Data Protection: GDPR Is Perfect, Enforcement Is Terrible, Says EU Parliament
EU Parliament's GDPR resolution | Washington Privacy Act | MailChimp declared illegal in the EU | Facebook wiretapping case
Issue 4, 21-28 May, 2021
A lot of new signups this week!
Big thanks to everyone who has shared Data Protection on social media. Please do the same if you enjoy this newsletter.
If you want me to write up data protection-related news or create content for your website, please get in touch: rob@data-protection.news
EU Parliament Rates GDPR A+; Enforcement F-
Asked what they think of European data protection regulation, EU legislators say it would be a very good idea.
It’s nearly five years after the GDPR passed, and nearly three years since it came into force. While the upcoming ePrivacy Regulation will change the European privacy landscape, don’t expect the GDPR itself to change any time soon.
In a resolution this Thursday, the European Parliament said that the GDPR:
Has been “an overall success”
Has “become a global standard for the protection of personal data”
Has “placed the EU at the forefront of international discussions about data protection”
Does not require any “update or review”
However, there’s a big “but”…
Why did they say these lovely things?
The EU Parliament’s comments come in a resolution, which passed by 483 votes to 96, with 108 abstentions, on the Commission’s GDPR resolution. In short, the Commission said that the GDPR did not require amendment, and the Parliament agreed.
What’s the “but”?
Despite lavishing praise on the regulation itself, most of the comments in the Parliament’s resolution are quite negative.
The main problem, as the European Parliament sees it, is a lack of enforcement. The Parliament was pretty scathing about Ireland’s and Luxembourg’s DPAs:
“…these DPAs are responsible for handling a large number of cases, since many tech companies have registered their EU headquarters in Ireland or Luxembourg… the Irish data protection authority generally closes most cases with a settlement instead of a sanction… cases referred to Ireland in 2018 have not even reached the stage of a draft decision…”
Ouch…
Ouch indeed. The Parliament also lists some ways in which a lack of enforcement of the GDPR is leading to poor outcomes for EU data subjects.
For example, this passage about the ubiquity of targeted advertising and algorithms:
“…profiling, although only allowed by Article 22 GDPR under strict and narrow conditions, is increasingly used as the online activities of individuals allow for deep insights into their psychology and private life…”
And this passage, which cites digital “monopoly situations”:
“…further efforts are needed to address broader issues of digitisation, such as monopoly situations and power imbalances…”
The Parliament also criticised the Commission’s method of adopting adequacy decisions:
“…adequacy decisions should not be political but legal decisions… so far adequacy decisions have only been adopted for nine countries, even though many additional third countries have recently adopted new data protection laws with similar rules and principles as the GDPR.”
Are they sure they think the GDPR has been an “overall success"?
The issues raised by the Parliament are all about enforcement. The resolution doesn’t really criticise any provisions in the GDPR—at least not to the extent that they would require amendment.
However, some of the principal issues creating a lack of enforcement are the GDPR’s one-stop-shop and consistency mechanisms. The one-stop-shop mechanism leads to most complaints about firms like Facebook, Google, and Amazon being forwarded to Ireland and Luxembourg—and then going no further.
Last week we looked at the German DPA’s criticisms of Ireland for its lack of action under the one-stop-shop mechanism.
It is notable that both the Commission and the Parliament stopped short of actually recommending that the EU amends these seemingly dysfunctional mechanisms.
Washington Privacy Act Defeats People’s Privacy Act—But Will It Pass?
I know… Another piece about emerging U.S. state privacy laws—but I promise this one is particularly interesting.
On Friday, Washington lawmakers voted on two highly significant privacy laws: the Washington Privacy Act (WPA) and the People’s Privacy Act (PPA).
The WPA is a relatively strong privacy law by U.S. standards, but critics say it’s not strong enough. The PPA was proposed as a more powerful alternative bill.
First, we’ll take a look at the WPA.
Hasn’t Washington been trying to pass this law for a while?
Yes, Washington has been trying to pass state privacy legislation for a few years now.
Pollyanna Sanderson, policy counsel at Future of Privacy Forum, has been watching the WPA’s progress through the state’s legislature very closely. I asked her about the history of the bill.
“This is the third time that the Washington Privacy Act has been introduced in Washington State,” Sanderson told me via email. “Each year, the legislation has become more sophisticated, and has made it further through the legislative body.”
“Last session, the legislation almost passed. After passing out of the Senate, it narrowly failed to pass in the House.”
“At the time, the Attorney General stated that the legislation was ‘unenforceable,’” Sanderson said. “Since then, legislators have worked with the Attorney General to improve enforceability.”
What’s so interesting about this version of the WPA?
Sanderson said the most impressive elements of the proposed law were its “risk assessments, purpose and retention limitations, sophisticated research provisions,” plus the obligation for businesses to obtain opt-in consent before processing sensitive data.
