Brave accuses European governments of GDPR resourcing failure


Image Credits: cnythzl / Getty Images

Brave, a maker of a pro-privacy browser, has lodged complaints with the European Commission against 27 EU Member States for under resourcing their national data protection watchdogs.

It’s asking the European Union’s executive body to launch an infringement procedure against Member State governments, and even refer them to the bloc’s top court, the European Court of Justice, if necessary.

“Article 52(4) of the GPDR [General Data Protection Regulation] requires that national governments give DPAs the human and financial resources necessary to perform their tasks,” it notes in a press release.

Brave has compiled a report to back up the complaints — in which it chronicles a drastic shortage of tech expertise and budget resource among Europe’s privacy agencies to enforce the region’s data protection framework.

Lack of proper resource to ensure the regulation’s teeth are able to clamp down on bad behavior — as the law drafters’ intended — has been a long standing concern.

In the Irish data watchdog’s annual report in February — AKA the agency that regulates most of big tech in Europe — the lack of any decisions in major cross-border cases against a roll-call of tech giants loomed large, despite plenty of worthy filler, with reams of stats included to illustrate the massive case load of complaints the agency is now dealing with.

Ireland’s decelerating budget and headcount in the face of rising numbers of GDPR complaints is a key concern highlighted by Brave’s report.

Per the report, half of EU data protection agencies have what it dubs a small budget (sub €5M), while only five of Europe’s 28 national GDPR enforcers have more than 10 “tech specialists”, as it describes them.

“Almost a third of the EU’s tech specialists work for one of Germany’s Länder (regional) or federal DPAs,” it warns. “All other EU countries are far behind Germany.”

“Europe’s GDPR enforcers do not have the capacity to investigate Big Tech,” is its top-line conclusion.

“If the GDPR is at risk of failing, the fault lies with national governments, not with the data protection authorities,” said Dr Johnny Ryan, Brave’s chief policy & industry relations officer, in a statement. “Robust, adversarial enforcement is essential. GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals. But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”

It’s worth noting that Brave is not without its own commercial interest here. It absolutely has skin in the game, as a provider of privacy-sensitive adtech.

Ryan has also been a key instigator of a number of strategic GDPR complaints — such as those filed against certain widespread adtech industry practices. Enforcement against programmatic advertisement’s use of real-time bidding would very likely be of commercial benefit to Brave, given its engineered to operate a different model.

But such commercial interest in robust and active GDPR enforcement doesn’t undermine Brave’s core beef: regulatory inaction is linked to DPA under-resourcing.

Indeed, the UK’s ICO has itself, er, blogged multiple times about the systemic problem of unlawful adtech — repeatedly calling for the industry to reform. But not actually doing anything when it doesn’t.

Behavioural advertising is out of control, warns UK watchdog

It’s just this sort of “soft soap” from regulators — words, instead of firm GDPR enforcement — that’s in Brave’s sights. Nor is it alone in complaining about the lack of GDPR “bite;” independent privacy campaigns and researchers have dubbed ongoing regulatory inaction as a “disastrous” failure that’s undermining the rule of law.

We reached out to the Irish Data Protection Commission, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS) and the European Commission for comment on Brave’s report and to ask whether they believe GDPR is functioning as intended.

A major milestone is looming with the regulation’s two-year birthday falling next month, which will be concentrating minds within EU institutions.

A spokesman for the EDPS pointed us to this joint document with the EDPB, which was adopted in mid February, ahead of this wider evaluation process for GDPR.

In a section of the document on enforcement, the assessment finds “increased attention and effort toward enforcement of data protection laws by most SAs” [supervisory authorities], with the EDPB noting that: “The new enforcement tools provided by the GDPR and the SAs made use of a wide range of corrective measures, i.e. not only administrative fines but also warnings and reprimands”.

On fines specifically, the evaluation notes that between May 25, 2018 and November 30, 2019, a total of 22 EU/EEA data protection agencies made use of this corrective power — with 785 fines issued overall (although around 110 of which relate to infringements that predate GDPR coming into force).  

“Only 8 SAs have not imposed any administrative fine yet although most of them have ongoing proceedings that might lead to imposing an administrative fine in the near future,” they further note.

In terms of what fines have been issued for, the write that most related to principles relating to processing of personal data (Art. 5 GDPR); lawfulness of processing (Art. 6 GDPR); valid consent (Art. 7 GDPR); processing of special categories of personal data (Art. 9 GDPR); transparency and rights of the data subjects (Art. 12 to 22 GDPR); security of processing and data breaches (Art. 32 to 34 GDPR).

