to enforce the GDPR. The Rule of Law Index assesses legal system quality in 128 countries, and finds that some of the biggest in the EU have scores no better than a raft of developing countries. Italy, for example, gets a score of 0.66, which is below the 0.68 of Costa Rica and only a bit above Rwanda’s 0.62; Hungary’s 0.53 is about the level of Sri Lanka’s 0.52 and Ukraine’s 0.51. And that is before consideration of countries that might join the EU, like Albania and North Macedonia.

Some of the GDPR’s centralising drive could also be explained by different tastes towards personal data protection across EU countries. In 2015, Eurobarometer conducted an extensive survey of the attitudes of EU citizens towards data about them. Many of the questions revealed big differences across the member states. Half of the respondents in Denmark thought that providing personal information was not a big issue, while in France and Portugal only around a quarter did; in Estonia, 45 percent were worried about the use of their personal data for reasons other than originally specified, but 83 percent in Ireland were. Opinions about implementation differed, too: only 25 percent of Latvians wanted the same rights across the EU, compared to 71 percent of Maltese; and the union was almost evenly split between those who wanted rights enforced at the national or supranational levels.

Centralising consequences

Lowering national interpretation and coordinating enforcement standards from Brussels could raise data protection standards in some of the weakest member states of the EU. It is easy to imagine that cooperation between the data protection authorities will lead to gradual improvements in capacity, and perhaps that a cadre of able officials will be seconded across them. At the moment it is not clear whether some countries are pursuing cases that are locally important, or only simple enough for them to address, but consistent patterns could emerge. For example, according to the GDPR Enforcement Tracker, France has issued a small number of large fines — EUR 51 million across five penalties — while Spain has issued 80 for a total of EUR 2.5 million.

Photo by Nick Wessaert on Unsplash

On the other hand, reducing national interpretation in enforcement will make EU countries less able to respond to technological change that uses personal data. Modern economies are at the beginning of understanding how to best use information about individuals in the development of products and services, and their grasp of the issues will change as technology does. In a blog on regulation and combinatorial innovation for the Open Data Institute, I explained how the nature of combining data in new products in infinitely new ways leads to an unstable environment for regulators to manage, and that they can allow change to be ‘permissionless’ or use ‘anticipatory regulation’ for balanced judgements. That is much easier to do when a regulator can engage locally-based technology companies, adapting rules as issues arise and balancing privacy risks against product development that will benefit citizens. But that is harder to do in the GDPR enforcement regime, as the whole point of it is to reduce ad-hoc national interpretation that undermines union standards. At the very least, allowing data protection authorities to debate changes, and then having the European Data Protection Board decide, will take more time.

But Chris Jay Hoofnagle — a law professor at the University of California, Berkeley — and the other authors of ‘The European Union general data protection regulation: what it is and what it means’ believe that it is wrong to think of EU regulatory authorities, such as those for the GDPR, as imposing strict rules. Instead, they argue, unlike in the United States and countries like it, regulators in mainland Europe are comfortable with ongoing discussion between companies and enforcers, and such discussions infrequently lead to big fines for small misdemeanours. But this underestimates the data protection harmonisation through the GDPR to which the EU has committed itself, a process which will require the data protection authorities in some member states to behave in ways that local companies are not used to.

The EU’s fear of low enforcement capacity is also behind the adequacy assessments that it places on foreign countries receiving personal data from member states. It could have banned all foreign transfers of personal data from member states with weak protections, but that would have seemed discriminatory. It could also have waited for the data protection authorities to develop their skills in assessing such transfers, but that would have taken too much time and might have risked mistakes that undermined public trust in the new regime. The EU was instead left with putting heavy restrictions on external flows of personal data because that was the easiest way to achieve internal harmonisation. The European Commission’s adequacy assessments of other countries are a block to low capacity member states allowing personal data to flow inappropriately out of the union.

What would the Irish do?

The enforcement constraints faced by EU legislators, and the centrally directed harmonisation process that they have chosen, are often overlooked in consideration of the GDPR. Yes, it might give more power to individuals over their data and become a new data governance regime, but these ambitions are only as good as what the GDPR can effect. And places which do not face the problem of having to drive enforcement across 27 countries with wildly different legal system capacity might be able to achieve more in the face of technological change.

Photo by Robert Anasch on Unsplash

There will be governments that take guidance from the GDPR, but will not copy it in the way that discussion of it being a ‘global standard’ would suggest. Australia, for example, is ranked higher on the Rule of Law Index than all but eight of the EU’s 27 member states, and shows little sign of even trying to get GDPR adequacy. The United States, which is 21st on the index, has constitutional forces that will push against federal uniformity, but it also benefits from legal capacity across its states that is unlikely to vary as much as that between the best and worst legal systems in the EU. Such enforcement capacity could give both countries and others like them the ability to test, say, rights to data portability and being forgotten, in an implementation regime that allows regulators discretion towards some sectors and technology, imposing strong enforcement on others.

The EU could have similar flexibility by increasing GDPR enforcement capacity across its member states. Helping the least able data protection authorities to better assess personal data use in difficult cases might lower the number of objections they get from their peers in other countries, at least reducing the time taken to make decisions. But even that will take a while, because even though the data protection authorities are independent from national governments, those governments still have to issue funding. In 2019, Ireland’s Data Protection Commission asked for a 40 percent increase in its budget to deal with a backlog of cases and hire staff that could tackle big digital companies on its territory, like Apple and Google, but instead got 11 percent. And the Irish commission is now being accused by Johannes Caspar, the Data Protection Commissioner in the German city of Hamburg, of not being able to conduct cases and issue fines, thereby undermining confidence in the GDPR and the fair and competitive digital markets that it was meant to achieve. In May 2020, Max Schrems, an influential privacy campaigner from Austria, blasted the Irish investigations into Facebook, Instagram and WhatsApp, arguing that ‘the GDPR is only as strong as its weakest [data protection authority]’, that the Irish one has been too close to Facebook in a decision about the company and has failed to account for law in other member states, and that the cooperation mechanism between national authorities has broken down.

The complaints about Irish enforcement of the GDPR sound feisty, but are exactly what its enforcement system would produce. The Irish are under pressure because the national government wants to keep Facebook in the country, and other data protection authorities want them to take other member states’ views more into account. As Max Schrems’ letter makes clear, the Facebook decision has already taken years, but the process has only just begun. In the end, regardless of the merits of the case one way or the other, the GDPR enforces from the centre and the Irish will have to back down in the face of arguments about what is best for the EU as a whole.

Many of the world’s most advanced economies have strong legal systems, and will not need to be restricted by the harmonisation process that the GDPR is imposing on Ireland. They might take some principles from the legislation, but will not treat it as the gold standard. The unknowns and potential gains of frontier technology like machine learning are too big, and they will approach the dilemma through regulatory enforcement that achieves strong personal data rights, but is sensitive to the complexity of the questions at hand. In the end, enforcement is what matters.