“Moreover,” she said, “the consent language is incredibly strong—prohibiting deceptive user interfaces known as ‘dark patterns.’”
In its current state, the law would include a limited private right of action allowing injunctive relief (i.e., no money) if businesses violate certain provisions. These provisions include the WPA’s consumer rights, anti-discrimination rules, and opt-in consent requirements.
How does the WPA compare to other emerging U.S. state privacy laws?
The WPA compares favorably to America’s two strongest privacy laws—California's CPRA and Virginia's CPDA—in many respects.
“The WPA offers a more attractive model for US privacy legislation than the CPRA,” Sanderson said. “Its framework is more sophisticated, risk-based, and is more comparable to the GDPR.”
Sanderson noted that California’s CPRA “contains an opt-out—the right to limit the use and sharing of sensitive information.” But the WPA’s range of opt-outs is broader, allowing consumers the chance to refuse “sales, risky profiling, and targeted advertising.”
“This provision would overcome a loophole contained in the California law which has enabled targeted advertisers to continue business as usual,” she said.
What about the People’s Privacy Act?
The People’s Privacy Act (PPA) was a stronger proposal for Washington’s privacy law, sponsored by Representative Shelley Kloba and supported by the American Civil Liberties Union (ACLU), among others.
Here’s a tweet from the ACLU’s Jennifer Lee summarising how support is split across the two bills:
You get the idea—the WPA has been drafted with the involvement of industry lobbyists, whereas the PPA is supposedly more of a “grassroots” bill, supported by nonprofits.
Unfortunately for the ACLU and others, the PPA failed to advance this Friday.
So is the PPA better than the WPA?
PPA proponents have been harshly critical of the WPA. Most of this criticism focuses on the WPA’s mostly “opt out” consent provisions, its limited right of action, and the fact that it doesn’t apply to employees or students.
The WPA also offers businesses the opportunity to “cure” violations before being punished for them. The PPA would have only allowed this for the first year.
Do the PPA’s proponents have a point?
I’ve always been slightly taken aback by the strength of feeling from PPA supporters. Looking at the situation from across the Atlantic, the WPA seems like one of the strongest privacy bills with a chance of passing in the U.S.
But perhaps I’m being too pragmatic. The ACLU does some amazing work on privacy, and it’s their prerogative to always push for stronger protections.
So the PPA failed to advance and the WPA advanced… but will the WPA pass?
When I first spoke to Future for Privacy Forum’s Sanderson about the WPA back in January, she said she was “cautiously optimistic” that it would pass. This week, her outlook had changed.
“I am not sure about whether WPA will pass,” she said. “In fact, I am a little pessimistic.”
So perhaps it’ll be “fourth time lucky” for the WPA next year.
Mailchimp Fails Schrems II Test
Using Mailchimp is unlawful in the EU, says the Bavarian DPA.
How did this start?
A German business used MailChimp to send marketing emails. One of the recipients noticed that MailChimp might not be GDPR compliant, and made a complaint to the Bavarian DPA (BayLDA).
What was the alleged problem with MailChimp?
MailChimp is a U.S. company that uses standard contractual clauses (SCCs) to facilitate transfers of personal data from EU-based controllers to the U.S.
Since the Schrems II judgment invalidated the EU-U.S. “Privacy Shield” framework, SCCs are basically the only option for most companies wishing to transfer EU personal data to the U.S.
The complainant alleged that their personal data was not properly safeguarded by the arrangement between the German business and MailChimp.
Even though the transfer to MailChimp used SCCs?
That’s right. While Schrems II found that SCCs—unlike Privacy Shield—are still valid, that doesn’t mean they will always be enough to safeguard personal data subject to a third-country transfer.
As noted by the EDPB, controllers are expected to assess third-country transfers on a case-by-case basis to ensure SCCs are sufficient. If not, it might be necessary to take supplementary measures to protect personal data against interference.
So SCCs weren’t good enough in this case?
No. Particularly because MailChimp might be an “electronic communication service provider” under U.S. law.
What’s an electronic communication service provider?
Under U.S. law—in particular, a surveillance law known as FISA 702—an electronic communication service providers include cloud service providers, ISPs, and email providers
These companies are particularly vulnerable to interference from the U.S. government. This means they might be forced to allow government access to EU data subjects’ personal data.
Without supplementary measures designed to mitigate this possibility (NB: it’s not clear that such measures actually exist), the DPA said that the agreement between the German business and MailChimp was unlawful under Article 44 of the GDPR.
The controller had not properly assessed the risk, and therefore had not taken any supplementary measures to safeguard the personal data.
What happens now?
There has been relatively little coverage of this case, but it seems that MailChimp might no longer be a viable data processor for EU controllers.
This is one of the more significant implementations of the Schrems II judgment, along with the Doctolib decision, which I covered last week. It seems obvious that we’ll see more and more cases like this.
