ORG Response to the European Commission Review of the GDPR

We suggested changes to the mechanism which governs cross-border complaints to the European Commission, based on our experience with adtech complaints.


0. SUMMARY

We first present the Civil Society Organisations which are submitting this input and the complaints we lodged, which allowed us to observe the functioning of the cooperation mechanisms provided by chapter VII of the GDPR. We then provide detailed feedback on the issues we encountered, alongside some policy recommendations which we believe could address such shortcomings. Finally, we explain the methodology we used to survey the complainants and organisations involved, whose feedback has informed our submission.

In particular, our experience highlighted:

  • A substantially passive attitude of the Supervisory Authorities in the handling of complaints;
  • Divergent and conflicting standards over the admissibility of complaints;
  • Lack of information concerning the progress of complaints to the complainants; and
  • Long duration of the proceedings.

In short, cross-border complaints are not effectively tracked or resolved at present: the root cause is to be found in the way the One-Stop-Shop mechanism was implemented, as Supervisory Authorities lack the means and encouragement to take an active stance in the resolution and enforcement of complaints.

We believe such shortcomings can be tackled without resorting to legislative changes, but rather by implementing appropriate guidelines and procedures which can allow Supervisory Authorities to effectively work together in all stages of the complaint. We also find Supervisory Authorities to be ill-equipped to meet their new tasks, and to assert enforcement decisions against well-resourced technology companies: we therefore call on Member States to provide proper financial means to their national Supervisory Authorities, and on the European Commission to ensure that Member States meet their obligations under Article 52(4) of the GDPR.

1. WHO WE ARE

Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect fundamental rights to privacy and free speech online. With over 3,000 active supporters, we are a grassroots organisation with local groups across the UK. We have worked on GDPR and other issues such as data retention, and were a party in the Watson case at the CJEU. Our current focus includes the free expression impacts of content moderation and ‘online harms’ regulatory proposals, alongside surveillance and encryption policy, the use of personal data in the COVID-19 pandemic, data protection enforcement, online advertising and the use of personal data by political parties. We are a member of European Digital Rights (EDRi).

Panoptykon Foundation is a Polish watchdog NGO with the mission to protect fundamental rights in the context of growing surveillance and fast-changing information technologies. We believe in “watching the watchers” and consider data a source of power. Therefore we keep an eye on entities that collect and use personal data in order to influence people (public authorities, intelligence agencies, business corporations). On the legal front we keep track of new legislation, develop alternative regulatory solutions and intervene to protect human rights. In our advocacy we address both policymakers and business lobbies. Through our research and investigations we expose risks related to commercial and public surveillance in order to raise public awareness. We visualize collected data and engage in artistic collaborations in order to reach a broader audience. Since 2010 we have been an active member of European Digital Rights (EDRi).

The Civil Liberties Union for Europe (Liberties) is a non-governmental organisation promoting the civil liberties of everyone in the European Union (EU). We are headquartered in Berlin and have a presence in Brussels. Liberties is built on a network of national civil liberties NGOs from across the EU. Currently, we have member organisations in Belgium, Bulgaria, the Czech Republic, Croatia, Estonia, France, Hungary, Ireland, Italy, Lithuania, Poland, Romania, Spain, Slovenia, the Netherlands and associated partners in Germany and Sweden. We intend to keep expanding our membership to include NGOs from all 27 EU countries.

2. ABOUT THIS SUBMISSION

We are glad to see the Commission reaffirming the objective to strengthen individuals’ rights to data protection with the Communication “Data protection rules as a trust-enabler in the EU and beyond – taking stock”, both as a means to promote the adoption of sound data management practices by businesses and organisations, and to drive public trust within an increasingly data-driven economy. In this regard, Open Rights Group, Panoptykon Foundation and Liberties have worked together over the last years to address online advertising data processing practices, raising a number of complaints to different National Supervisory Authorities. Within this context, we observed some issues concerning the functioning of the cooperation and consistency mechanisms laid out in chapter VII of the GDPR, and we welcome the opportunity to contribute to the Commission report on the application of the GDPR.

