
GDPR enforcement is gridlocked – what can be done?

2022 marks four years since the adoption of the GDPR in the EU. In that time, it has become a de facto global standard and has kickstarted a global implementation of similar data protection rules in almost 160 countries including Brazil, Canada and New Zealand.

In the US, individual states’ own data privacy and protection rules are being supplanted by federal privacy legislation. Only post-Brexit UK’s proposal to relax its GDPR-based law in the name of removing red tape stands out as not following the trend.

The EU’s reputation for strong regulatory and policy capacity (the so-called ‘Brussels Effect’) means it is held up as an example of rigorous and advanced data protection law.

But despite its influence on national rule books, the enforcement of the GDPR in Europe has not been such a success story. On paper, GDPR remedies include the right to lodge a complaint with a Data Protection Authority (DPA) and the right to bring a case directly to the judiciary. In practice, both routes have proved difficult and slow. Does this week’s fine by the Irish DPA mark a new era of action, or will challenges remain behind the scenes?

Public enforcement of GDPR: headline fines mask poor coordination

One reason is the design of the GDPR enforcement arm, which appoints the DPA of the firm’s host country to lead on infringements. Low tax and a highly skilled English-speaking workforce have attracted many global tech companies to set up in the Republic of Ireland, effectively making its DPA the chief data privacy watchdog for the continent. This is despite doubts over whether key data protection decisions are actually made within this state.

So far, a lack of resources seems to have held back the Irish Data Protection Commission from taking action and has resulted in a backlog of cases in the pipeline. However, a recent €405 million fine for Instagram for mishandling children’s data, and this week’s €265m fine for Meta over a data breach, could mark a change in approach. In the Meta case, over 500 million people’s emails and phone numbers were accessed and released online.

Since 2018, numerous cases have been investigated by other national DPAs, which have issued some high-profile sanctions for infringements, such as Luxembourg’s record-breaking fine for Amazon in 2021.

But according to several studies and a recent letter from the European Data Protection Board to the European Justice Commissioner, inconsistencies in national practices, poor design of complaint processes and a lack of clarity on when it is appropriate to lodge a complaint make complaints difficult to bring.

For cross-border complaints, the process is even more long-winded, as discovered by consumer groups who lodged parallel complaints against Google with their DPAs in 2018. It took six months to appoint a lead authority, which then, six months later, decided to open its own inquiry, further delaying the complainants’ case. A lack of harmonised procedures seems to be a major factor hampering progress.

Private enforcement of GDPR: slow progress on compensation

When it comes to achieving direct consumer redress for harms via the judicial process, progress has been even slower. The lack of direct remedies for consumers via private enforcement is in part linked to the problems with public enforcement, because follow-on cases are more likely to be brought if a strong indication of wrongdoing has already been established by public authorities.

Despite this, consumer groups and citizens have challenged companies’ data practices, although they have been frequently stymied by the slow pace of legal proceedings.

Collective actions (such as a recent one against TikTok brought by Consumentenbond), which are well suited to data-driven consumer services used by millions, are also moving at a snail’s pace. In France, for example, when UFC-Que Choisir launched a group claim against Google for GDPR violations in 2019, it knew it would take many years to reach a final decision.

How to value data privacy damages?

Enforcing redress under data protection legislation presents additional hurdles due to the nature of the harm experienced. As quantifying damages in privacy has not been done before for mass scale consumer cases, there is understandable hesitancy amongst various judiciaries across Europe to be the first to state how it should be done.

There are some general challenges with demonstrating the material and non-material harm of a privacy or data protection infringement. For example, the impact of a misuse of data may not be experienced until a future date (for example exclusion from a product or service).

For group actions (where the class bringing the claim must have experienced a similar harm) there is the added challenge of demonstrating that the misuse of data would have the same impact on the entire class.

What’s more, there are questions over the evidence required to demonstrate damage related to data misuse. This is in part because the GDPR sits within a system based on compensatory redress.

To receive redress under this system, the claimant must prove that the defendant’s behaviour had a material or non-material impact on the claimant. Proving that the defendant broke the law is not, by itself, enough to receive redress.

What is a non-material data damage?

The thresholds for quantifying this for mass-scale privacy breaches have not yet been established in case law. In addition, the concept of what might constitute a ‘non-material’ damage is being challenged.

