A report by the lead data watchdog for a large number of tech giants operating across Europe shows a significant increase in privacy complaints and data breach notifications since the region's updated privacy framework came into force last May.
The annual report published by the Irish Data Protection Commission (DPC) covers the period from 25 May, the date the European Union's General Data Protection Regulation (GDPR) came into force, to 31 December 2018. According to the report, the DPC received more than double the number of complaints after the GDPR compared to the first part of 2018 before the introduction of the new system: 2,864 and 1,249 complaints respectively.
This makes a total of 4,1
The increase before and after the GDPR is even greater (56 percent), suggesting that the regulation is working to build momentum and help individuals exercise their fundamental rights.
"The phenomenon has shown one thing above all: People's interest and appetite for understanding and controlling the use of their personal information are far from a reflection of apathy and fatalism," writes Helen Dixon, Ireland's Data Protection Officer.
She adds that the increase in the number of complaints and requests received by data protection authorities across the EU since 25 May shows "a new level of action mobilization in the EU", as individuals fight against what they deem abusive use of their data or an inadequate explanation of what is done with it.
While online privacy rules have been in place in Europe since 1995, a weak enforcement regime essentially allowed them to be ignored for decades, and Internet companies could take and use the data of web users without full regard and respect for Europeans' personal rights.
But the regulators pushed the reset button last year. And the Irish data watchdog is a particularly interesting agency to watch if you are interested in assessing how the GDPR works, as many technology giants have decided to place their international data streams under the control of the Irish DPC.
Other cross-border complaints
"The role places the DPC in an obligation to protect the privacy rights of hundreds of millions of people across the EU, a duty that must be met by the DPC under the GDPR in collaboration with other regulators," writes the DPC in the report, discussing its role as regulator for several multinational technology companies and recognizing both a "greatly enhanced role under the GDPR" and a "significantly increased workload".
A breakdown of GDPR versus Data Protection Act 1998 complaint types over the reporting period indicates that complaints directed against multinationals have jumped under the new DP regime.
Some types of complaints are still governed by the old rules. Under those rules, only 2% of complaints were against multinational companies, while in the same category under the GDPR the share was roughly one quarter (22%).
This is the clearest difference between the old and the new rules – which underlines the increased workload of the DPC as a hub (often acting as lead supervisory authority) for cross-border complaints under the One Stop Shop mechanism of the GDPR.
The category with the largest share of complaints under the GDPR during the reporting period was access rights (30%). The DPC received a total of 582 complaints from individuals who feel that they are not being given their data. Access rights were also the most frequent subject of complaint under the earlier data protection rules during this period.
Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints versus 178 under the Data Protection Act); disclosure (217 vs. 138); and electronic direct marketing (111 vs. 36).
The purpose of the EU's GDPR is to redress the imbalance of weakly enforced rights, including by creating new routes to enforcement through very large fines. (The GDPR provides for penalties of up to 4 percent of annual turnover, and in January the French data protection supervisor issued Google with a fine of $57 million related to transparency and consent – though still far from this theoretical maximum.)
Importantly, the Regulation also introduced a collective redress option, which some EU Member States have adopted.
This allows third-party organizations such as consumer rights groups to file data protection complaints on behalf of individuals. It has resulted in a number of strategic complaints being filed by organized experts since last May (including in the case of the above-mentioned Google fine), which has accelerated collective action by consumers against erosion of rights. This is also a complex area that remains difficult for consumers to navigate without expert help.
Where complaints are upheld, though, the "nuclear option" of the GDPR is not a fine; it is that data protection authorities may order data controllers to stop processing data.
This remains the most important tool in the regulatory toolbox. Depending on the outcomes of various ongoing strategic GDPR complaints, it may prove very significant in reshaping what experts regard as systematic intrusions into privacy by adtech platform giants.