3. OUR EXPERIENCE WITH THE COOPERATION MECHANISM

On September 12, 2018, we filed two complaints to the Supervisory Authorities of Ireland and the UK, seeking action against breaches of the data protection regime by Google and the Interactive Advertising Bureau, as well as the initiation of a wider investigation of adtech data protection practices. Additional complaints were filed in 2019 to the Supervisory Authorities of Poland, the Netherlands, Spain, Luxembourg, Belgium, Germany, Hungary, Italy, Bulgaria, Romania, Estonia, Slovenia, France and the Czech Republic, for a total of 21 Supervisory Authorities being involved in the action.

These complaints were all supported by compelling evidence, validated by a number of reports and press statements released by the Supervisory Authorities. In our experience, however, Supervisory Authorities have failed to address these findings with appropriate regulatory action, resulting in the absence of any significant change of behaviour by the industry and, ultimately, in the continuation of a systemic breach of the data protection rights of the complainants and EU citizens at large. In particular, we encountered a passive approach by Supervisory Authorities, diverging and conflicting standards over the admissibility of complaints, lack of information concerning the progress of the complaints, and long duration of the proceedings. All these aspects are further substantiated in the following paragraphs.

4. OUR FEEDBACK

4.1 Passive approach by Supervisory Authorities

In our experience, Supervisory Authorities have shown a substantially passive attitude in the handling of the proceedings: fifteen Supervisory Authorities merely assigned a Registration Number to the complaint being issued or referred their claim to a Lead Supervisory Authority, without any further communication to the complainant. Another SA expressly instructed the complainant to contact the Lead Supervisory Authority to obtain updates about the complaint, which the complainant did to no avail. Finally, three Supervisory Authorities did not reply at all.

Recommendations:

We believe that Concerned Supervisory Authorities should be given the means to actively participate in complaints, in particular in the phase preceding the adoption of a draft decision by the Lead Supervisory Authority. To this end:

  • The EDPB should issue guidelines on procedures to allow effective sharing of information and participation in the proceedings by all the Supervisory Authorities involved. In particular, the effective implementation of mutual assistance (Article 61) and joint operations (Article 62) mechanisms should be promoted.
  • The EDPB should ensure that complaints are effectively tracked and that information flows between all parties, e.g. by promoting the adoption of best practices for the use of the Internal Market Information System.
  • The EDPB should further emphasise that Supervisory Authorities retain responsibility for the complaint and its resolution, even when another authority is leading the investigation.

4.2 Divergent and conflicting standards over the admissibility of complaints

Some Supervisory Authorities resisted or refused to admit complaints whose admissibility had already been established by other Supervisory Authorities: two SAs rejected the complaint for, respectively, alleged lack of jurisdiction and lack of funding and resources to participate in joint investigations. Also, another SA asked for further details to instruct the complaint (which were provided), but did not follow up. Finally, we registered a case where a Lead Supervisory Authority rejected a claim lodged by a Civil Society Organisation without a mandate from a data subject, despite the country of the claimant allowing such claims pursuant to Article 80(2), and the Supervisory Authority of this country having already admitted the complaint.

Recommendations:

We believe that:

  • The criteria to lodge a complaint or commence an investigation should be clarified by the EDPB, in particular within the context of One-Stop-Shop complaints where one or more Supervisory Authorities have already ruled on the admissibility of the complaints.
  • Additionally, a tracking mechanism as mentioned above would allow Supervisory Authorities to see when similar complaints have been raised, and understand better when these should be referred to another authority.

4.3 Lack of information concerning the progress of the complaints to complainants

In our experience, Supervisory Authorities have fallen short in informing complainants about the progress of their proceedings: fifteen Supervisory Authorities did not provide any update, following the assignment of the reference number or the referral of the complaint to a Lead Supervisory Authority. One Lead Supervisory Authority only informed the complainant about the commencement of the investigations. Another Lead Supervisory Authority, and notably one of the Concerned Supervisory Authorities, have chosen to release reports and press statements about the adtech sector or the use of cookies, but have fallen short of keeping the complainants updated about the progress of their complaint. Also, it is unclear to us if any information intended to reach complainants has been passed by the Lead Supervisory Authorities to the other Supervisory Authorities.

