Effective implementation of the General Data Protection Regulation (GDPR) will hinge on the cooperation between EU data protection authorities (DPAs) and industry. Yet the newly defined roles and obligations of DPAs, the lack of resources to guide companies, and complex procedures make such cooperation difficult. Unless EU policymakers clarify and adjust the GDPR, these barriers to cooperation will negatively affect business efficiency and consumer protection.
The primary challenge to effective cooperation is the DPAs’ dual role as both enforcer of the law and advisor to industry. DPAs are vested with investigative and corrective powers to ensure enforcement of the GDPR. These powers include the ability to suspend data transfers, order the erasure of data, and impose fines of up to €20 million or 4 percent of a company’s worldwide annual turnover, whichever is greater. Moreover, companies may suffer serious reputational damage if a DPA finds them to be non-compliant. Alongside this enforcement power, DPAs also have a statutory advisory role: they provide non-binding guidance on the interpretation of the law to companies, publish expert advice on data protection issues, and develop tools that help businesses understand their obligations.
Wearing these two hats complicates cooperation and ultimately undermines consumer protection. For example, the DPAs of the German states of Lower Saxony and Bavaria recently announced their intention to audit randomly selected companies’ compliance with the GDPR. Companies will have to complete a questionnaire containing a number of precise questions about the technical and organizational measures in place for personal data processing. The declared purpose is to raise awareness among companies, identify room for improvement, and provide them with further guidance and support. But these audits may very well identify cases of non-compliance, followed by enforcement measures and, likely, fines. The audits will certainly galvanize firms to take some kind of action, but that action will likely focus on avoiding fines rather than on the harder question of how to change the design of their products so as to improve data protection for their customers.
A second roadblock to cooperation is that DPAs lack adequate resources. Ill-equipped and understaffed, DPAs are overwhelmed by companies’ questions, many of which remain unanswered. This under-resourcing prevents DPAs from providing efficient guidance, and without quick responses, businesses moving through rapid development cycles cannot effectively collaborate with regulators.
Some of the delay on the DPAs’ side is by design. Under the procedures triggered by the consistency mechanism, a complex process the GDPR creates to harmonize decisions made by DPAs across member states, the European Data Protection Board (EDPB) may be notified in some cases and then has 8 to 14 weeks to produce an opinion on the data processing in question. In practice, the EDPB will likely have to deal with many more requests from concerned DPAs than anticipated. For example, firms must provide privacy notices to users in clear, concise, and simple language, and data protection professionals have raised concerns about the consistency of approach and interpretation across member states and their DPAs, as well as about how consent is to be obtained and managed. In addition, companies have no voice in this mechanism, which again undermines cooperation. Unable to obtain timely endorsement, companies may also face the financial consequences of delays in their planning.
Ironically, the GDPR was supposed to reduce red tape for companies, but instead it has introduced many new regulatory complexities. And unfortunately, EU policymakers did not fully anticipate how best to organize the new relationship between DPAs and industry under the GDPR. Yet efficient collaboration is possible. To overcome the challenges created by the DPAs’ dual role, EU policymakers should take several actions. They should strengthen and emphasize the role of DPAs as collaborators that raise awareness among companies and support a better framework for the governance of data protection. For example, companies could refer exclusively to the advisory side of a DPA for guidance, through a legally binding process that would ensure they cannot be exposed to enforcement actions such as fines as a result. Companies would then share information and seek help more freely. Furthermore, policymakers should formalize industry’s involvement with the DPAs in early discussions about guidance and give it a role in providing input to the consistency mechanism. Feedback from companies before DPAs issue guidelines would allow for better resource allocation and help avoid misunderstandings, because it would set expectations for how DPAs will enforce the GDPR.
The purpose of the GDPR is not to punish EU businesses; it is to better protect the privacy of EU residents. But that goal will not be realized if companies are unable to get accurate and timely guidance from DPAs. As such, efforts by policymakers to ensure efficient cooperation between DPAs and industry will benefit both European businesses and residents.
Image credit: Vodafone Institute