When the GDPR came into effect in 2018, the new data protection law was hailed as a shift toward stricter enforcement, ensuring that the fundamental right to data protection in the EU does not exist only on paper. To mark this year's Data Protection Day on 28 January, noyb surveyed more than 1,000 data protection professionals working at European companies. The result is a rare inside view: 70% of respondents believe authorities should issue clear decisions and enforce the GDPR to ensure compliance, while 74% say authorities would discover "relevant violations" if they walked through the door of an average company. As a first step toward "evidence-based enforcement", the survey also shows that authorities would have to fundamentally change their approach to enforcement to get companies to comply.

When it came into force in May 2018, the General Data Protection Regulation (GDPR) promised a shift from the previous "soft" approach to data protection to serious enforcement. To achieve this goal, EU lawmakers gave authorities serious investigative powers and the ability to impose large fines. According to a new noyb survey of more than 1,000 data protection professionals, most participants believe that the introduction of the GDPR has "significantly improved" the way companies handle personal data, but 74% still say that if the authorities were to actually conduct an on-site investigation at an average company processing user data, they would find "relevant violations."
Max Schrems, honorary chairman of noyb: "It is extremely alarming when 74% of in-house data protection professionals say that authorities would find significant violations at an average company. Such figures are unthinkable when it comes to tax compliance or fire safety regulations. Non-compliance seems to be the norm only when it comes to users' personal data."
To gain as much insight as possible into the practical application of the GDPR, noyb's survey included 65 questions on a range of GDPR compliance and enforcement topics. This allowed us to obtain reliable and objective data on the internal dynamics that prevent data protection officers (DPOs) from implementing measures to strengthen GDPR compliance, as well as on the external factors that could push companies toward greater compliance in the future. Such data is crucial for focusing enforcement and compliance work on strategies that actually work and that support the work of internal DPOs.
Businesses often operate in a field of tension between the pursuit of profit, the cost of making their systems GDPR-compliant and the obligation to comply with the law. The noyb survey clearly shows that DPOs are under pressure to limit GDPR compliance in the interest of the business: 46% of respondents said sales and marketing actively pressured them to limit compliance, while 32% felt pressured by members of senior management. Not surprisingly, convincing these stakeholders to make the changes needed to improve compliance also proved difficult: 56% of respondents said it was difficult to convince the marketing department, while 38.5% had problems with senior management. 51% also said it was difficult to convince non-EU/EEA suppliers to supply compliant products to EU business customers.
Max Schrems: "DPOs are supposed to be independent and ensure compliance within the company. In reality, many of them report pressure from various sides to prioritize business interests."
The severe lack of clear enforcement measures by authorities does not help DPOs do their job. According to the survey results, a company is most likely to improve its compliance if it, or even another company, faces significant fines. 67.4% of respondents said that DPA decisions against their own company that include a fine would influence decision-makers to opt for increased compliance. Interestingly, 61.5% of respondents said that even DPA fines against other organizations would influence their own company's compliance with the GDPR. This effect ("deterrence") is known and studied, but not really applied by the authorities. The next best tool seems to be the publication of decisions: 52% indicate that another company's loss of reputation already has a positive effect on their own company's compliance. However, many authorities currently do not publish their decisions (e.g. in Germany) or publish them only selectively.
Max Schrems: "The advice from data protection professionals within companies seems to be: 'impose high fines and make them public.' The usual approach of relying on 'informal' negotiations between authorities and companies and secret procedures seems to be the least effective, according to company insiders."
Although authorities invest considerable effort, time and resources in providing guidelines to companies, these seem to be largely ignored by companies. 46% of respondents said EDPB guidelines are not influential, while only 23% considered them somewhat influential. Similarly, insiders rate direct complaints to companies as not very influential. This contrasts with complaints to data protection authorities and with the informal closure of cases (currently the most common form of decision). Despite all the evidence of the urgent need for strict enforcement, such actions by regulators remain the exception in practice. This can be illustrated using noyb's own work: most of our 800-plus cases have been pending for more than two years. Even among the cases that noyb has won, only a handful of decisions include a fine. In over 800 cases, we have not seen a single authority actually conduct an on-site inspection of a company.
Max Schrems: "In recent years, European authorities have issued numerous guidelines, held lengthy 'informal' discussions with companies and then 'closed' cases without further action. Judging from feedback from compliance officers, this is unfortunately not the best use of taxpayers' money."
While the insider view is already alarming, it is still more optimistic than the average experience of data subjects would suggest. For example, when noyb exercised the right of access to personal data, more than 90% of requests were not fully answered in time; most requests were simply ignored. By comparison, 59% of respondents believe that most companies "largely" comply with the "core rules" of the GDPR. Practical experience suggests that the view from outside may be even bleaker than the insiders' view.
If respondents are to be believed, the only realistic solution to this problem is clear: stricter enforcement and clearer decisions by DPAs and courts that force companies to bring their data processing into compliance. A full and detailed list of suggested actions can be found in the survey. The results also demonstrate the urgent need to gather further objective evidence so that authorities with limited resources can do effective enforcement work. Repeating approaches that do not work will not lead to practical changes on Europeans' phones and computers. The data collected in our study provides a starting point for further research, and noyb will also conduct further research of its own.
