The first fine from the Irish privacy commissioner has come to Facebook, or to be precise, to WhatsApp, of which Facebook is the owner. A fine of 225 million euros, a small thing compared to the turnover of Zuckerberg’s creature but which individually constitutes the second fine by value after that of 746 million euros imposed by the Luxembourg Privacy Guarantor a few weeks ago to another tech giant, Amazon .
In both cases, the two companies have announced that they will appeal because they consider the fines disproportionate. In this regard, please note that the maximum amount of the fines provided for by the GDPR, the European regulation on the protection of personal data, provides for a ceiling of 4% of the global turnover, a figure far from being reached in these two cases given the annual revenues of the two. giants.
But beyond the merits of the question, I would like to pause and reflect for a moment on a long-debated topic, namely that the ability of the national Guarantors, as the GDPR has been set up, to enforce it. The law provides, in order to favor companies and allow them to scale the European market, to be able to interface with a single Guarantor, that of the country where they have their head office. In this way, even the Startup will not have to worry about hiring lawyers in every State of the European Union because even requests from those countries will be managed centrally by its national Guarantor. Aided by a strong public relations campaign that began two decades ago in the United States, Ireland managed to persuade American Big Techs to settle there by offering a native English-speaking workforce and considerable economic benefits. In fact, with the exception of Amazon, all foreign Big Techs have their headquarters in Ireland.
This concentration of multinationals tech has however led to the creation of a bottleneck. With the entry into force of the GDPR in 2018, which also recognized the possibility of associations and NGO to assert the rights of users, despite the many reports received by the Irish Guarantor, over 10,000 per year according to ong NOYB by activist Max Schrems, this is just one of the first in three years. And the same can be said of colleagues from Luxembourg.
The issue of the efficiency of the sanctioning system it is not only important for those dealing with privacy as the latest European legislative proposals in the digital field, such as the expected Digital Services Act (DSA) to regulate platform liability and the AI Act on Artificial Intelligence, provide for new authorities whose composition is based on the model of the GDPR: one authority for each Member State, one “Leader” in the State where the company has its main office and a collegial board that meets in Brussels and which gathers a representative for each national authority.
And what happens if the lead authority is not diligent in its inspection and sanctioning tasks? The GDPR, as well as the new ones legislative proposals on the Brussels table provide for the possibility for other authorities to intervene by bringing their own requests to the board. This is what actually happened in the case of WhatsApp, where the other Guarantors, including the Italian one, had contested the amount of the penalty and the merit of the conclusions of the Irish colleague, thus bringing the fine to rise from the proposed 50 million to the next 225 million. of Euro.
Everything good so? Not really. In the case of WhatsApp, as we said, the company will appeal and this will mean that the process will close in a few years. To avoid the risk of procedural delays, in Italy, for example, the national law provides for the possibility of renouncing the appeal, obtaining a 50% penalty discount in exchange. It could be a way to go on other occasions to speed up the time after the sanction.
And first of the sanction? It is fair to remember that these investigations, especially when they concern giants tech that they perform numerous activities in different fields, require time and expertise technique and legal that should be supported by national governments with adequate economic and human resources. How can we think that in a few years it will be possible to investigate an artificial intelligence algorithm without engineers, lawyers, humanists, human rights experts, with the appropriate skills and able to work together? The recent open positions at the Ministry of Innovation bode well for the future both for the qualifications required and for the promised remuneration. But that’s not necessarily enough.
in the meantime the bottleneck problem remains. Some countries, even with the necessary resources, may not have an interest in being too strict not to divert investments. On paper, the GDPR defended itself well from a procedural point of view but perhaps there is still something to be done about the timing. I feel I can give the benefit of the doubt to this still young standard which still has a long way to go and it has to deal with the fact that it is applied in 27 different countries, a very different circumstance from that of the United States or China.
.