from the if-even-the-bureaucrats-are-not-compliant… department
We have been highlighting issues with the data protection regime in the EU for years, primarily the GDPR, but also other aspects. The idea behind it – that people have a right to have their data protected – might sound sensible and logical, but in practice it’s usually a complete mess*, which has probably caused far more harm than it solves. We recently wrote about the startling news that the EU’s top data protection officer finally admitted that the GDPR has really not worked as intended, which was so surprising because EU “data protection” experts have found it important to uphold the myth that the GDPR has been a success.
Of course, rather than acknowledging that it’s the whole GDPR framework that’s the problem, the official insisted that the real problem was that data protection authorities were not enforcing it sufficiently. Basically, “it’s not the law that’s bad, it’s the fact that we haven’t punished more companies.” That logic might make sense if the real problem were that companies don’t really care how they use our data (which may be true in some cases, but actually seems a lot rarer than most people think).
But this belief that more enforcement is the answer starts to look a lot more questionable when the real problem might be that the GDPR rules and framework are impossible to comply with.
And, just to put an exclamation mark on that, the European Commission itself has now been sued for breaching its data protection rules. It’s not technically GDPR, as (of course) the Commission is exempt from the GDPR itself, but it has other, mostly similar, data protection rules that it must follow.
The dispute concerns the website of the Conference on the Future of Europe, a conference intended to engage EU citizens in deciding the future of the bloc and its member states.
Amazon Web Services hosts the website, so when registering for the event, personal data such as IP addresses is transferred to the United States.
In addition, the Commission’s website also allows users to log in via their Facebook accounts. US-based social media has also been challenged for unlawfully transferring personal data to the US, and a complaint in this regard is currently being investigated by the Irish Data Protection Commissioner.
As the European Commission is the operator of the website, the complainant submitted two requests for information on how personal data is processed. According to the lawsuit, one of the requests was not fully answered and the other was not answered at all, in violation of the right to information under data protection law.
There are a few things to comment on here. Firstly, the underlying problem is the failure of successive EU/US agreements on data sharing and transfer, which, as we have noted, really has only one problem at its core: internet spying by the NSA. The United States could solve all of this by stopping such overly intrusive mass surveillance, but instead it has essentially left the American internet sector to take the blame, claiming that the real problem lies with its data protection practices (which are often much better than those of any other industry).
But, as it stands, it is effectively a violation of European data protection laws to use the most widely used American internet services.
The second, more important point is that it shows (again) that the problem is not necessarily the lack of enforcement, but rather the ridiculous nature of the framework, in which no one can actually follow the rules in a reasonable way. Not even the European Commission itself.
And this isn’t the first time this kind of thing has been reported. Shortly after the GDPR came into force, people noticed that the European Parliament’s own website was probably breaking the law.
That should get people to recognize that maybe the framework we have here is bad. The problem is not that we need more fines and more aggressive enforcement, because all of this only increases the compliance costs of a system that is impossible to fully comply with, no matter what anyone does. And larger companies can easily pay these fines.
For everyone else: you’re basically screwed. Anyone who wants to cause problems for virtually anyone with a website in the EU can find a way in which a website is non-compliant and then create a huge problem for them.
Should we find better ways for people to keep their data safe and secure from abuse? Absolutely. Is the answer to create a cumbersome, impossible-to-follow system of confusing laws that forces expensive lawyers to constantly give you noncommittal answers on how to minimize your risk? It doesn’t look like it. Is the answer to ensure that no one in the EU can actually use useful online services? It doesn’t look like it either.
There must be a better way. But, rather than looking for the best way, so many people seem content to assume that this is the way things should be done: by creating ridiculously complex laws that basically make it legally risky to have a website. And, of course, it spreads. In many ways, California’s privacy law is modeled on a framework similar to the GDPR and has already created havoc for California businesses. And other states are looking to do the same.
The very fact that the European Commission itself cannot comply should be seen as a flashing warning sign that the problem is within the law.
* For what it’s worth, every time I write about the GDPR, EU “data protection” experts get mad at me. But no one has ever been able to explain why this setup makes sense, or how whatever benefits they insist result from this regime outweigh the very obvious problems (which they rarely seem willing to recognize).
Filed Under: compliance, data protection, eu, eu commission, gdpr, privacy shield