Parmy Olson

The EU Is About to Take a Bigger Stick to Big Tech

It’s well established that the European Union has some of the strictest privacy laws in the world, threatening fines of up to 4% of a company’s annual turnover. A lesser-known fact, and one which large tech firms would like to keep quiet, is that the EU hasn’t enforced those rules very strictly.

Since introducing its landmark privacy law known as General Data Protection Regulation (GDPR) in 2018, the EU has delegated the job of policing Big Tech to the nations where the firms have their European headquarters. That puts enormous pressure on countries like Ireland, which hosts several large internet firms that have frequently been accused of flouting privacy law, including Meta Platforms Inc. Ireland has issued roughly 1 billion euros ($1.1 billion) worth of fines against Meta alone in the past five months, but the penalties took years to come about and, in the latest case, Ireland was forced by its European peers to significantly raise it. Ireland has long been a bottleneck for the EU’s enforcement because of the slow pace with which it has processed cases and its relatively business-friendly interpretation of GDPR rules.

But that could well change now that the EU’s executive arm, the European Commission, will require each nation to share an overview of its data-protection investigations six times a year. A country’s regulator will also have to give the Commission an overview of all its large-scale cross-border investigations under GDPR including, critically, all key procedural steps taken with each case, and all investigatory or other measures taken, along with dates for each of these steps and measures, according to a document detailing the Commission’s response to suggestions from the European Ombudsman, seen by Bloomberg Opinion. It signals a toughening stance on privacy, holding the regulators themselves to account for investigating companies properly.

While the Commission does issue a report every two years or so on the general state of GDPR enforcement, the executive arm has not deeply scrutinized the work of each nation’s privacy regulator in such a formal or systemic way. In theory, if national watchdogs don’t comply with the new requirement for information, that nation’s government could face legal action at the European Court of Justice. The privacy regulators have never had their feet held to the fire quite like this.

Ireland, the Netherlands, Luxembourg and France are countries for whom this change is most important. Ireland hosts the largest number of tech firms on its shores, while Uber Technologies Inc. is in the Netherlands, Inc. in Luxembourg and Criteo SA, one of the world’s largest online advertising firms, is in France.

The change appears to be the result of a complaint made to the European Ombudsman by the Irish Council for Civil Liberties, a human rights group that has lodged several objections with the EU about how Ireland’s privacy watchdog has dealt with Facebook.

“Previously you had cases lying dormant for years and privacy law not being applied,” says Johnny Ryan, a senior fellow at the ICCL. “This heralds the beginning of true enforcement, and that means serious European enforcement against Big Tech.”

The EU’s one-stop-shop mechanism, which is bureaucrat-speak for making a single country responsible for policing tech firms, has put privacy advocates in the unusual position of lodging complaints not just against companies but against the regulators themselves for not being strict enough. Austrian privacy campaigner Max Schrems has suggested he’ll take action against Luxembourg’s privacy watchdog because of the long wait over a complaint about Amazon, which has been accused of exposing user information to potential breaches and exploitation.

The European Ombudsman, which investigates administrative complaints about the EU, confirmed it had been told by the European Commission that it would increase its scrutiny of national watchdogs.

Ireland’s Data Protection Commission has argued that its cases take a long time because they are complex, and that while it is inundated with cases with the myriad tech companies under its jurisdiction, it has resolved hundreds of cross-border complaints over the last four years.

But the European Court of Justice has also called out the Irish watchdog for “persistent administrative inertia.” And earlier this month the regulator was forced by Europe’s Data Protection Board to substantially increase a fine against Meta over illegal data processing, from 28 million euros to 390 million euros, after it initially sided with Meta on several aspects of the original complaint which came from Schrems.

With the Commission checking each regulator’s homework, the watchdogs will be forced to work harder and avoid stalling: any years-long delays between the lodging of a complaint and the opening of an inquiry will be in full view of the EU mothership, as will many months passing between rounds of correspondence about a case, or complaints leading to no investigation at all.

The one drawback to this development is that the Commission won’t do its audits in the open; all the information that national privacy regulators share will be kept “strictly confidential.”

Till then we’ll have to make do with what is still a step in the right direction. The renewed scrutiny won’t be public, but at least it will be happening.