And while well-resourced technology giants may be able to absorb even very hefty financial penalties as just a cost of doing a very lucrative business, data-driven business models are far more precarious when processors can suddenly be hit with an order to limit or even discontinue data processing. (As a matter of fact, Facebook's business has just had to deal with this in Germany, where antitrust authorities have collaborated with privacy watchdogs.)
Reports of data breaches also
The GDPR also puts a major focus on security, with a requirement for rapid reporting of data breaches throughout the bloc and very harsh penalties for non-compliance.
Regarding data breaches, the Irish DPC announced that it had received a total of 3,687 notices of data breaches between May 25 and December 31, stating that only four percent (145 cases) did not meet the GDPR's definition of a personal data breach. This means that a total of 3,542 valid data breaches were recorded in the reporting period. This represents an increase of 27 percent compared to the 2017 reporting figures.
"As in other years, the highest category of data breaches was classified as unauthorized disclosure and accounted for nearly 85% of total data breaches," she added: "The majority was in the private sector (2,070)." The watchdog recorded more than 4,000 data breaches for the full year 2018, the report said.
The DPC also announces that it received 38 notifications of personal data breaches in the period following the GDPR in 2018. These are breaches involving tech giants.
"A significant number of these notifications involved unauthorized disclosure of and access to personal information arising from flaws in software provided by data processors used by the organizations," it writes, adding that it then opened several investigations (for example, after the Facebook token breach in September 2018).
Open Probes of Technology Giants
As of December 31, 2018, the DPC said, 15 investigations into GDPR compliance by multinational technology companies were open.
The following is a complete list of DPC's ongoing investigations into multinational companies – including the tech giant under investigation; the origin of the investigation; and the questions studied:
- Facebook Ireland Limited – Complaint-based investigation: "Right of Access and Data Portability. Examining whether Facebook has complied with its GDPR obligations regarding the right of access to personal data in Facebook's 'hive' database and the portability of 'watched' personal data."
- Facebook Ireland Limited – Complaint-based investigation: "Lawful basis for processing. Examining whether Facebook satisfies its GDPR obligations with respect to the lawful basis for the processing of personal data in the context of behavior analysis and targeted advertising on its platform."
- Facebook Ireland Limited – Own-volition investigation: "Facebook token breach in September 2018. Examining whether Facebook Ireland has complied with its GDPR obligations to implement organizational and technical measures to secure and protect the personal data of its users."
- Facebook Ireland Limited – Own-volition investigation: "Facebook September 2018 breach. Examining whether Facebook has complied with the GDPR's obligations on notifying breaches."
- Facebook Inc. – Own-volition investigation: "Facebook breach in September 2018. Examining whether Facebook Inc. has fulfilled its GDPR obligations to implement organizational and technical measures to secure and protect the personal data of its users."
- Facebook Ireland Limited – Own-volition investigation: "Commenced in response to numerous breaches that were reported to the DPC in the period since May 25, 2018 (separate from the token breach). Examining whether Facebook has complied with its GDPR obligations to implement organizational and technical measures to secure and protect the personal data of its users."
- WhatsApp Ireland Limited – Own-volition investigation: "Transparency. Examining whether WhatsApp has complied with its GDPR transparency obligations regarding the provision of information and the transparency of this information to both users and non-users of WhatsApp services, including information provided to individuals about the processing of information between WhatsApp and other Facebook companies."
- Twitter International Company – Complaint-based investigation: "Access. Examining whether Twitter complied with its obligations regarding the right of access to links retrieved via Twitter."
- Twitter International Company – Own-volition investigation: "Commenced in response to the large number of breaches reported to the DPC in the period since May 25, 2018. Examining whether Twitter has complied with its GDPR obligations to implement organizational and technical measures to safeguard and protect the personal data of its users."
- LinkedIn Ireland Unlimited Company – Complaint-based investigation: "Lawful basis for processing. Examining whether LinkedIn has met its GDPR obligations regarding the lawful basis on which it relies to process personal data in the context of behavioral analysis and targeted advertising on its platform."
