Third
December 2024

Best of - Issue ten
Third: A new world


Alexander Hanff, privacy activist and co-founder of Think Privacy AB.
Interview of 17 May 2024

See the original contribution: Privacy or Surveillance by Design: fundamental issues in a world connected through IoT

Third (T): Five years after your article and six years after the implementation of the GDPR [1] in Europe (followed by numerous other regulations in other countries), do you think these legal rules have reduced the phenomenon of “surveillance capitalism” that you denounced?

Alexander Hanff (AH): There is certainly more awareness within companies (and among the general public) of what the GDPR is and what their obligations are. Whether or not these obligations are being met is an entirely different story. There is still too much unlawful surveillance going on, mainly because of a lack of enforcement of data protection rules. This is in particular true in the Internet of Things (IoT) space. It has been very difficult to get the supervisory authorities to respond appropriately to complaints.

For example, I filed my complaint against Withings with the Commission Nationale de l’Informatique et des Libertés (CNIL) in 2019 but there still has not been any decision. I was told that there was a much wider investigation into the IoT space, both at CNIL and European Data Protection Board (EDPB) level, which could explain a delay. But I still do not understand what is taking so long because they were provided with a massive amount of information and a detailed complaint. In addition, Withings has still not changed its behavior, even though it knows that it is under investigation. I filed a number of complaints with the CNIL and probably over a hundred complaints across the European Union in the last five years and they are all still pending.

Yet, we have seen the CNIL very active with big global tech companies (Amazon, Google etc.) but they seem to not be doing very much – at least publicly – in relation to everyday violations by IoT or smart device manufacturers. And keep in mind that I have a very good relationship with supervisory authorities because I work in the EDPB pool of experts [2]. So if I am unable to get them to take appropriate actions in an appropriate timeframe, the regular citizen really does not have much of a chance at all because (i) they probably do not understand the law and the technology as well as I do and (ii) they do not have the regulatory connections that I have.

What is the point of having these laws if they are not being applied and enforced? The number of complaints has increased since 2019 as a result of more awareness, but I suspect that this number will decrease in the future. On the one hand, citizens do not have any trust in the supervisory authorities anymore; they do not believe that their rights are protected, so they do not bother filing complaints anymore. On the other hand, we have companies who are not meeting their obligations because there is no fear, no incentive on their side to do so as a result of a severe lack of enforcement. It seems that the only way forward is going to be civil litigation, but there is a cost associated with that.

I try to remain optimistic but, at the moment, I would say that the GDPR has been something of an unmitigated disaster from an enforcement perspective. We had a couple of very big cases but if you look at the amount of collected fines and penalties over the past six years they are dominated by these big cases. We are still seeing penalties for large data breaches at €2,000 in the Czech Republic. Or we see the same companies being fined over and over again with relatively insignificant fines such as Vodafone in Spain. Authorities thought that if they took on big players, other companies would see what the consequences might be and start changing their own behavior. Reality is, it has not happened – they just feel like they are unseen. It is like there is a fog of GAFAM over the entire battlefield and everybody else can hide under the fog.

T: Would you say that this lack of enforcement is due to a lack of resources from a financial and a technical standpoint?

AH: Absolutely. For example, in the EDPB pool of experts, we have experts in law and experts in technology. I am one of the 4% with expertise in both (750 experts in total). That gives you an idea of the lack of talent within the European Union, particularly within the supervisory authorities.

When it comes to lack of financial resources, Member States have a part to play but so does the European Commission. The GDPR states that the European Commission has a legal obligation to ensure that Member States are effectively resourcing their supervisory authority. When you consider that CNIL is one of the better resourced supervisory authorities, it really does not paint a pretty picture for the rest of the European Union. Some of the supervisory authorities do have some pretty strong technical expertise on board but then lack the financial resources that they need to be able to go against big tech companies. A single case against Google can eat an entire budget for a year.

Maybe now that the European Commission is responsible for enforcing the Digital Markets Act (DMA) and Digital Services Act (DSA), it will take some of the focus away from these giant tech companies and allow them to focus on smaller companies.

T: Do you see GDPR and the ePrivacy Directive [3] as a way to have legal grounds to build models of surveillance capitalism – meaning that if you comply with regulations, you are authorized to have a business model exploiting privacy?

AH: Meta has tried it with its ‘pay or okay’ system, but any consent given with this model should not be considered as freely given: if you are in a ‘take it or leave it’ situation and you have many years invested in a platform, of course most people are going to consent but that does not mean that it is a free choice. Agreeing to such a practice would completely undermine any protection of privacy and data protection.

Any company which has built a business around surveillance capitalism has built an illegitimate business if it has not obtained valid consent from individuals. I do not think it is sensible for a democratic society to start changing laws around human rights just because it is inconvenient for companies because they have chosen to develop a business model which does not comply with the law.

Regarding such models, another issue related to the lack of enforcement is the nature of the sanctions themselves. Indeed, we are not seeing disgorgement of profits from unlawful processing. When a behavior has been determined as unlawful, the data is simply deleted. In the case of artificial intelligence, we are not seeing any deletion of models which have been built on unlawful data. The companies are being permitted to keep the unlawful fruits of their labor and continue making revenue off the back of the unlawful processing. I understand the environmental argument for not deleting those models because they take a lot of energy to train but I do not think it is a compelling argument when it comes to fundamental human rights. Maybe those models could be put into the public domain. But the company should certainly not be able to continue to profit from such unlawful processing.

T: In 2019, you mentioned that the number of connected objects was expected to triple in the next five years with the development of consumer-targeted objects. Is this still a growing phenomenon?

AH: Absolutely, there is an exponential climb at the moment, particularly with the emergence of smart devices. It is becoming more difficult to buy a home domestic appliance which does not connect to the internet (fridges, washing machines etc.), which is what we were expecting back in 2019. But alongside that, we have seen the number of violations increase massively as well because we are still seeing a significant lack of security when it comes to IoT.

We see it in the press all the time, particularly when it comes to organized crime or big hacking groups taking over things like cameras and using them for surveillance purposes or using them for botnets to attack other infrastructures. It is an issue that we predicted way back in 2010, and the situation is getting worse.


1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
2. The EDPB’s Support Pool of Experts was developed as part of the EDPB strategy to help data protection authorities increase their capacity to enforce by developing common tools and giving them access to a wide pool of experts.
3. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
