European officials are introducing a new oversight process to monitor major data-privacy investigations following criticism of the glacial pace of enforcement, particularly against multinational tech firms.
Regulators that handle large-scale cases affecting people in more than one European Union country will need to report on their progress every other month to the European Commission, the EU’s executive arm. The commission disclosed the new procedure in response to a complaint alleging that the commission itself had violated EU law by not properly overseeing the Irish privacy regulator.
“The law is nothing if it’s not enforced,” said a senior fellow at the nonprofit Irish Council for Civil Liberties, which in 2021 filed the complaint to the commission and the European Ombudsman, the watchdog body for EU institutions. “The authorities cannot now leave cases dangling in a timeless limbo,” he added.
Discontent among European regulators has been brewing since the General Data Protection Regulation, the EU’s strict data-privacy and security law, took effect in 2018. Some authorities have publicly criticized their counterparts for taking too long to dig into high-profile cases, with some even proposing revising the GDPR so major, large-scale investigations aren’t handled by one office alone. Under the new oversight process, regulators will provide the commission with detail on procedural and other steps they have taken in any big investigations, and when.
It took four-and-a-half years for the Irish regulator to issue a decision in January in an advertising privacy case against Meta Platforms Inc., fining it $414 million for GDPR violations related to ad-tracking programs. The case began with a complaint from an Austrian privacy lawyer, filed on May 25, 2018, the day the law took effect. Meta has said it would appeal.
Other investigations have been protracted, including one against Meta’s WhatsApp that took nearly three years, culminating in a $270 million fine in 2021, and another against Meta’s Instagram, resulting in a $402 million fine last year after a two-year probe. One still-unresolved complaint over location-tracking by Google, owned by
was filed in November 2018.
Oversight by the European Commission will reveal if there are recurring problems that cause bottlenecks, Mr. Ryan said. Regulators share details of their large investigations with the board of their European counterparts, but until now haven’t been forced to disclose specific information on their progress to the commission, which said it would publish reports on the data it receives, he said.
Regulators in other European countries have criticized elements of GDPR’s enforcement system. Under the law, the regulator in the country where a company has its EU headquarters is responsible for oversight of the company throughout all the EU’s 27 countries. Meta, Alphabet, Twitter Inc. and other multinationals have their main European offices in Ireland.
Since 2018, the Irish regulator has received thousands of complaints—3,419 in 2021 alone, according to its last annual report. To cope, the office increased its staff to around 258 by the end of last year, from 110 in 2018, the government said last year. For 2023, the office’s budget was raised to 26 million euros, around $28 million, to hire two more commissioners and other employees.
Long delays lead to drawn-out violations of individual privacy as companies are free to continue their business practices as investigations play out, said Maryant Fernández Pérez, senior digital policy officer at the European Consumer Organization, a Brussels-based nonprofit. The advocacy group filed the 2018 complaint against Google for location-tracking.
The commission’s pledge to gather data on weighty investigations is a good step, Ms. Fernández Pérez said, but “it’s not the solution for all the problems we see.” Changes to strengthen complainants’ rights by harmonizing procedures across EU countries, for example, should be included in a coming initiative the commission has said it would work on this year, she said.
For companies under scrutiny by European privacy regulators, cases bring confusion when there isn’t clear guidance even after a ruling, said vice president and chief knowledge officer of the International Association of Privacy Professionals.
Companies want a road map on how to deal with certain privacy issues after a regulator issues a decision. But it isn’t always clear, in part because regulators disagree, courts may overturn a decision and companies may appeal rulings, Ms. Fennessy said.
“What they are anxious about is uncertainty,” she said.
Write to Catherine Stupp at firstname.lastname@example.org
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.