Parliament Clock
Posted by Tim Walters (The Content Advisory) September 11, 2018

The GDPR’s Regulatory Bears Are Stirring – And They’re Not Happy About Your Half-Assed Compliance Efforts

The article in the Washington Post on 14 August is titled “Big Tech Is Still Violating Your Privacy.” At first, you might think this is just another privacy advocate (say, me) complaining that not that much has changed since the GDPR came into effect – except for even more numerous and irritating cookie banners, many of which invite you to hit the prominent ACCEPT button or plunge into a rabbit hole to “see your options.”

Facebook Please accept our updated Terms to continue using Facebook
From facebook.com, accessed May 2, 2018

The Silence of the Shepherds

Still, over three months after the GDPR took effect, the big surprise isn’t that so many companies are trying to preserve the status quo with manifestly inadequate consent requests (as analyzed in my June post for this blog). It’s rather that the data protection authorities charged with enforcing the GDPR (such as the ICO in the UK and the CNIL in France) have – to the best of my knowledge – remained disturbingly silent and seemingly indifferent to these egregious violations. It’s as if a hockey-style fist fight broke out on center court at the US Open while the chair umpire just sat calmly scrolling through her phone. What’s the point of introducing new data protection rules if they’re not going to be enforced?

Look Who’s Talking

But then you notice that the article is authored by Giovanni Buttarelli – a name you may not recognize yet, but if you have anything to do with data protection and privacy, you’ll hear a lot about in the future. As the editors helpfully point out,

Giovanni Buttarelli is sometimes called Mr. GDPR

When Mr. GDPR takes to a prominent global news platform like the Washington Post to complain that companies are not complying with the GDPR . . . it literally pays to listen.

The Case for the Prosecution

In explain-it-like-I’m-five style, Buttarelli first lays out the GDPR’s requirements for “lawful” processing of personal data. Informed and freely given consent is one lawful ground. Another is legitimate interest – but Buttarelli stresses that firms must be careful to respect its limits. Appealing to a favored example among the data protection authorities, he points out that a pizza parlor that delivers to your home may have a legitimate interest in mailing you promotions. (That is, reusing personal data – your address – that they collected in order to make the delivery.) But they cannot use legitimate interest to share your personal data with “partners,” such as the neighboring juice shop. (Thus suggesting that the ad industry’s effort to justify massive sharing of personal data across the digital advertising ecosystem via legitimate interest is not valid under the GDPR.)

Contracts are another lawful basis for data processing. When you make a purchase, you enter into a contract that typically requires the seller to collect personal data such as name, credit card details, etc. But here again, Buttarelli stresses that contracts should not be abused:

We've all faced the pop-up window that gives us the option of clicking a brightly colored button to simply accept the terms

If Buttarelli’s description of that pop-up window doesn’t seem familiar, please look again at the above screenshot. Indeed, when he speaks of “some major companies” offering (illegitimate) “take-it-or-leave-it-contracts,” it seems obvious that he is talking about – and to – Facebook and Google. The article could well have been titled “An Open Letter to Mark and Sundar.”

“Clearly, Abuse Has Become the Norm”

In short, Buttarelli explains the limits that the GDPR places on legitimate interest and contracts, then accuses companies of abusing those limits in order to avoid asking for consent in a fully transparent and compliant manner. “Clearly,” he concludes, “abuse has become the norm.” And he adds, “The aim of the EU data protection agency that I lead is to stop it.”

The message is obvious: You guys are out of line . . . and we’re not going to let you get away with it. Buttarelli goes on to note that “over 30” alleged violations are currently under investigation across the EU. He specifically mentions the high-profile cases that Max Schrem’s NOYB filed on 25 May against Facebook, Google, WhatsApp, and Instagram. In the context of this article, that amounts in my view to an endorsement of Schrem’s claim that these firms are forcing consent in violation of the GDPR.

Offer Carrots – But Keep A Big Stick Handy

Most ominously for the (alleged) violators, Buttarelli states that when the first judgements are made (“before the end of the year”), “Regulators will use the full range of their enforcement powers to address abuses, including issuing fines.” This torpedoes the belief that the authorities will initially issue warnings in order to give firms a chance to reform and comply. Indeed, in the hype and hysteria leading up to the enforcement deadline, the ICO’s Elizabeth Denham felt compelled to address the “myth” that regulators would cripple businesses with massive fines. “We have always preferred the carrot to the stick.”

Sure. But Buttarelli seems to acknowledge that when faced with recidivist data carnivores – i.e., those companies whose business model is predicated on surveillance capitalism, and who treat any restriction in data access as an existential threat – the stick is the only effective measure.

That Thing Churchill Said

To be honest, I had begun to despair that the EU regulators – through lack of resources, if not lack of will – were going to lay down and allow the deficient consent notices as an acceptable compromise – in effect, instituting abuse as the new norm. I should have known better, since that reaction (or non-action) would controvert not only the GDPR but previous regulatory guidance and nearly all existing EU-level court decisions – as well as everything I’ve heard stated directly by a data protection authority.

Buttarelli closes his article with a look ahead. In the short term, this concerns the ePrivacy Regulation (ePR), “which will stop companies snooping on private communications.” He also notes (as I did in July’s post) that the GDPR is going global, with similar legislation approved or proposed in Brazil, India, Indonesia, California, etc.

Longer term, Buttarelli envisions a “post-GDPR future,” with an ethical consensus on data processing, a (re)decentralized internet, and a “fairer allocation of the digital dividend.” Measured against that vision, enforcing genuine consent on recalcitrant data abuses is not the end, nor perhaps even the end of the beginning. But at least it is happening.

Tim Walters, Ph.D., Privacy Lead at The Content Advisory