We’ll update this report with any other responses to Brave’s report. We’ve also asked the Commission if it will be instigating infringement proceedings against any Member States.

As noted above, the Commission will publish a review of GDPR next month, as the regulation reaches its second anniversary. And while plenty of compliance activity is undoubtedly taking place, away from flashy headlines — such as data impact assessments and accelerated data breach notifications — which will be provide plenty of filler for the looming Commission report, the biggest ongoing criticism attached to GDPR is the lack of perceived action over major cross-border complaints. And, therefore, the lack of enforcement against major platforms and tech giants.

A $57 million fine for Google by France’s CNIL back in January 2019 stands as something of a lone exception on the major-financial-penalties-for-tech-giants front.

However, fines seems a poor lever to spur reform of resource-rich tech giants. Just look at the $5 billion fine Facebook negotiated with domestic regulators in the U.S. — a tiny price-tag for its earlier flouting of U.S. regulatory requirements. TL;DR: Fines — even record-breaking ones — are a line of business expense for platforms operating at this level.

So it’s worth noting some high profile interventions/warnings by EU DPAs — which did not involved any actual financial penalties — have netted some tangible changes to how voice assistant AI systems function.

Last summer, for example, it emerged that the Hamburg data protection authority, in German, had informed Google of its intention to use Article 66 powers of the GDPR to begin an “urgency procedure” — which allows a DPA to order data processing to stop if it believes there’s “an urgent need to act in order to protect the rights and freedoms of data subjects”.

Just the warning that it was about to unbox that power appeared to be enough to spark action from Google which suspended manual (human) audio reviews of Google Assistant across the whole of Europe.

There were similar process changes from Apple and Amazon — following regional press and regulatory attention. (Global changes, in the case of Apple.)

So the picture around GDPR enforcement is a little more nuanced than just, “Hey DPAs, show us the money.”

Nonetheless, Ireland remains an obvious one-stop bottleneck for the functioning of regulation — making the agency an eye-catching piñata for those who like to claim GDPR isn’t working.

The DPC cannot remain in this critical limbo forever, of course, no matter how concerned it evidently is that its decisions stand up to tech giants’ lawyerly nitpickings and future judicial review.

Decisions in the more than 20 cross-border cases stuck on its desk — including complaints against Apple, Facebook, Google, LinkedIn, Twitter and TechCrunch’s own parent, Verizon Media, to name a few — must flow eventually. And, per earlier comments, pretty quickly now — given the first decisions were slated for early this year. (Expect the coronavirus crisis to provide some cover for any further administrative delay.)

Whatever those crux decisions look like, critics will still be able to shoot back that they’ve come too late to be truly effective, though.

Update: Graham Doyle, the Irish DPC’s deputy commissioner, has now responded to Brave’s report, telling us: “We are aware of the Report. The DPC budget and staff numbers have grown over the past 5 years. We currently have 140 staff in the DPC and plan to increase to approximately 170 staff by year end. However this growth in staff must continue over the next few years.”

Update 2: A Commission spokesman confirmed it has received Brave’s complaint, and said it would be looking into it — as with any complaints it receives.

“The GDPR has put Europeans back in control of their data. It sets high data protection standards that are fit for the digital economy,” said the spokesman.It has also begun to set global standards. It is a cornerstone of the European approach to the digital age, underpinning several political priorities of the new Commission.

On the forthcoming GDPR review, the spokesman added: “The report is looking into application of the rules after two years. The Commission will, in its assessment, in particular take into account of developments in information technology and in the light of the state of progress in the information society. 

“In accordance with Article 97 of the GDPR, the Commission is required to submit a report on the evaluation of the GDPR to the European Parliament and the Council around the end of May 2020.  The evaluation of the GDPR will provide the opportunity to assess its application, in particular as regards international transfers and the consistency and cooperation mechanism between data protection authorities.”

On national data protection authorities the spokesman said: “It is important that Member States provide them with the necessary human, financial and technical resources,” adding: “From the Commission’s side, we will also continue supporting them with EU funding.”

More TechCrunch

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets

Featured Article

Two Santa Cruz students uncover security bug that could let millions do their laundry for free

CSC ServiceWorks provides laundry machines to thousands of residential homes and universities, but the company ignored requests to fix a security bug.

10 hours ago
Two Santa Cruz students uncover security bug that could let millions do their laundry for free

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

TechCrunch Disrupt 2024 is just around the corner, and the buzz is palpable. But what if we told you there’s a chance for you to not just attend, but also…

Harness the TechCrunch Effect: Host a Side Event at Disrupt 2024

Decks are all about telling a compelling story and Goodcarbon does a good job on that front. But there’s important information missing too.

