Last month, noyb and Access Now jointly hosted a three-day meeting in Vienna, celebrating the first year of the General Data Protection Regulation (GDPR) and focusing on advancing rights under the regulation through effective enforcement actions. The meeting mapped best practices on how to detect data protection violations and how to strategically lodge complaints with the various data protection authorities. Among the diverse set of attendees were representatives from data protection authorities, consumer rights organisations, researchers and NGOs from across Europe, including Privacy International, Bits of Freedom, Algorithm Watch, Open Rights Group, Digital Rights Ireland, D3, Homo Digitalis and Data Rights.

What did the meeting focus on?

The meeting was divided into four sessions, which covered several practical elements to take into account when litigating under the GDPR, such as the choice of jurisdiction and the differences between the various enforcement options available under the European regulation. Participants shared lessons learnt from their own experience with data protection cases and several breakout sessions saw participants joining forces in small groups to solve specific data protection problems. The two days of discussions were informed by analysis carried out by participants on actual privacy policies and data sets obtained through subject access requests, with a view to ascertaining areas for challenge. Other sessions zoomed in on the numerous differences contained in the GDPR transposing laws of different EU Member States, with a discussion around what the best venues are for certain kinds of challenge.

What were our findings?

Following the different panels, activities and discussions, the group observed that a substantial number of companies’ privacy practices are violating the GDPR, including some of the regulation’s most basic principles. Despite expanding their compliance programmes, businesses still appear to be grappling with their duties and responsibilities under the GDPR. It was noted that controllers often fail to comply with their duties, such as providing transparent and intelligible privacy policies or facilitating the exercise of data subjects’ rights. Eventually, the group observed that although it consists of a regulation, attention should also be given to the adaptation laws of Member States to determine whether they are consistent with the margin of manoevre allowed by the regulation.    

Collaborating at a European level

The event was a great opportunity for participants to share knowledge, join forces, collect feedback from practitioners, and engage in fruitful discussions on the most strategic ways to advance citizens’ rights through effective enforcement actions. Collaborating at a European level between NGOs is a priority and, in this regard, the event certainly was a positive step forward as participants actively engaged in all activities and committed to continue working together.

About the authors: Gaëtan Goldberg is a Data Protection Lawyer at noyb – European Center for Digital Rights, a non-profit organisation that aims to safeguard the fundamental rights to privacy and data protection. Estelle Masse is a Senior Policy Analyst and Global Data Protection Lead at Access Now.