PONT Data&Privacy

Three years of AVG - waiting for the tiger's teeth

The time when the Netherlands, and the rest of the EU, were preparing for the arrival of the General Data Protection Regulation ("AVG") seems like an eternity ago. Yet this month marks just three years since the AVG went into effect. Although the AVG has created more privacy awareness among citizens and organizations, there are also less positive developments to note. In this blog, we will discuss some of these issues.

May 25, 2021

Background articles

Harmonization within the EU?

Before the advent of the AVG, European privacy rules were contained in a directive. The AVG, unlike its predecessor, is a regulation. This form of legislation generally leads to harmonization in the EU; equal rules in each member state. After all, the obligations included in the AVG - unlike with a directive - should have direct effect in national legislation. In addition, there is limited room in the AVG for national law derogations.

Despite the fact that all member states start from an equal set of rules, more and more differences are becoming visible as more enforcement actions are launched. Not only are certain concepts interpreted differently by different authorities, but there also seems to be a big difference between the levels of fines handed out. For example, the Dutch Personal Data Authority ("AP") seems to apply a fairly strict interpretation of the term "legitimate interest," while it is not clear whether the other regulators see it the same way. On the other hand, the AP applies a rather modest fine policy with EUR 1,000,000 as the upper end of a bandwidth (barring exceptions), while in 2019 the French CNIL did not hesitate to fine Google EUR 50,000,000. In addition, some authorities seem to be a lot more "active" than others, which means that the risk of penalties for organizations may be greater in one member state than in another. For example, the Spanish Agencia Española de Protección de Datos has already imposed more than 220 fines, while in Belgium the counter stands at 25.

So in that respect, there is still some work to be done, for example for the European Data Protection Board, the group in which all national authorities participate and give direction to the AVG.

The EU vs 'the rest'

The AVG has brought the EU a robust privacy framework. The EU thus appears to be a forerunner to many other countries around the world; the right to privacy does not carry the same meaning everywhere as it does in the EU. For this reason, the exchange of personal data with countries outside the EU ("third countries") is possible only in limited cases. The transfer is permitted only when one of the prescribed appropriate safeguards can be taken. However, we see increasing doubt as to whether existing safeguards are in fact appropriate, especially as legislation in those third countries continues to lag behind. For example, the European Court of Justice ("CJEU") already invalidated the EU-U.S. transfer mechanism - the so-called Safe Harbor Principles - in 2015. However, its successor - Privacy Shield - was also found to be inappropriate last summer. In addition, the CJEU also questioned the degree of protection that Standard Contractual Clauses, the most commonly used safeguard, can provide.

The question now before us is "where to go from here?" Far-reaching restrictions on the exchange of personal data, especially with countries where many IT service providers are located, do not seem a realistic option in the digitized and globalized world in which we now find ourselves. On the other hand, the fact that countries around us can offer a lesser degree of protection should also not be a reason to lower our European privacy standards. So here, too, there is still much need for guidance.

The capacity of the authorities

The AP has been struggling with a capacity problem for years and has sounded the alarm about this several times. Earlier this week, the AP released a position paper in which it emphasizes that increasing its capacity is necessary for citizens, business and trust in government. The paper outlines a growth path for the AP to 470 FTE by 2025. Currently, the AP has 184 FTE.

According to the AP, its current budget prevents it from fulfilling its statutory duty as a regulator, and it is not getting around to implementing its strategic priorities. Other consequences of the lack of capacity that the AP cites in its position paper:

  • data breach reports receive too little follow-up: only 0.15% lead to investigation;

  • 9800 complaints are on the shelf and the waiting time before the AP can consider a complaint is six months;

  • there is insufficient capacity to impose fines and other penalties;

  • the AP does too few mandatory investigations of large-scale European information systems that share police and justice data;

  • oversight of algorithms holding personal data does not get off the ground.

As indicated earlier, with the AVG, the EU has a robust privacy framework. However, having a robust privacy framework is not enough. Equally important is that citizens can effectively exercise their rights under the AVG and the AP can take enforcement action. With the AP's current capacity, that does not seem possible.

The AP is not the only regulator facing a capacity problem. Earlier this week, it emerged that the Irish privacy regulator, which serves as the lead regulator for virtually all major tech companies through the one-stop shop mechanism, has insufficient capacity to conduct all (cross-border) investigations, critics say.

These developments are cause for concern. The capacity problem of authorities may lead to a reduced willingness of citizens and organizations to report. It may also ultimately affect the privacy awareness and compliance of citizens and organizations, as only a very small percentage of complaints, reported breaches and data breach notifications is followed up.

So even though the AVG may provide a solid foundation, after three years there are still some steps to be taken to grow into that European tiger with teeth.

AKD