Pitch Deck Teardown: Goodcarbon’s $5.5M seed deck

Slack is making it difficult for its customers if they want the company to stop using its data for model training.

Slack under attack over sneaky AI training policy

A Texas-based company that provides health insurance and benefit plans disclosed a data breach affecting almost 2.5 million people, some of whom had their Social Security number stolen. WebTPA said…

Healthcare company WebTPA discloses breach affecting 2.5 million people

Featured Article

Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Microsoft won’t be facing antitrust scrutiny in the U.K. over its recent investment into French AI startup Mistral AI.

12 hours ago
Microsoft dodges UK antitrust scrutiny over its Mistral AI stake

Ember has partnered with HSBC in the U.K. so that the bank’s business customers can access Ember’s services from their online accounts.

Embedded finance is still trendy as accounting automation startup Ember partners with HSBC UK

Kudos uses AI to figure out consumer spending habits so it can then provide more personalized financial advice, like maximizing rewards and utilizing credit effectively.

Kudos lands $10M for an AI smart wallet that picks the best credit card for purchases

The EU’s warning comes after Microsoft failed to respond to a legally binding request for information that focused on its generative AI tools.

EU warns Microsoft it could be fined billions over missing GenAI risk info

The prospects for troubled banking-as-a-service startup Synapse have gone from bad to worse this week after a United States Trustee filed an emergency motion on Wednesday.  The trustee is asking…

A US Trustee wants troubled fintech Synapse to be liquidated via Chapter 7 bankruptcy, cites ‘gross mismanagement’

U.K.-based Seraphim Space is spinning up its 13th accelerator program, with nine participating companies working on a range of tech from propulsion to in-space manufacturing and space situational awareness. The…

Seraphim’s latest space accelerator welcomes nine companies

OpenAI has reached a deal with Reddit to use the social news site’s data for training AI models. In a blog post on OpenAI’s press relations site, the company said…

OpenAI inks deal to train AI on Reddit data

X users will now be able to discover posts from new Communities that are trending directly from an Explore tab within the section.

X pushes more users to Communities

For Mark Zuckerberg’s 40th birthday, his wife got him a photoshoot. Zuckerberg gives the camera a sly smile as he sits amid a carefully crafted re-creation of his childhood bedroom.…

Mark Zuckerberg’s makeover: Midlife crisis or carefully crafted rebrand?

Strava announced a slew of features, including AI to weed out leaderboard cheats, a new ‘family’ subscription plan, dark mode and more.

Strava taps AI to weed out leaderboard cheats, unveils ‘family’ plan, dark mode and more

We all fall down sometimes. Astronauts are no exception. You need to be in peak physical condition for space travel, but bulky space suits and lower gravity levels can be…

Astronauts fall over. Robotic limbs can help them back up.

Microsoft will launch its custom Cobalt 100 chips to customers as a public preview at its Build conference next week, TechCrunch has learned. In an analyst briefing ahead of Build,…

Microsoft’s custom Cobalt chips will come to Azure next week

What a wild week for transportation news! It was a smorgasbord of news that seemed to touch every sector and theme in transportation.

Tesla keeps cutting jobs and the feds probe Waymo

Sony Music Group has sent letters to more than 700 tech companies and music streaming services to warn them not to use its music to train AI without explicit permission.…

Sony Music warns tech companies over ‘unauthorized’ use of its content to train AI

Winston Chi, Butter’s founder and CEO, told TechCrunch that “most parties, including our investors and us, are making money” from the exit.

GrubMarket buys Butter to give its food distribution tech an AI boost

The investor lawsuit is related to Bolt securing a $30 million personal loan to Ryan Breslow, which was later defaulted on.

Bolt founder Ryan Breslow wants to settle an investor lawsuit by returning $37 million worth of shares

Meta, the parent company of Facebook, launched an enterprise version of the prominent social network in 2015. It always seemed like a stretch for a company built on a consumer…

With the end of Workplace, it’s fair to wonder if Meta was ever serious about the enterprise

X, formerly Twitter, turned TweetDeck into X Pro and pushed it behind a paywall. But there is a new column-based social media tool in town, and it’s from Instagram Threads.…

Meta Threads is testing pinned columns on the web, similar to the old TweetDeck

As part of 2024’s Accessibility Awareness Day, Google is showing off some updates to Android that should be useful to folks with mobility or vision impairments. Project Gameface allows gamers…

Google expands hands-free and eyes-free interfaces on Android