The landmark introduction of the General Data Protection Regulation (GDPR) in May has triggered a resource and budgetary headache at Datatilsynet, Denmark’s data protection agency (DPA).
The DPA has logged a significant surge in GDPR-related cases since June, especially cases linked to social media organisations, including Facebook and Google. The uplift in workload is happening at a level that is testing the DPA’s capacity to process, investigate and efficiently manage cases.
A cause of concern for the DPA is that its rapidly expanding GDPR duties could impair its ability to deliver a full service across the entire personal data protection spectrum within the regulatory domain. The DPA has sought an increase in government funding to improve the agency’s case-handling efficiency. It also wants to recruit additional expertise and professionals in core areas such as consumer and legal affairs.
The adoption of the GDPR across the European Union (EU) and the European Economic Area states coincided with a government initiative in Denmark to enhance data protection and privacy rules for all individuals. Moreover, Denmark sought to impose a higher level of obligations on organisations, including the major global actors such as Facebook, Google and Apple, that are engaged in the processing of personal data.
The EU’s GDPR framework fitted neatly into Danish plans for an updated Data Protection Act. The Danish parliament, the Folketing, ratified the incorporation of the GDPR into the new Danish Data Protection Act on May 25.
To cope with the increasing number of contacts from the public, local authorities and enterprises, the DPA assigned extra resources and frontline personnel to handle telephone inquiries.
“One of our core tasks is to advise citizens, companies and authorities about legal rights and rules. We are responding to the increased need for information about all aspects and areas of privacy protection,” said Cristina Gulisano, the DPA’s director general.
The GDPR factor began to have a visible and immediate impact on the DPA’s caseload after May 25. Based on the month-by-month scale of logged inquiries in the third quarter alone, the agency expects its workload to increase from the 5,000 cases it handled in 2017 to over 20,000 individual cases annually after 2019.
“Having to deal with many more cases is obviously a huge challenge for us, even though we have strengthened personnel on the administration side by 30%,” said Jesper Husmer Vang, the DPA’s head of office and supervision. “Should the growth in GDPR-type inquiries we are seeing continue at this rate, it will render our already bolstered staffing level inadequate.”
The advent of GDPR has also changed the substance of the DPA’s work as it relates to dealing with legal rights inquiries from the public, enterprises and authorities about core issues such as data treatment and storage. The vast majority of new cases being processed by the DPA fall into one or both of these often complex and legally intricate categories.
The DPA is also receiving an increasing number of public notifications on security breaches relating to hackers gaining access to personal data.
Danish municipalities, concerned that their websites are being used by social media actors like Google and Facebook to track user activity, are also adding to the DPA’s caseload.
Local authorities in Denmark have conducted a sweeping review of their public websites to ensure that security and personal data protection levels are fully compliant with GDPR rules and the Danish Data Protection Act.
Tracking and collecting data
The GDPR compliance review conducted by municipalities found that public websites which use social plug-ins and allow users to “like” and “share” content, including advertising cookies, can be used by companies like Facebook and Google to track and collect data on users’ behaviour and online activity. To comply with the GDPR, municipalities were advised to discontinue using social plug-ins on their websites.
The Danish Data Protection Act makes it possible to impose financial penalties on municipalities that are found to be in breach of personal privacy protection rules. The fine, in the most serious cases, can reach a maximum of 4% of the total annual payment to local authorities from the central government.
Under the Act, private data processors that process personal data on behalf of public authorities can face even heavier financial penalties if found to be in breach of GDPR rules. In most such cases, issues concerning penalties for infringement of data protection legislation must be resolved through the legal process and before the courts.
Working within the expanded parameters of this new legal framework, both the DPA and the Danish Consumer Council (DCC/Forbrugerrådet Tænk) are expected to bring a larger number of high-profile cases against equally high-profile “offenders” they suspect of violating GDPR rules.
The DCC is currently investigating Facebook’s data policies and compliance with Danish law. The investigation was triggered by the disclosure that Facebook is generating ads based on information about users’ religious, sexual, political and other interests. The DCC decided to take on the case after the DPA showed a clear lack of appetite to confront the social media giant on the matter.
Collaboration with BEUC
The investigation into Facebook is being conducted in collaboration with BEUC (Bureau Européen des Unions de Consommateurs), the Brussels-based umbrella consumer organisation that represents 43 different European consumer organisations in 32 countries. Because Facebook’s European headquarters is located in Dublin, the DCC has lodged its complaint with Ireland’s Data Protection Commission.
“Although Facebook has improved its terms, we share the view the company is still storing very detailed and sensitive information about individual users,” said Anette Høyrup, a senior lawyer with the DCC. “We need to look at all aspects of this from a legal perspective.”
The Danish regulatory spotlight on Facebook intensified in the wake of the Cambridge Analytica affair. The DCC believes around 42,000 Danish citizens with Facebook accounts and profiles had their private data leaked to the controversial political consulting and data mining firm. Facebook estimated that over 87 million users had their personal data leaked to Cambridge Analytica.
Facebook isn’t the only social media and technology actor on the DCC’s radar. The agency has investigated Google over privacy rights and for suspected breaches of Danish data storage laws. Specifically, the DCC is concerned that Google’s indefinite data collection practices may breach Danish consumer rights and privacy laws.
The DCC wants Google to do more to protect consumer and privacy rights by “capping” the amount of personal data it stores on its servers.