Take the recent opinion by the Advocate General of the CJEU on a case brought in Austria. The complainant claimed €1,000 in compensation for having a profile created from his personal data, without his consent, which said he was likely to be a far-right party voter. The complainant wanted to be compensated for the damage to his reputation caused by being labelled with this political leaning and for the upset caused to him.

The Advocate General gave his opinion that he should not receive compensation as only ‘genuine’ non-material damages were eligible. This raises critical questions about how non-material damages, and more in particular privacy breaches, are to be defined and evidenced.

Profiling a person on the basis of their personal data without their consent is unlawful, but the principle of compensatory redress means that the claimant needs to provide evidence of what is considered a ‘genuine’ non-material damage – and then quantify this.

Marco Scialdone, Euroconsumers’ litigation expert, questions whether the lack of an agreed measure and threshold for personal data damages is sustainable in a digital economy:

“Currently, the GDPR establishes a claim for compensation in case of data security rules, but it does not give any indication of how to calculate the material or immaterial harm caused to the individual. We still stick to a strict principle of compensatory damages in tort law: but is it still the right way in the digital economy based on immaterial exchanges where consumers exchange data for services?”

How can the GDPR enforcement gridlock be broken?

In all circumstances where consumers experience harm en masse, enforcement should deliver the right balance of compensation and deterrence. This applies equally to a cartel damage claim as it does to a data protection damage claim.

It is vital, therefore, that public enforcement is able to do its job of rectifying and preventing further harm through strict and swift action on infringements. To unlock deterrence and sanctions from public authorities, BEUC have recommended the following:

  • The European Data Protection Board (EDPB) to establish a common process for handling cross-border complaints and to work with national DPAs to establish a list of organisations that are eligible to represent data subjects under Article 80 GDPR.
  • DPAs to ensure their investigations do not delay cases being brought, or undermine the rights of the complainants. DPAs should also make full use of their assistance function when dealing with cross-border complaints and of their corrective powers under Article 58 of the GDPR.
  • Member states to establish more support for data subjects or their representative organizations who bring cross-border complaints, and to implement Article 80(2) which ensures eligible organizations can lodge complaints without a mandate from a data subject. Member States can also ensure that DPAs have the right resources and expertise to carry out their functions.

Such calls from consumer organisations have been echoed by the EDPB, which wants to see aspects of procedural rules under the GDPR harmonised, such as the rights of the different parties involved in investigations, the investigative powers of DPAs, and the deadlines and timings of procedures. Greater harmonisation could bring greater certainty and end the delays that arise from uncertainty about which processes apply and how they are carried out.

Can private and public enforcement of GDPR work better together?

We have already mentioned that unlocking public enforcement cases can help with private cases in terms of establishing harm, but closer collaboration between the private and public side of enforcement could also help in terms of quantification of damages.

In the case of unfair commercial practices, some competition authorities calculate the economic impact on consumers; this helps at the follow-on private enforcement stage. In a similar vein, Data Protection Authorities could carry out economic analysis when they sanction companies for GDPR infringements.

However, this still doesn’t tackle the challenge of a lack of knowledge of how to quantify damages, and so carries the risk that GDPR cases are left open indefinitely without conclusion. Such knowledge must be developed, and soon, in order to maintain the momentum of data protection on the continent.

Growing knowledge and confidence to quantify data damages

A key challenge is the lack of experience and knowledge in naming a quantifiable compensatory amount for a consumer data harm. As the GDPR has inspired other jurisdictions in policy terms, perhaps it is now time for the EU to learn from other jurisdictions in terms of damages calculations.

Take the US for example, which unlike the EU system allows for punitive damages for abuses – is there case law here that could be of guidance when considering quantification?

Other legal approaches with commonalities with data protection can also help here. For example, in the field of copyright, jurisprudence has recognised the so-called “price of consent” as a possible criterion for quantifying damage: as consumer associations, must we challenge the courts to recognise that there is also a price of consent in the data economy?

Clarity is key to progress

For private enforcement to contribute to upholding EU citizens’ data rights, the puzzle of how to evidence and calculate material or non-material harm from data protection breaches must be solved.

This is not only a job for judges – the expertise of public enforcement authorities also has a critical role to play. Public enforcement must also step up to break down some of the well-documented barriers to bringing complaints that four years of efforts to enforce data rights have exposed.

Without clearing the barriers to bringing complaints, and without a firm indication of who is responsible for the decision and how it is calculated, consumers’ data rights will be worth little more than the paper they are written on.