Do We Want a Perfect Enforcement of the GDPR? An Overview of What's at Stake
"Isn't having customers' trust a cornerstone to good business? Isn't that intangible relationship with customers: loyalty, trust, repeat customers, something most companies want?"
As of 25 May 2018 and after a grace period of almost two years, the General Data Protection Regulation (hereinafter 'GDPR') entered into force. This new EU-regulation provides for new rights for individuals whose data are being processed - so-called 'data subjects'. Data subjects are identified or identifiable natural persons, which means that they consist, for most businesses, of customers they collect and process data from. In GDPR-terminology, these companies therefore are 'data controllers', as they determine the purposes and means of the processing of personal data. A broad and complete set of new obligations arose for data controllers with the arrival of the GDPR, like the obligation of information or the implementation of strict data protection programs in order to run new mandatory procedures such as data protection impact assessments or notification of data breaches to competent authorities. To verify and control the compliance of data controllers to the GDPR, Data Protection Authorities (hereinafter 'DPA') have the power to proceed to audits.
The - unofficial - extended grace period seems to have come to an end. Indeed, some heavy fines imposed by DPA during 2020 have made the news, leaving most data controllers in fear. The fines were supposed to serve as an example, and so the companies at fault are major firms such as Google, H&M, and British Airways. These examples show that GDPR compliance is now a necessity, and that sanctions for non-compliance have become reality.
Nevertheless, big players among tech-companies can afford implementing a strong compliance program without fear of being put at risk financially. This is not the case for most digital players - being start-ups, relying on very strict financial plans. Therefore, it is questionable whether a perfectly enforced GDPR is a burden for the data economy and whether it can grind it to a halt. Also, is such enforcement desirable?
We will tackle these questions by highlighting how a perfectly enforced GDPR can be challenging for data-driven businesses (I) and showcasing that the GDPR, since its entry into force, already triggered surprising consequences (II). Finally, the question of the desirability will be assessed (III).
GDPR-Compliance: New Challenges To Digital Businesses
In order to be compliant to the GDPR, companies need to deploy new additional budgets that they probably did not plan while launching their business. For instance, additional staff needs to be hired for the function of data protection officer. Also, medium/small-sized businesses are based on thin businesses and non-extensive staff. The GDPR can be a real threat to their financial strategy, because of the extra costs implied by compliance.
The problem for data controllers is not only that the compliance to the GDPR requires investments. The compliance in itself is a challenge in many ways, and the fact that DPA now seem to start aggressively fining lead data controllers to adopt a risk-based approach to their compliance. Since the GDPR provides for many new obligations (accountability principle, record of processing activities, etc.), data controllers have to choose between sticking to their business and sticking to compliance requirements (which implies renegotiating data processing agreements and restructuring cross-border data transfers), or updating their businesses by proceeding to low-risk processing activities in order to face a reduced compliance burden. Either way, it means more costs (in compliance strategies or in business transformation), or less turnover - because they cannot enjoy the full financial value provided by data.
Data is valuable. If users can have access to free internet or personalised advertising, it is because data controllers are collecting and processing personal data in order to provide such services. Companies like Google and Facebook can provide their use freely, because they make money by analyzing the data they receive from users. Rather than the platforms they offer, the users are the actual product that is being sold to advertisers. The GDPR has an influence on this model, insofar that it obliges the companies to ask explicit and well-informed consent of their users as to whether they would like to be a product being sold. If an obstacle comes to this free flow of personal information, this model could be in danger and, therefore, the digital revolution too. YouTube is an example showcasing the difficulties to switch from a free service to a paid one, as the company is struggling and put itself in danger by changing its business model.
Start-ups and small/medium-sized companies are less prepared than bigger firms. Since data is valuable, it is necessary to access it. Pre-existing businesses already have access to this data, and have a customer base which trust them - and are willing to freely share their personal data. New starters need to gain this customer base, which is difficult because they will need to make extra effort on privacy in order to gain trust - an effort that established enterprises do not need to provide.
At last, GDPR is an obstacle to the big data economy in many ways. Indeed, the requirement to collect consent prior collecting and processing is required to be for a specific purpose. But this contradicts the essence of big data, which lies in the aggregation of personal data and its processing in the context of methods and usage patterns which were not imagined by the time of the collecting of the data.
In this sense, GDPR compliance is difficult to achieve, thus a perfectly enforced GDPR would be a real danger to most data-driven businesses - besides being a source of inequities between small and big businesses.
