Europe’s Data Protection Board criticised after failing to comply with GDPR

Ironically, EDPB received a formal complaint just 5 days after GDPR was implemented

Just 5 days after the General Data Protection Regulation (GDPR) came into effect, Europe’s Data Protection Board (EDPB) faced a formal complaint. Alexander Hanff, consultant at Singularity University faculty for Data Ethics, voiced his frustrations with the contradictory body in an email.

The EDPB is an independent European body, “which contributes to the consistent application of data protection rules throughout the European Union,” according to the board’s official website. It was created to govern all the supervisory authorities and was established by the GDPR.

Despite the board's stated good intentions, it came to Hanff’s attention that the new EDPB website was using some of the most intrusive technologies. Device fingerprinting and tracking cookies require consent (opting-in) under the ePrivacy Directive, but the EDPB website only offered an opt-out option.

Hanff published a statement on Medium, in which he stated, “it has long been a frustration of mine (and many of my colleagues) that several Supervisory Authorities make bad choices with regards to their own compliance efforts on their public facing web sites.” Hanff thus attempted to persuade the board to comply with their own rules.

He added that despite “many efforts to persuade these Supervisory Authorities to take the correct approach, they have hidden behind weak interpretations of the Directive.” Technically, EDPB are not obliged to comply with the same regulations they enforce.

EDPB are governed by Regulation 45/2001, rather than GDPR or the ePrivacy Directive. According to Hanff, this regulation is “currently undergoing a review to bring it in line with GDPR but will not be ready until the end of 2018 at the earliest.”

This hypocrisy could hinder the widespread adoption of GDPR. Tech giants Apple, Google, Facebook, and Amazon are still failing to comply with the new European privacy rules, according to a study conducted by the consumer group BEUC.

Hanff explained this predicament to the EDPB, outlining “how difficult” their policy makes it for “advocates and advisers to persuade organisations to behave appropriately.” He argued that “Europe’s leading body for the protection of those fundamental rights” should be “leading by example not hiding behind a technicality of law.”

The data acquisition scandal has sparked Hu-manity.co to campaign for the introduction of a 31st human right – the right to our own data. Founded by Richie Etwaru, the foundation is the world’s first and only organisation developing human rights in a decentralised manner on blockchains.

Hanff echoed this sentiment, and stated that the principles are “based on the protection of our fundamental human rights.” His concerns were finally addressed in a plenary, and the EDPB stated that they had “decided to disapply the opt-out configuration with an immediate effect and switch to the opt-in as soon as technically possible.”

The nuanced nature of data laws means that organisations require a highly scaled service provider to automatically manage new regulations. The complex legislation thus has the potential to provide a fruitful opportunity for firms offering this service – like Amazon or Google.

Ironically, those companies who are (subjectively) the most accountable for non-consensual data acquisition may come out on top. Hanff stated that the European Commission and various other bodies are still protected by Regulation 45/2001, and are therefore failing to practice what they preach.

The hypocrisy of these bodies renders their regulations almost worthless. When it comes to convincing big tech companies to take the ethical approach, the regulators must lead by example.