In yesterday’s “Observer” the ever-excellent John Naughton drew attention to a survey carried out by a new kid on the block, a company called “Brave”. And they obviously are because Brave is trying to get going in the web browser market. Essentially this means Brave is taking on Google and Microsoft. They have filed legal complaints against Google.
On the second anniversary of the coming into effect of the GDPR Brave looked at a particular aspect of the relationship which exists between Big Tech and the regulators charged with enforcing our data privacy laws, the Data Protection Authorities (DPAs).
Allowing for potential bias in a survey commissioned by an entity seeking to challenge the established order, the findings Naughton discussed nevertheless drew attention to and quantified something many of us have known anecdotally for some time. Brave and Naughton deserve our thanks for doing that.
A major imbalance in resources
For practical purposes, on any given issue which is important to a large West Coast business, they can deploy an almost limitless number of lawyers and techie brains. What can DPAs do in response, at least on the techie side? It won’t be limitless but how limited will it be?
That is what Brave looked at in terms of in-house techie staffing resources available to the DPAs. Brave defined these as “specialists working in DPAs on tech investigations… people that have training or roles that are principally technical”. Brave drew on published data, checked, updated and confirmed via correspondence. The methodology is explained on page 13 of the survey report.
Of course DPAs can employ consultants, and some make it clear they do, but it is very rare to find consultants who are as readily available and subject to the same management and control protocols as direct employees.
In addition not all techies, howsoever defined, are necessarily equal. One uber-techie might be worth a dozen plodders. Then there is the age old problem that once someone working for a regulator becomes any good at their job Big Tech offers to treble their salary and away they go. This can create a residual sense that if you are working for a regulator it can only be because you are second rate or driven by messianic visions which means your judgement is not sound. Such is the end result of years of denigrating public servants. But that’s a culture war for another day.
Germany leads the way
The authors of the research estimated there were 305 tech specialist posts within DPAs across the EU. Germany’s Federal structure and consequential multiplicity of actors complicates things but the fact remains of all techies employed by DPAs in the whole of the EU (which still includes the UK) 29% (88) are employed in Germany. It would be 101 and 33% if all vacancies were filled. The German DPAs still think they are under-strength.
If you add the total cost of the German Federal DPAs to the total cost of the DPAs in the Länder Germany also spends the most on data privacy. The UK comes second overall in the spending league, or first if you don’t combine the German agencies’ expenditure. While the UK is a big spender it is only fourth in terms of techies employed. Behind Germany comes Spain with 36, France with 28, then the UK with 22 (including 1 vacancy). Given Spain and France have smaller budgets than the UK that is surprising, but not rivetingly.
Drawing comparisons based solely on the amounts of money spent is fraught with danger. It could only ever be the crudest of indicators. You might have comparatively few tech companies within your jurisdiction. In a given year if a DPA chooses to do more by way of public awareness and educational activities, who’s to say that is money less well spent? However, Naughton’s rather obvious point is that the complex way in which data collection and data processing works on the modern internet puts an absolute premium on having a strong reservoir of technical expertise to draw on otherwise enforcement actions could be extremely difficult to mount, sustain and win.
And let’s never forget after and with the techies come the lawyers. Bringing enforcement actions can be incredibly expensive. Is it really right that a DPA might be deterred from bringing a case against an Amazon or a Facebook solely because they are worried the drain on their budget would put other responsibilities at risk?
Is there a better way? Could there be some relaxation or amendment of the GDPR which would allow DPAs at least to share the cost of major cases, including the cost of the technical side of the investigations? If a cast iron case presents itself in a country not blessed with a well resourced DPA could that plaintiff or case be lost because the national DPA blanched at the thought of taking it on?
The guys at Brave make several interesting suggestions ( page 11) one of which envisages an enhanced role for the European Data Protection Board (EDPB).
The special case of Ireland
You will recall not long ago the Irish Government was found to have been providing illegal benefits to Apple in order to attract them to their shores. I am pretty sure other tech companies were benefitting in like manner and this in part explains why so many chose to establish their European Headquarters there.
But it seems the Irish Government has been helping Big Tech in other ways . They get the whole of page 9 to themselves in Brave’s report. Ireland has the highest “Lead authority case load” in the whole of the EU, 127, compared with 92 in Germany, 87 in Luxembourg, 64 in France and 56 in the UK.
While the number of cases the Irish DPA has to address has been going up, their budget is not increasing commensurately. Cui bono?
Again these sorts of numbers don’t necessarily tell you anything of importance, but they certainly hint at something. The same is true for Austria.
The position of the Austrian DPA is interesting only because its Head, Andrea Jelinek, is also the Chair of the EDPB. How many techies does the Austrian DPA directly employ? According to Brave, none.
Food for thought for all of us, not just those who are concerned about the position of children in this “tangled web”. No pun intended. Honest.