When will GDPR Supervisory Authorities start to meet their legal obligations?

Today I wrote the following Open Letter to the Secretariat of the European Data Protection Board and I am publishing it here as a matter of public interest because I know many people have the same questions and would love some answers. I will post any responses I receive as future edits of this post.

Dear Secretariat,

I would like you to consider this email as a formal complaint to the EDPB because frankly I am sick and tired of the complete lack of compliance by Supervisory Authorities and the impact it is having on our fundamental rights. Below, I am pasting a post I made on LinkedIn today in relation to my frustration as an experienced and tenacious privacy expert, with the Supervisory Authorities.

I am really starting to lose patience with Supervisory Authorities and the amount of time it takes them to handle cases and their lack of communication in relation to cases (communication they are legally obligated to provide explicitly under the GDPR).

I have been working in this space for a very long time, I have filed thousands of complaints, I know most of the Supervisory Authorities personally and I have an exceptional understanding of the law on these issues (it is literally my job) as well as having consulted on the creation and development of these laws.

So explain this to me - if someone with my level of expertise, experience, tenacity and connections cannot get CNIL (often celebrated as one of the most active Supervisory Authorities until you actually look closely and see that most of those activities are based against giant tech companies and very few cases against French companies have been meaningfully enforced) to provide the information they are legally obligated to provide (let alone actually conclude an investigation and enforce the law) - someone tell me please, how are data subjects with no specialised knowledge, experience and connections supposed to have any confidence that the system is working and that the Supervisory Authority is not captured?

I have filed a vast number of complaints with CNIL, DPC Ireland and IMY and in every single case these Supervisory Authorities have failed to meet their legal obligations under the GDPR.

I am literally waiting for a call with CNIL at 2pm today because I now have to file a lawsuit against them under Article 78 because after FOUR YEARS of me filing an open and shut case against Withings (on issues which CNIL has since fined Facebook, Google and other tech giants many tens of millions of euros for big headlines) CNIL have neither met their obligations to update the data subject (me) nor concluded the investigation. They have literally provided me with ZERO information despite me reaching out many times over the past 4 years.

It has become the case that the Supervisory Authorities are actually now WORSE and more of a threat to our fundamental rights than the companies processing our personal data illegally - because of their complete failure to meet their own legal obligations and issue meaningful enforcement within a reasonable timeframe.

Those who are tasked with protecting our fundamental rights are actually doing the opposite - they are causing more and more erosion of those rights by not doing their jobs and allowing the status quo to remain.

It is starting to look like GDPR and fundamental rights are just pretend - something that the EU want us to believe is real but are just an illusion to placate the masses.

That I am starting to think this despite having actively engaged in the process for the past 15 years and having worked closely with many Supervisory Authorities, should be a serious concern because if someone so favourable of the process as I, feels it is nothing more than a ruse - how do you think a “normal” data subject feels?

I have had IMY refuse to conduct investigations (despite being legally bound to do so with full due diligence) on multiple occasions, I have seen IMY close cases with no action despite the unlawful processing of extremely sensitive health data (I was asked to conduct a mental health therapy session for PTSD over Skype and IMY refused to take action despite it being an incredibly clear breach of the law and this is happening 10s of thousands of times EVERY MONTH in Sweden).

I have had IMY refuse to conduct investigations on the excuse that they do not have enough resources…(I have the correspondence to prove it).

I had a meeting with senior legal counsel of Ubisoft where they claimed that CNIL told them explicitly NOT to comply with the Planet49 judgment from the CJEU - a claim repeated by multiple parties.

To be clear - over the last 5 years I have filed many cases - not a SINGLE ONE has been concluded (with the exception of the IMY health data case which was concluded without action).

I am not even necessarily asking for fines - suspension of processing activities until a Controller is able to comply with the law remains (in my mind) the most effective enforcement activity yet to date such an action is as rare as teeth on a hen - yet such actions would have a concrete and effective impact on the protection of our fundamental rights.

Frankly I am ashamed. I am ashamed that I constantly have to defend a system which is not just broken but I would argue deliberately sabotaged by those tasked with managing it - and all of you should be equally ashamed for allowing such a situation to arise.

Need I remind you all that these are fundamental human rights? Need I remind you all that these are all matters of law? Need I remind you all of the rule of law principle? Need I remind you all that the impact of such lack of enforcement simply leads to eroding those rights even further? Need I remind you all of your ethical, moral and legal obligations? Shame on you all if that is the case.

The fact that I am now forced to use Article 78 against a Supervisory Authority (who once hosted me at their office as a friendly ally) should be an embarrassment to you all.

When is this going to change? When will our fundamental rights be truly protected? When will Supervisory Authorities start to enforce appropriately against ALL violations of those rights rather than just the cases against big tech because they generate headlines? You are servants of the People, you have an obligation to the People and you are failing those People in a dramatic and dangerous way.

You need to fix this.

I will be publishing this letter and any response(s) as a matter of public interest because I know for a fact that many others have exactly the same questions and want answers. I would be happy to address the EDPB on these issues in person at one of your plenary meetings if desired.

Sincerely,

Alexander Hanff

#fundamentalrights #ruleoflaw #enforcement #compliance #privacy #gdpr #eprivacy #EDPB #EU #effectiveenforcement #legal #law #cookies #bigdata #adm #ehealth #schremsII #ethics #surveillance #surveillancecapitalism #erosion #capture #frustration #technology #tech #democracy #humanrights #ai

Jan Prill

Principal Consultant at adesso SE (Health) | RA | sebrof a/0

1 year

The answer is: they never will. And the reason is that although the law has been enacted, it is fundamentally contrary to the economic goals of the countries that now have to live with the regulation. And perhaps not so much because of the wording of the regulation as because of the uncertainty it has brought to economic operators. You are calling - perhaps rightly - for this uncertainty to be reduced through clear enforcement of the law. But since this would lead to disadvantages for companies that couldn't get their way in Brussels at the right time, it won't happen. As you prove with your examples, nothing has improved for data subjects. One response is an open letter, another would be to adjust regulation to reflect realities. Using a law of an economic area to change the world was, in retrospect, a naive and unrealistic idea.

Juan Sierra Pons

Linux / DevOps / Automation / Data Engineer / ETL / DataOps / Pentaho / Personal opinions here.

1 year

#EUDPR (#GDPR for EU bodies) enforcement doesn't look better. :(

* The "without undue delay" enforcement part is a joke.
* Requesting data recipients (not categories) takes ages and sometimes EU bodies don't know which one is responsible for providing it.
* Principles interpretation is another joke.
* Showing compliance..... All replies are a big #TRUSTMEBRO.... We are processing your data properly.
* Nobody knows the difference between data processor and data controller.
* Storage is a data processing activity.... You are joking right!

Basically nobody knows, nobody cares. The main differences between #GDPR and #EUDPR are the fines you can get for non-compliance. Guess which sector gets peanuts-level fines.... Peanuts fines are the cost of doing business for EU institutions.

Hajo Michael Holtz

Senior Lecturer Commercial Law Uppsala University

1 year

A question: are you generally available to speak at conferences?
