GDPR enforcement must level up to catch big tech, report warns

A recent assessment by Beuc, the European consumer protection organization, highlights challenges in the consistent application of the EU’s primary data protection regulation, presenting a difficult assessment for European legislators and regulatory bodies as they prepare to shape the future of digital governance within the region.
In November 2018, Beuc’s constituent groups submitted a number of complaints regarding Google’s utilization of location data; however, approximately two years after these privacy issues were raised, no resolutions have been reached.
The technology company continues to generate substantial revenue from advertising, including through the processing and commercialization of internet users’ location data. Ireland’s Data Protection Commission (DPC), designated as the lead data protection authority under GDPR’s cross-border complaint handling system, initiated an investigation in February of this year.
However, it may take several more years before Google is subject to any regulatory measures in Europe concerning its location tracking practices.
This delay is due to the fact that Ireland’s DPC has not yet issued any decisions regarding cross-border GDPR cases, despite the regulation having been in effect for approximately 2.5 years. (Although, as previously reported, a case concerning a Twitter data breach is nearing a conclusion.)
In contrast, France’s data protection authority, the CNIL, was able to complete a GDPR investigation into the clarity of Google’s data processing procedures more swiftly last year.
This summer, French courts upheld the $57 million fine issued by the CNIL, dismissing Google’s appeal.
However, this case occurred before Google fell under the jurisdiction of the DPC. Furthermore, Ireland’s data regulator is responsible for a disproportionately large number of multinational technology companies, given the number that have established their EU headquarters within the country.
The DPC currently manages a significant backlog of cross-border cases, including over 20 GDPR investigations involving numerous technology companies such as Apple, Facebook/WhatsApp, and LinkedIn. (Google has also been under investigation in Ireland regarding its advertising technology since 2019.)
This week, Thierry Breton, the EU’s commissioner for the Internal Market, acknowledged that European lawmakers are aware of enforcement “bottlenecks” within the General Data Protection Regulation (GDPR).
He indicated that the commission has taken note of the difficulties encountered—asserting that it will ensure similar issues do not impede the implementation of a forthcoming regulatory proposal concerning data reuse, which he recently presented to the public.
The commission intends to establish standardized conditions for the lawful reuse of industrial data throughout the EU, through a new Data Governance Act (DGA), which proposes supervisory mechanisms similar to those used in the EU’s oversight of personal data—including national agencies responsible for monitoring compliance and a central EU steering body (planned to be named the European Data Innovation Board, mirroring the European Data Protection Board).
The commission’s extensive agenda for updating and expanding the EU’s digital rules framework means that criticism of GDPR could diminish the impact of the DGA before the proposal is finalized—placing pressure on legislators to identify innovative solutions to overcome GDPR’s enforcement “bottleneck.” (Innovation is necessary because national agencies are responsible for daily oversight, and member states are responsible for funding DPAs.)
In an initial GDPR assessment this summer, the commission lauded the regulation as a “modern and comprehensive piece of legislation” and a “global benchmark”—claiming it has served as a model for California’s CCPA and other emerging digital privacy frameworks worldwide.
However, it also admitted that GDPR enforcement is insufficient.
Didier Reynders, the EU’s commissioner for Justice, stated in June that the most effective solution to this issue “will be a decision from the Irish data protection authority regarding significant cases.”
Five months later, European citizens are still awaiting such a decision.
Beuc’s report—titled “The long and winding road: Two years of the GDPR: A cross-border data protection case from a consumer perspective”—details the procedural obstacles its member organizations have encountered in their efforts to obtain a decision related to the initial complaints, which were submitted to various DPAs across the EU.
These concerns include the Irish DPC’s implementation of unnecessary “information and admissibility checks”; as well as the rejection of complaints submitted by an interested organization on the basis that they lack standing under Irish law, despite the Dutch consumer organization having filed the complaint under Dutch law which does allow for third-party redress…
The report also questions why the DPC initiated an inquiry into Google’s location data activities on its own initiative (rather than a complaint-driven inquiry)—which Beuc believes could further delay a resolution to the complaints themselves.
It further notes that the DPC’s investigation of Google only covers activity from February 2020, not November 2018 when the complaints were originally filed—meaning a portion of Google’s location data processing is not currently under investigation.
It observes that three of its member organizations involved in the Google complaints considered seeking a judicial review of the DPC’s decision (Note: others have pursued this option)—but ultimately decided against it, in part due to the substantial legal costs involved.
The report also highlights the inherent imbalance of GDPR’s one-stop-shop mechanism, which shifts the administration of complaints to the location of the companies under investigation—arguing that they therefore benefit from “easier access to justice” (compared to the average consumer who must undertake legal proceedings in a different country and (likely) language).
“If the lead authority is in a country with a tradition in ‘common law,’ like Ireland, things can become even more complex and expensive,” Beuc’s report further states.
Another issue raised is the overarching challenge of rights complaints having to contend with what it describes as “a moving target”—given that well-funded technology companies can exploit regulatory delays to (superficially) modify practices, masking continued misconduct with misleading public relations campaigns. (Something Beuc accuses Google of doing.)
DPAs must “adapt their enforcement approach to intervene more rapidly and directly,” it concludes.
“Over two years have passed since the GDPR became applicable; we have now reached a critical juncture. The GDPR must finally demonstrate its effectiveness and serve as a catalyst for urgently needed changes in business practices,” Beuc continues in a summary of its recommendations. “The experiences of our members and other civil society organizations reveal a series of obstacles that significantly hinder the effective application of the GDPR and the proper functioning of its enforcement system.
“BEUC recommends that the relevant EU and national authorities make a comprehensive and collaborative effort to ensure the swift enforcement of the rules and improve the position of data subjects and their representing organizations, particularly in the context of cross-border enforcement cases.”
We contacted the Commission and the Irish DPC for comment on the report. However, neither had responded at the time of writing. We also reached out to Google for a statement.
Update: Graham Doyle, the DPC’s deputy commissioner, informed us that the decision to launch a “forward-looking” inquiry into Google’s location practices in early 2020 was motivated by a desire to investigate “in real time” rather than attempting to reconstruct past events.
Doyle also explained that the location-related Google complaints were submitted to different DPAs at different times—meaning some complaints reached Ireland considerably later than November 2018, raising questions about the efficiency of the current procedures for European DPAs to forward complaints to a lead supervisor.
“The complaints in question were lodged with different Supervisory Authorities on different dates from November 2018,” he said. “The DPC received these complaints in July 2019, following which we engaged with Beuc. We then opened an own-volition inquiry in February 2020 in a manner that will enable us to undertake real-time testing in order to evidence our findings.”
Beuc previously submitted a list of eight recommendations for “efficient” GDPR enforcement to the commission in May.
Update II: A commission spokesperson referred back to its earlier evaluation of the GDPR this summer, highlighting the follow-up actions it committed to at that time—such as continuing bilateral discussions with member states on the proper implementation of the regulation.
It also stated that it would “continue to use all the tools at its disposal to foster compliance by member states with their obligations”—including, potentially, initiating infringement proceedings if necessary.
Additional follow-up actions related to “implementing and complementing” the legal framework that it detailed in the report included supporting “further exchanges of views and national practices between member states on topics that are subject to further specification at national level so as to reduce the level of fragmentation of the single market, such as processing of personal data relating to health and research, or which are subject to balancing with other rights such as the freedom of expression;” and to advocate for “a consistent application of the data protection framework in relation to new technologies to support innovation and technological developments.”
The commission also said it would utilize the GDPR Member States Expert Group to “facilitate discussions and sharing of experience between member states and with the commission,” with the goal of improving the regulation’s operation.