- Apple Distribution International – Complaint-based investigation: "Lawful basis for processing. Examining whether Apple has complied with its GDPR obligations with regard to the lawful basis for the processing of personal data in the context of behavioral analysis and targeted advertising on its platform."
"The DPC's role in overseeing the data processing operations of the many large, high-volume, multinational corporations – including internet technology companies and social media companies – with EU headquarters in Ireland changed immeasurably on 25 May 2018," admits the watchdog.
"For many, including Apple, Facebook, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath [Disclosure: TechCrunch is owned by Verizon Media Group; aka Oath / AOL], WhatsApp, MTCH Technology and Yelp, the DPC acts as lead supervisory authority within the framework of the GDPR OSS [one-stop shop]."
The DPC states in the report that between May 25 and December 31, 2018 it received 136 cross-border processing complaints under the OSS procedure of the Regulation (i.e., submitted by individuals to other EU data protection authorities).
A breakdown of these (probably) tech giant-related GDPR complaints shows a strong focus on consent, the right to deletion, the right to information and the lawfulness of data processing.
While the Irish DPC acts as lead supervisor for many high-profile GDPR complaints that relate to tech giants' handling of data, it should be emphasized that the OSS mechanism does not mean that Ireland sits alone in judgment on Silicon Valley's rights violations in Europe.
The mechanism allows other DPAs to participate in these cross-border complaints.
And the European Data Protection Board, the body working with all data protection authorities of EU Member States to ensure uniform application of the Regulation, may initiate a dispute resolution process if a lead agency considers that it cannot implement an objection from a concerned agency. The goal is to counteract forum shopping.
In a section on "EU Cooperation," the DPC also writes:
Our EU counterparts, with whom we sit together in the European Data Protection Board (EDPB), closely follow the activities and results of the Irish DPC because a significant number of people in each EU Member State can potentially be influenced by the processing activities of Irish-based Internet companies. The EDPB activities are intensive, with monthly plenary sessions and a new system of online data exchange in the context of cross-border processing between authorities. The DPC has promoted the development of the EDPB Guidelines on Provisions for Codes of Conduct under the GDPR. These should be approved and published by the EDPB in the first quarter of 2019. The DPC expects the industry to accept codes of conduct, and this will raise the bar for individual sectors in terms of privacy and transparency standards. Codes of conduct are important because they more fully reflect and clarify the context and reality of data-processing activities in a given sector, subjecting them to the standards that can be achieved in addition to external monitoring by an independent body. It is the clarity of the standards that will lead to real results.
During the period, the watchdog also revealed that it had made 23 formal requests to technology giants for detailed information on compliance with various aspects of the GDPR, and had engaged with platforms on a "broad range of topics", citing the following examples to convey an impression of these concerns:
- Google for the processing of location data
- Facebook on topics such as the transfer of personal data from third-party apps to Facebook and Facebook's cooperation with external researchers
- Microsoft on the processing of telemetry data collected by its Office product
- WhatsApp on questions of sharing personal information with other Facebook companies
"The oversight of these companies regarding the matters described is still ongoing", adds the DPC.
The adtech sector "has to comply with the GDPR"
[…] is systematically processed into behavioral ads, represents another open complaint on the desk of the DPC.
The strategic complaint was filed by several people in several EU countries (including Ireland) last fall. Since then, the individuals behind the complaints have continued to submit and publish evidence that they argue supports their case against the behavioral advertising industry (mainly Google and the IAB, which set the specifications involved in the real-time bidding (RTB) system).
Referring to this RTB complaint in the annual report, the Irish DPC gives a written warning to the adtech industry, writing that the advertising ecosystem is "complex" and multiple parties are involved in "fast, large-scale transactions" related to bidding for advertising space and provision of ad content. "The protection of personal data is a prerequisite for the processing of personal data within this ecosystem and, ultimately, the sector must comply with the standards set by the GDPR," it writes.