However, the U.S and EU announced on Thursday that they would be “intensifying” Privacy Shield negotiations. There appears to be a clear willingness to engage on this issue.
But it remains to be seen whether the U.S. will be willing to budge on its surveillance legislation—or whether the European Commission will be able to find a solution that will stick (unlike the last two).
Is Facebook ‘Wiretapping’ Via Its ‘Like’ Button?
Facebook is facing a gigantic lawsuit accusing the company of violating a 1968 wiretapping law. Wiretapping sounds a little clandestine even for Facebook… What’s the deal?
Here’s the background
Facebook is facing a $15 billion class-action in the U.S. from people who allege it illegally tracked its users outside of Facebook between April 2010 and September 2011.
Facebook asked the Supreme Court to dismiss the case, but this week, the Supreme Court refused.
What’s the case about?
The central claim is that Facebook used its “Like” button to track its users outside of Facebook, even when they’re not logged in. The plaintiffs say this violates a U.S. law known as the Wiretap Act.
Wiretapping? That doesn’t sound relevant to Facebook’s “Like” button
The Wiretap Act was first enacted in 1968 and recast in 1986 to include reference to “electronic communications”. It’s actually a little bit like the EU’s ePrivacy Directive.
The Act prohibits the interception of communications by someone who is not party to the communication, i.e., someone who is eavesdropping.
Again, what does this have to do with the “Like” button?
Facebook’s Like button is all over the web and allows users to “like” content on external websites.
But the Like button, in combination with Facebook’s cookies, also collects data about people—even if they don’t use the button, and even if they aren’t logged into Facebook.
Facebook used this data to—you guessed it—target ads (Facebook says it no longer uses the data of logged-out users for this purpose).
The company even tracked non-Facebook users in some cases—but said it used this data is not used for advertising purposes.
Has anyone tried to stop Facebook from doing this before?
Yes, lots of times. In fact, this Wiretap Act case came before a U.S. federal judge in 2017, but it was dismissed because the plaintiffs failed to demonstrate that they had a “reasonable expectation of privacy” or that they suffered an economic loss.
The Like button is more controversial than many people realise, having triggered complaints in Canada, Germany, and Belgium, among other places.
Did any of those complaints work?
No. The Belgian DPA initially imposed a fine on Facebook, but the company appealed and won.
The Belgian DPA was found not to have jurisdiction over Facebook, whose EU headquarters is in Ireland. And, if as we know, Ireland is the place Facebook investigations go to die.
Will Facebook win this time?
This is a highly significant case, but it’s very hard to say whether the plaintiffs will succeed.
In defence of the Wiretap Act claims, Facebook says that it is not “eavesdropping” on the communication between visitors and the non-Facebook websites that they visit because it is party to the communication.
On the face of it, this argument seems difficult to sustain given that the user might not even be aware of the presence of a Like button on its website—however, there are some interesting legal precedents in this area.
Either way, the Supreme Court’s decision to allow the case to proceed will offer greater clarity on the Wiretap Act and its relationship with online advertising. The law might transpire to be a suitable stopgap until the U.S. develops a federal privacy law (if ever).
If you want to go deeper into these issues, I strongly recommend this Lawfare blog by Erik Manukyan, written after the Ninth Circuit Court revived this case last year.
Recommended Reading
Is online advertising about to crash, just like the property market did in 2008? | John Naughton | The Guardian
“Here’s a disturbing thought for those of us who are critics of the tech industry: are we unduly credulous about the capabilities of the technology as extolled by the companies and their paid evangelists? Did clever exploitation of social media really lead to the election of Trump and the Brexit vote in 2016, for example?
At one level, the answer to that has to be ‘no’…”
This short piece for The Guardian suggests that targeted advertising—the industry that is powering a huge section of the economy and has amassed exabytes of data about billions of people—is all hype.
Lots of people have been saying this for a long time, of course—and Naughton’s article provides a good jumping-off point if you find this argument intriguing.
How to bring GDPR into the digital age | Axel Voss | Politico
“On the one hand, the legislation has been a clear win for Brussels: By setting data protection rules and levelling the global playing field, the European Union can claim to be a rulemaker rather than a ruletaker when it comes to protecting private information online.
On the other, its implementation has been a huge headache for the average business, organization and citizen. But most importantly, the GDPR is seriously hampering the EU’s capacity to develop new technology and desperately needed digital solutions, for instance in the realm of e-governance and health.”
Did you find yourself shaking your head in disagreement while reading the European Parliament’s unrelenting praise of the GDPR?
If so, you should get to know Axel Voss, an insider-critic of the GDPR. He has many ideas about how the EU should be amending the regulation. (Note: Voss isn’t the “father of the GDPR”, as many outlets wrongly characterised him this month.)
I’m not necessarily endorsing this article, but I do think it’s important to understand this perspective. Outside of my Twitter and LinkedIn bubbles, there are many people who like the GDPR less than I do.