Exactly three years ago, the long-awaited General Data Protection Regulation (GDPR, known in Dutch as the AVG) went into effect. Expectations, or rather tensions, were high. With the sky-high fines that violations of the AVG could potentially bring, many companies suddenly felt an urgency to implement these "new" obligations.
Now, three years later, it's a good time to take stock. What has the AVG brought us so far, and what has it not?

Let's start with the most talked-about (and feared) part of the AVG: enforcement. Although virtually all regulators have imposed fines over the past three years, their frequency and amount vary widely. For example, the Italian authority has imposed the highest total amount of fines: EUR 76,217,601. Although this is a substantial amount, it is spread over 73 fines, while the United Kingdom regulator raked in EUR 44,221,000 with only 4 fines. With a fine total of EUR 5,537,500 (based on 11 fines), the Autoriteit Persoonsgegevens ranks seventh among European regulators in terms of total amount. Comparing the various figures is entertaining, but what stands out is that the fines imposed are generally relatively low. In any case, the gigantic maximums of EUR 20,000,000 or 4 percent of global turnover are by no means the norm. Partly for this reason, attention to AVG compliance has in some cases receded into the background.
One of the reasons that enforcement is less fierce than feared beforehand follows directly from the AVG itself. After all, it is full of open standards and best-effort obligations imposed on data controllers (and, to a more limited extent, processors). In practice, this can lead to considerable frustration: while the AVG prescribes that something must be done, it gives little direction as to when that something is actually good (enough) and thus leaves open how it should be done.
Take the processing basis "legitimate interest", where the controller itself must weigh whether the intended processing outweighs the invasion of the data subjects' privacy. Coupled with the general accountability requirement, it follows that this balancing of interests must be adequately thought through and documented, but it is doubtful that companies are aware of this. Guidelines or manuals on how to perform this balancing correctly are also lacking. The Autoriteit Persoonsgegevens' explanation of the legitimate interest standard has since disappeared from its website, but it prescribed a very strict balancing of interests. On the other hand, the (outdated) guidelines of the Article 29 Working Party and the legitimate interest assessment prescribed by the British regulator are much more generous in what qualifies as a legitimate interest. The fine that the Autoriteit Persoonsgegevens had imposed on VoetbalTV, partly because of the lack of such an interest, has been overturned by the court, while the lawsuit against the KNLTB (in which the legitimate interest test again plays a role) is still pending. Even though the legitimate interest basis is very common in practice, there is still much uncertainty beforehand about how to apply it lawfully.
The open standards also lead to discussion on other points. The AVG largely centers around the key figure of the controller: the party who determines the purpose and means of processing. In addition, we know the processor, who processes solely on behalf of the controller, and joint controllership, where not one but several controllers jointly decide on a specific processing. This qualification, seemingly simple on paper, leads to much discussion in practice. Given the strict conditions a processor must meet and the actual control the controller must exercise over it, in many cases it is no longer possible to speak of a processor role at all. Since the AVG entered into force, a shift seems to be taking place in which the former processor is increasingly pushed into the (joint) controller role. This picture is confirmed in case law and in the interpretation of the processor concept by national privacy regulators. Processor roles are (virtually) impossible within corporate groups: if the parent company performs services for a subsidiary, the parent will be a joint controller, and no longer a processor.
The use of social media plug-ins can lead to joint controllership between the party placing the plug-in and the social network in question. While this last example seems primarily an attempt to make the big tech companies accountable for their "unlimited" data collection, it mostly raises questions for me. After all, there is no such qualification (yet) for the use of third-party cookies. The largest cloud providers, Google and Amazon, do (still) offer their services as processors, while one wonders whether customers can enforce the desired processing conditions on those parties, for whose processing the customers ultimately remain data controllers. I would not be surprised if the march of (joint) controllership continues and processor roles become increasingly scarce.
The shift from processor to (joint) controller also means that regulators can act against more parties, but how does that work with a foreign company? In principle, regulators are only empowered to enforce within their own territory. Notable, therefore, is the recent fine imposed by the Autoriteit Persoonsgegevens on the party behind the website locatefamily, believed to be based in Canada. This party had failed to appoint a representative, which is mandatory if you, as a data controller based outside the EU, still fall within the scope of the AVG. The idea is that the representative then complies with the AVG on behalf of the foreign company. And therein lies the rub: outside the EU, European regulators are not empowered to enforce, but the Autoriteit Persoonsgegevens is trying here anyway. I wonder if the fine will be paid, but only time will tell.
Finally, the case law. Following the high-profile Schrems II judgment of the Court of Justice, international transfers are again under discussion. At the national level, we see a cautious development in case law in the area of damages and the rights of access and erasure.
My takeaway: after three years of AVG, we are far from wiser on a number of key issues, but above all, there are plenty of interesting questions before us to answer over the next three years.