The watchdog also reports that it has engaged with "multiple stakeholders, including, on the one hand, publishers and data brokers, and on the other hand, advocates of privacy and stakeholders", with regard to the RTB complaint, stating that it will continue to prioritize its review of the sector in 2019 "in collaboration with its counterparts at EU level to ensure a consistent approach in all EU Member States".
It adds that some of the 15 open investigations into tech giants will come to a close this year and "help answer some of the questions that relate to this complex area." So, watch this space.
Responding to the DPC's comments on the RTB complaint, Dr. Johnny Ryan, Chief Policy and Labor Relations Officer of private browser Brave – and also one of the complainants – said they expect the DPC to act "urgently".
"We filed our complaint with the DPC and other European regulators because Adtech urgently needs repairing to make sure it works," he told TechCrunch. "The DPC itself recognizes that online advertising is a priority. IAB and Google's online auction system allows companies to transfer what each person reads, monitors online and listens to countless parties online. There is no control over what happens to this data. The evidence we presented to the DPC shows that this happens hundreds of billions of times a day."
"Given the upcoming European elections, it is particularly worrying that the IAB and Google systems allow voter profiles in this way," he added. "This clearly violates the safety and integrity principles of the GDPR, and we expect the DPC to act urgently."
The IAB had previously dismissed the complaints as "wrong", arguing that the security risk was "theoretical"; Google has set policies that prevent advertisers from accessing sensitive data categories. However, the RTB complaint is based on the GDPR's security requirements that the processing of personal data must be done in a manner that ensures "reasonable security", including "protection against unauthorized or unlawful processing and accidental loss".
The security of the RTB system is therefore the core problem that the Irish DPC, along with agencies in the UK and Poland, has to deal with this year.
The complainants also said they intend to file further complaints in more markets across Europe. Therefore, more data protection authorities are likely to join the audit of RTB as concerned regulators, which could increase the pressure on the Irish DPA to act.
Schrems II vs. Facebook
The watchdog's report also includes an update on ongoing litigation filed by European data protection campaigner Max Schrems on a data transfer mechanism known as Standard Contractual Clauses (SCCs), originally aimed only at Facebook's use of the mechanism.
The DPC decided to bring Schrems' original challenge before the Irish courts. These have now broadened the case by referring a series of legal questions to the EU's top court, with (now) potential implications for the legality of the EU's flagship Privacy Shield mechanism.
This was negotiated after the sinking of its predecessor Safe Harbor in 2015, also as a result of a legal challenge by Schrems, and launched in August 2016 – despite ongoing concerns from data experts. Privacy Shield is now used by nearly 4,500 companies to authorize the transfer of EU users' personal data to the US.
While Schrems' complaint about SCCs (sometimes referred to as "model contract clauses") was targeted at Facebook, the litigation could have a significant impact on many more companies if Privacy Shield itself no longer works.
Recently, Facebook has attempted to block the referral of legal questions by Irish judges to the Court of Justice of the European Union (ECJ), winning permission to appeal last summer (though the judges did not stay the referral in the meantime).
In its report, the DPC notes that the hearing of Facebook's appeal took place on January 21, 22 and 23 before a five-judge Supreme Court panel.
"Oral arguments were made for Facebook, the DPC, the US government, and Mr. Schrems," it writes. "The key questions that arise from the appeal include the following: Can the Supreme Court re-examine the High Court's findings regarding US law? (This follows from Facebook and the US Government's allegations that the High Court ruling, which underpins the reference to the ECJ, contains various factual errors in relation to US law.)
"The Supreme Court then raises further questions as to whether the judgment actually contains errors and, if so, whether and how to deal with them."
"At the time of going to print, there is no indication as to when the ruling of the Supreme Court will be issued," it adds. "In the meantime, the Supreme Court's reference to the ECJ remains valid and pending before the ECJ."