Unforeseeable GDPR: Unexpected Consequences of Its Enforcement
Other than what the French case against Google suggests, DPA face some serious difficulties living up to the GDPR. Brave conducted a research and concluded that "European governments are failing the GDPR", because they are not enforcing it. DPA have so far been reluctant to issue fines for violation of the GDPR since the end of the 'grace period' on 25 May 2018, totalling up to 429.
The reason behind this reluctancy would be a lack of funds provided by national governments to their DPA, logically resulting in consistent understaffing and thus the practical incapacity to enforce. One could argue that most data controllers might be simply compliant to the GDPR and DPA, therefore, do not get to issue many fines. This is not the case. In September 2019 (sixteen months after the ending of the - unofficial - grace period) only 28% of data controllers believed that they were compliant. Conclusively, the fact that DPA do not enforce does not follow from the lack of violations, but merely their own incapacity.
Since DPA cannot afford competitive salaries, (most of the) qualified professionals rather choose to work for big tech companies. For instance, right after the entry into force of the GDPR, Facebook had twenty-nine 'Privacy Experts' in service. To put that into perspective: only Spain and Germany have more qualified employees at the moment, but throughout the entire country. In the case of Germany that can be explained by the federal structure of the State.
Furthermore, national authorities could have an economical interest in having these companies in their countries, and therefore refrain from issuing too many fines, like Facebook in Ireland after the 'Schrems II' decision. The European Court of Justice of the EU ruled that data transfers from the EU to the US (relying on the so-called 'Privacy Shield') are not allowed, since the US do not provide sufficient data protection standards. Upon this statement, Facebook threatened to abandon Europe if it was enforced by the Irish Data Protection Commission. Cases like these provide an incentive for national authorities to keep underfunding their DPA, as to make sure that in this case Facebook does not leave Ireland.
Finally, Brexit might impose some extra difficulty on the enforcement of the GDPR. Indeed, as the UK has left the EU, it is unclear what rules will apply to data controllers who are settled there or proceeding to cross-border transfers between both areas.
A solution for this problem could be an infringement procedure on the initiative of the European Commission on the basis of Article 258 of the TFEU and further against national authorities that refuse to enforce EU law by funding their DPA.
Desirability of GDPR Enforcement
It remains uncertain whether it is desirable to perfectly enforce the GDPR. The current status is that mostly small to middle-sized companies find it difficult to comply. Brexit might be a difficulty to overcome in this context, since it is unclear what rules will apply to EU-UK data transfers after the transition period of Brexit has ended. Furthermore, one could ask whether it makes sense to issue fines now for rules that might not be applied anymore in a few months. The GDPR in its current form seems too general and controversial, thus it cannot be expected that all data controllers are able to comply with it.
Conclusively, the GDPR is not easily enforceable since DPA do not have the means to enforce it. National authorities did not and still do not invest enough to attract qualified staff, whereas big technological companies do have the means to do that. On the other end, it is also not desirable to fully enforce the GDPR in its current form, since it is quite impossible to achieve full compliance. A debate on a possible reform of the GDPR should therefore be started, rather than trying to enforce it at all costs.
Additional literature:
Lilkov, Dimitar. "The Impact of GDPR on Users and Businesses: The Good, the Bad and the Uncertain", Wilfried Martens Centre for European Studies, 2018.
Rhodes, Larissa (producer), Orlowski, Jeff (director) (2020), The Social Dilemma [documentary], Exposure Labs and others, the United States.
Richards, Neil M., Four Privacy Myths (April 22, 2014). Revised form, "A World Without Privacy?" (Cambridge Press, Austin Sarat, ed. 2015), Forthcoming
Tal. Z. Zarsky, 'Incompatible: the GDPR in the age of Big Data', 2017.
Vinocur, Nicholas. "We Have a Huge Problem": European Regulator Despairs Over Lack of Enforcement', Politico, 27 December 2019
Case law:
French State Council (Conseil d'État), ruling n°430810, "Fine imposed on Google by the CNIL", 19 June 2020.
European Court of Justice of the EU 16 July 2020, C-311/18, (Schrems II)
Legal sources:
Article 5 para. 1 lit. b) of the GDPR - Principles relating to processing of personal data - Purpose limitation
Article 5 para. 2 of the GDPR - Principles relating to processing of personal data
Article 7 of the GDPR - Conditions for consent
Article 30 of the GDPR - Record of processing activities
Article 37 GDPR - Designation of the Data Protection Officer.