Europe is unable to crack down on big technology companies. Large and important privacy cases mainly end up on the plate of the Irish regulator. The latter, in turn, misses out on too many issues. Moreover, the budget at most European regulators is insufficient and there are too few specialists who can act against the tech companies. The enforcement of European privacy laws is seriously affected as a result. So writes the Irish Council for Civil Liberties (ICCL) in a report published today.
The Irish civil rights organization makes no mistake. Europe is currently unable to monitor and call large (mostly U.S.) tech companies to order. Three-and-a-half years after the introduction of the AVG, enforcement of European privacy laws and regulations has become paralyzed.
Ireland's Data Protection Commission (DPC) is a bottleneck in the fight against Big Tech across the EU, ICCL writes in its report. According to the civil rights movement, 98 percent of cases that come to the DPC are not resolved. European regulators are not prepared for the digital age. For example, there are too few specialists who can determine exactly what tech companies are doing with European citizens' personal data. Only 9.7 percent of all employees at national regulators possess the specialized knowledge to investigate this.
Another factor leaving the AVG enforcement policy wanting is the budget. More than half of all European regulators have €5 million or more available annually to take on privacy issues. Of the total EU budget, Germany accounts for 32 percent.
According to the ICCL, the one-stop shop is the main cause of Europe's inability to act against tech companies such as Google, Amazon, Apple and Facebook. This principle means that the regulator of the country where the company in question is headquartered should investigate the case. Since most tech companies are headquartered in Dublin, most privacy-related and anti-competitive cases end up on the DPC's plate. Moreover, one in five cases (21 percent) is referred to the Irish regulator.
"No other EU AVG enforcement body can intervene if the Irish DPC claims its leading role in cases against big tech companies headquartered in Ireland. As a result, EU AVG enforcement against Big Tech is paralyzed by Ireland's failure to submit draft decisions in cross-border cases," ICCL writes.
It is unfair to place the blame entirely on the Irish. Along with Spain, Germany, the Netherlands, France, Sweden and Luxembourg, Ireland accounts for handling nearly three-quarters of all AVG complaints filed in Europe (72 percent). In other words, a small group of member states is responsible for handling the bulk of all privacy cases and complaints.
On top of that, the budget at most supervisors is insufficient. The good news is that the total budget for national regulators increased by 81.9 percent to €294.6 million between 2016 and 2021. On the other hand, the annual increase has been steadily declining since 2018, when the AVG came into force. Nine national regulators have to get by on a budget of less than 2 million euros.
Finally, ICCL finds that European regulators employ too few technically skilled staff. Out of 3,014 full-time employees, only 293 are technical specialists. That's less than one in 10 employees. Only five member states employ 10 tech specialists or more. The lion's share of member states (15) employ only four or fewer specialists.
The civil rights movement ends with a number of recommendations. First, it believes the Irish regulator should be reformed and strengthened. The government should provide more funding so that the DPC can increase its capacity. Furthermore, greater weight should be given to the DPC's rulings. Instead of advice, the body should place more emphasis on enforcement.
Furthermore, ICCL suggests that the European Commission take tougher action against member states that do not take personal data protection seriously enough. Finally, the EU's day-to-day administration should better enforce the application of the AVG. The European Data Protection Board (EDPB) and national supervisors should publish quarterly reports updating the Commission on the development of pending cases.
ICCL examined 164 major cases filed with the DPC between May 2018 and May 2021. Only four cases were actually addressed by the Irish regulator during this period. One of these is the investigation into WhatsApp. Recently, the DPC announced that it had imposed a €225 million fine on the chat service for violating the AVG. Initially, the fine amount was considerably lower, somewhere between 30 and 50 million euros. Eight European regulators objected to this. The DPC then decided to increase the fine to 225 million euros.
Download the report here.
