This week, the European Commission published the long-awaited GDRP evaluation 2020: a 17-page document filled with limited criticism, supported by a press release that trumpets: 'Commission report: EU data protection rules empower citizens and are fit for the digital age'.
This GDPR-evaluation was accompanied by a lousy fact-sheet that, according to the Commission, contains a 'success-story': almost 800 fines were imposed by the 28 national data protection authorities between May 2018 and November 2019 - when the European civil service apparently already had to complete the evaluation. The Q&A offers a ‘premature conclusion’: '[t]wo years after its entry into application, the GDPR has been an overall success, meeting many of the expectations, even if a number of areas for future improvement have also been identified.'
The Commission’s spokesperson in Brussels admits there is no official 2020 independent audit report of the effects of the new GDPR. The following questions remain unanswered: did the new directive really improve the privacy of European citizens? Or is the legislation mainly a lucrative business model for privacy lawyers?
Not much privacy concern
The factual report is partly based on a Fundamental Rights Survey (Survey), conducted by the EU Agency for Fundamental Rights (FRA). This Survey was carried out by the statistical offices of the Netherlands (CBS), Luxembourg and Austria among 26,000 citizens in the Member States of which 20,000 are internet users.
Of those surveyed, 69 per cent said they had heard about the GDPR, varying from 38 percent in Estonia up to 79 percent in Poland. About 71 percent of the EU-27 citizens said they know about (have heard of) their national authority for data protection (DPA); from 44 percent in Belgium (and 35 percent in the UK) up to 90 percent in the Czech Republic.
The biggest problem with this study is that people were asked for their opinions instead of the actual protection of their data pursuant to the GDPR. The questions covered people’s willingness to share data with state institutions and companies, however, people were not asked whether the current regime allows to sufficiently limit the sharing of personal data. Furthermore, the survey included questions about people’s degree of concern on privacy issues, but not about their behaviour to protect privacy.
Nevertheless, the most interesting outcome is that people are not really that much concerned about access to their data by third parties. Only 31 percent of the people that were interviewed tend to be concerned about access to information without knowledge or permission by advertisers and businesses, 30 percent about access by foreign governments, 26 percent by their own country’s intelligence services. Only 20 percent is concerned that their personal data is (mis)used by their own government, and 17 percent by law enforcement agencies or employers using their data. These outcomes challenge the broad need for a GDPR.
Rights not used
Half of the citizens which participated in the survey indicated that they are not aware of the right to access processed personal data at companies and 40 percent do not know that they have this right at government agencies (Article 15 GDPR).
The survey does not indicate the frequency with which the access right is used , but you can assume that this is less than 1 percent since companies report they hardly ever get these requests. In addition, nothing at all is reported about the use of the important deletion rights (art. 17), also called the ‘right to be forgotten’, although it encompasses more than the right to be deleted from the Google-index with presumably damaging information. Certainly nothing is reported about the use of the right to ask for a copy of the collected personal data to be transferred to another (competing) provider, the right of portability (art. 20). This is likely 0 percent, because it is simply not possible to transfer personal information between platforms, (except for taking your photos from Facebook tot Google Photos.)
The Survey contained a question about the kind of data which people would want to share and with which kind of organizations. However, these questions are not relevant if you want to know if GDPR legislation works. What matters is whether people use their rights and whether data processing by companies is really affected by the GDPR requirements.
PR campaign is effective
The lack of transparency and neutrality concerning the GDPR-evaluation by the Commission is particularly striking. Not only a good audit report from an independent body is lacking, but the identity of the evaluators and the methodology used it is also unclear. The report states that, for its evaluation, the Commission could rely on the contributions of the European Council, the European Parliament and the European Data Protection Board, the national regulators, and the Multistakeholder Expert Group. Except for the latter, these were all involved in the establishment of the GDPR.
The Commission’s approach seems to work. Media all over Europe report that the GDPR is doing reasonably well, sometimes mentioning scarce critical notes such as too little manpower among supervisors - also a point of lobbying, because the EU wants member states to invest more money in supervision. Another point of criticism: European coordination is inadequate.
Even the EU itself acknowledges that the approach to corporate groups is not smooth: 'Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest.’
And the Commission is silent on one of the most important elements of the GDPR: the granting of permission by individuals to companies to process personal data, or use of cookies on our equipment. Still, privacy statements are not read, and most people give their permission to get rid of the hassle and go to a site quickly. The Survey results on this point are telling: ‘Overall, only one in five respondents in the EU says they always read the terms and conditions when using online services (22 %). 44 % read them sometimes and 33 % do not read the terms and conditions (1 % don’t know).’ Maybe those 22 percent of the respondents themselves believe they always read privacy statements. They should have a second life to find the time to do so.
Access does not work
About 130 organisations and individuals sent their feedback and comments to the EU evaluation group. One of them wasDutch privacy expert Simon Hania, who clearly stated: '... it becomes clear that the promise of GDPR to deliver on the right to data protection founded on unity in diversity has resulted in stagnation in bureaucracy. This to me seems a systemic issue to which politicians, policy makers and the supervisory authorities need to respond to swiftly with determination and courage in order to not undermine confidence in the rule of law and institutions that uphold it.'
Systematic criticism comes form a joint evaluation of the University of Amsterdam, the Free University of Brussels, and the Catholic University of Leuven. This is a fundamental report that focuses on access to stored personal data by citizens, because this right is not just essential for enabling citizens to exercise their GDPR rights, it also plays a pivotal role in collective efforts to overcome information asymmetries. The researchers reported about 25 practical requests for a copy of stored personal information at companies, some of which well-known like the case of French writer Judith Duportail and the 800 pages of her personal information with Tinder. Researchers draw the conclusion that companies structurally fail to fully comply with access requests, while the enforcement by data protection authorities remains weak. They operate slowly and ineffectively while their cross-border cooperation is severely substandard, and they all have different approaches.
According to the three universities, data protection will only become meaningful if the many parties involved work well together and give citizens the idea that it makes sense to exercise their rights. The GDPR has not (yet) achieved this.
Another academic research organisation, the Centre for Information Policy Leadership (CIPL) in the UK, stated that it believes that the current challenges can be resolved by the Commission, the EDPB and DPAs using the existing institutional and regulatory mechanisms and their wide interpretative powers. The recent Covid-19 Crisis proves ‘…the need for progressive GDPR interpretation while confirming the enormous potential of data in helping to address this worldwide crisis. This ever-changing environment and the promises of beneficial data uses call for a shift in the approach to leverage the GDPR provisions to their fullest extent going forward.’