Recommendations:

We believe that complainants should receive information which is useful to them, such as explanations about the steps being taken by the Lead Supervisory Authority. To this end:

  • The EDPB could provide guidelines to help the Supervisory Authorities to meet, within the context of One-Stop-Shop investigations and proceedings, their duty to inform complainants about the progress of their complaint, in line with Articles 57(1)(f) and 77(2).
  • Also, Supervisory Authorities should be put in the position to see cross-border complaints which have already been lodged, and to track them through a central registry. Tracking the response and information flow would help each Supervisory Authority to ensure they have received updates from the Lead Authority, and passed information to complainants as appropriate.

4.4 Long duration of the proceedings

The first two complaints on this matter were filed on September 12, 2018, and the latest complaint was filed on June 4, 2019. However, by the time this feedback is being submitted (April 29, 2020), no apparent progress concerning the enforcement of data protection rules has been registered, nor any appreciable change of behaviour by the industry responsible for such widespread breach of the complainants’ right to data protection.

Recommendations:

We believe that Supervisory Authorities should be put in the position to address in a timely manner the breaches of data protection rules brought to their attention, and to effectively enforce the law. To this end:

  • The European Commission should compel Member States to meet their obligations under Article 52(4), and provide Supervisory Authorities with appropriate means and investigative personnel. This should also include sufficient resources to allow Supervisory Authorities to confidently assert their decisions against well-resourced technology companies, and to defend their position in the event of a judicial appeal. Furthermore, the possibility to strengthen cooperation among data protection Supervisory Authorities and other regulatory authorities (e.g. consumer protection or antitrust) should be explored.
  • The EDPB could issue guidelines and procedures which allow Supervisory Authorities to exercise their rights to draft findings, work in other ways with the Lead Supervisory Authority, and rely on the urgency procedure, especially where an issue is high impact and taking time to resolve. To this end, the EDPB could also take responsibility for review of cross-border complaints that remain unresolved, through a tracking mechanism, which would allow discussion to take place when these are unresolved after a set period, e.g. six months or a year.
  • Finally, Supervisory Authorities should be put in the position to provide information to complainants about other means to resolve their complaint, if proceedings are not reaching a conclusion.

5. CONCLUSION

In our experience, cross-border complaints are not effectively tracked or resolved at present: we believe the root cause is to be found in the way the One-Stop-Shop mechanism was implemented, which de facto created a strong incentive for Supervisory Authorities to pass a complaint onto another authority, without any stimulus to ensure that the proceeding is handled well. Indeed, Supervisory Authorities lack the means and encouragement to complain about the work of another, favouring the adoption of a more passive approach toward the handling of the cases.

On the other hand, we believe these shortcomings not to be rooted in the legal provisions of the GDPR: stronger commitment by EU Member States to ensure proper funding to Supervisory Authorities, together with the implementation of appropriate procedures that allow a successful implementation of the cooperation mechanisms provided by chapter VII of the GDPR, would allow the One-Stop-Shop mechanism to function much better than currently. In this regard, we believe efforts should be focused on ensuring effective information flows among the Supervisory Authorities, as well as adequate involvement and reciprocal support in all stages of the complaint. We also believe the EDPB could play a more active role, for instance by reviewing aged complaints and ensuring they are dealt with in a timely manner.

6. APPENDIX: SURVEY METHODOLOGY AND RAW DATA

To collect information about the Supervisory Authorities’ responses to the complaints, we consulted the individuals and Civil Society Organisations who lodged a complaint to their national supervisory authority, in particular by asking for information about: the date the complaint was filed, the subjects the complaint was lodged against, the outcomes of the investigation, and the evidence submitted.

Following these consultations, we sent an online questionnaire consisting of the following questions: Organisation name; Country; Data protection authority (DPA); Date wrote to DPA; Date substantive reply (or replies) received; Did the DPA pass the complaint to another authority?; Who did the DPA pass the complaint to?; Have you had any further communication from your DPA?; Did the DPA ask you to further substantiate your claim, in order to proceed with their investigation?

Raw data is included in the PDF version of this submission.