Anniversaries always offer an opportunity for reflective evaluation and the very recent second anniversary of the EU General Data Protection Regulation’s (GDPR) entry into force is no exception. How far has the GDPR gone in becoming a ‘global standard for privacy and data use’ that will ‘force Big Tech to change its operating methods’ and ‘empower’ consumers by ensuring business compliance with data protection safeguards?
Probably not as far as EU institutions would have liked. As if pre-existing struggles of Data Protection Authorities (DPAs) to enforce the regulation due to insufficient resources were not enough, the ongoing coronavirus pandemic, among its numerous significant repercussions, has created further complications for realising the aims of EU data protection law. Since the early days of the pandemic, reasoned judgment started becoming a scarce commodity and anxiety increasingly got the better out of data protection authorities and policy-makers. COVID-19 has put the GDPR’s aspiration to homogenise data protection law in the EU to a serious and, arguably, unfairly premature test.
Why Homogenise EU Data Protection Law?
Why is homogenisation of EU data protection law important? Before coming to COVID-19 and its impact, it is helpful to provide some background on the so-called ‘Europeanisation’ of data protection law, i.e. the creation of an EU-level system of governance that enacts EU-wide binding data protection rules. One of the main weaknesses of the pre-GDPR data protection law framework in the EU was its decentralised character, i.e. the reliance of monitoring and enforcement on independent national supervisory authorities. Independence from EU institutions allowed national DPAs to develop divergent approaches that were making the chain as strong as its weakest link. In the absence of a pan-European regulator that would ensure consistent application, companies like Facebook were able to ‘forum shop’, choosing their preferred DPA and national jurisdiction.
The GDPR sought to change this: DPAs are now legally obliged to ‘contribute to the consistent application of this Regulation throughout the Union’ (art 51) and apply data protection rules in a ‘consistent and homogenous’ (recital 10) manner. There is a newly established ‘consistency mechanism’ (arts. 63 ff), supervised by the European Data Protection Board (EDPB), the EU-level supervisory authority comprised of national DPAs as its members. The EDPB issues legally binding decisions to resolve disputes between DPAs in a number of different scenarios (art. 65). Has this ambitious legal reform yielded the desired outcomes two years after the GDPR’s entry into force? In other words, do we now see a more harmonised and consistent application of EU data protection law in practice?
The COVID-19 Factor: Fragmentation and Divergence
While it would be unfair to extrapolate from an emergency to the overall state of EU data protection law, the aftermath of the COVID-19 outbreak brought to the fore the main barriers for ‘Europeanisation’: the EDPB’s reliance on increased (two-thirds) majority to issue a legally binding decision (art. 65) and its tendency to reactrather than proactively guide DPAs. These barriers created complications for the EDPB’s efforts to harmonise national responses to the pandemic. Two major areas where European DPAs have been developing divergent approaches will be discussed here: contact-tracing and health data processing in the workplace.
Since early April, the EU commission had fully realised the potential of contact-tracing apps to assist in the monitoring and containment of COVID-19. Such apps have been at the epicentre of scholarly interest in the last few months and the implications of their use from a data protection and human rights law perspective have been vividly recounted before on this blog. A divide between ‘centralised’ and ‘decentralised’ software applications quickly emerged: in the first case, historical location and proximity data would be shared from individual mobile phones to health and other state authorities, whereas, in the second case, all identifiable data would remain on the individual devices and only non-identifiable information would be passed on. Officials from the French and Italian governments expressed their preference for centralised models, whereas other Member States like Austria and Estonia announced that they plan to adopt a decentralised approach. In spite of nudging DPAs to decentralised apps as more consistent with the principle of data minimisation, the EDPB failed to authoritatively bridge the divide. The members of the Board could not reach consensus on a recommendation that would harmonise solutions in the EU, allowing Member States to decide themselves whether they will opt for a ‘centralised’ or a ‘decentralised’ solution.
The picture is not dissimilar in the context of health data processing in the workplace. The EDPB deferred the crucial question of determining the types of data processing that fall within the ambit of ‘necessary’ measures (arts. 6 and 9) to national legislation governing special protection obligations of employers. As a result, starkly different interpretations of the GDPR requirements in the context of employee data processing have emerged across the Union. To take the example of disseminating health-related questionnaires in the workplace, countries like Luxembourg, France and Belgium have categorically opined against the lawfulness of such a practice. Other countries (e.g. Lithuania and Spain), however, have allowed this under certain conditions, whereas DPAs from Germany, Hungary and Austrian have been broadly permissive as long as this is ‘necessary’ and ‘proportionate’ to the aim of protecting public health. A similar pattern of fragmentation and divergence is reflected when it comes to the lawfulness of employing temperature measurement technologies in the workplace. Are these divergences, however, necessarily alarming from an EU data protection law perspective?
The Importance of ‘Europeanisation’ in Times of Crisis
To an extent, it is true that novel and complex challenges like the ones associated with the coronavirus pandemic will always trigger divergent responses. It is also correct that the GDPR employs principle-based regulatory techniques, often relying on generic terms like the ‘public interest’ or ‘legitimate interests’ to facilitate the conformity of a multiplicity of actors, operating in a multiplicity of localities, with substantially similar data protection safeguards.
Yet, even if ‘Europeanisation’ is an ideal with limitations and a work-in-progress, it remains a noble aspiration, more than ever in times of crisis like the present ones. As the wave of a pandemic sweeps across Europe, both in the case of COVID-19 and in the case of future health crises, worries about economic survival and public health (will) dominate policy agendas, leaving little space for seeing data protection and privacy as priorities. Other, non-EU countries, unencumbered by robust data protection restrictions, are likely to seek competitive advantage in managing relevant risks by implementing enhanced surveillance techniques like facial recognition. In the absence of homogenous data protection rules, many national authorities in the EU may, then, find themselves strongly disinclined to sacrifice expediency and efficiency on the altar of ensuring heightened protection for data subject rights. In the words of the Estonian DPA, this may be seen as not the time to ‘stubbornly assert rights’. Permitting diversity could be translated into permitting a race to the bottom.
What could the EDPB do to harmonise the responses of national DPAs around common interpretations of the key legal principles in the GDPR? A key move would be to act before significant divergences like the ones analysed in the present contribution emerge, setting the terms of the debate with its comprehensive and authoritative guidance, rather than reacting to resolve an already established and hotly contested conflict. This is not to say that EU institutions have stood still during the pandemic, but such issues as the ones analysed in this contribution could have been addressed more urgently. A more proactive stance on behalf of the EDPB would incentivise both more and less rigorous DPAs to conform to the Board’s guidelines. This would breathe new life into the incremental process of ‘Europeanisation’ of data protection law, utilising both the EDPB’s legal mandate and the institutional incentives of DPAs to achieve clarity in times of overall uncertainty.
This contribution is based on a longer publication, which is forthcoming in the Journal of European Consumer and Market Law