Thank you. I was asked to give about a 20-minute presentation about what we are actually doing and how GDPR works for us, and it may be a rather dark presentation if you actually try to enforce all of that. But at the same time we can also go into what actually could work and what could make stuff better. So basically the GDPR violations we work on, as was mentioned, are typically the issues with international data transfers, espionage by the US but also by other countries, which we did more on. That's kind of known.
But we actually work mostly on, let's say, willful privacy violations by big tech companies. So how do you make money by just not complying with the law? That is actually where our main focus is. There are a couple of cases we brought, starting with the Google Analytics cases. We did cases, for example, on disinformation and personalized advertisement by political groups that could actually target you on your political beliefs and thereby flip them.
There are cases that we bring on credit scoring.
So in a lot of countries there are these credit scoring companies; in other EU countries they're not even known to exist. So in many countries they don't know that something like Schufa could even exist. But in countries like Germany, Schufa is a thing and everybody knows who they are. But it's interesting because some of them, for example the algorithms that they use, are extremely weird and you can really prove easily that the result has nothing to do with your actual creditworthiness.
There are other cases, for example one small case that we brought, where data was secondarily used by a payment provider. So they did not just get that you had to pay 300 euros, but they also got all the items you purchased, and that was implemented for example at an online sex store, so they could see each dildo that was bought, but also for example at an online pharmacy, where you could see all the health products that someone bought.
So that is stuff that we deal with. Another one that was kind of funny, or interesting, was Grindr, one of the gay dating apps that exist.
They had a pixel or a tracking SDK put in by MoPub, which was part of Twitter at the time. And we could show, together with the Norwegian Consumer Council, that more than 4,000 people would get where you're opening Grindr and where you are right now whenever you open this dating app. "Dating" is probably a bit of a euphemism; it's very much about getting a sex date right now, right away. And all these partners would pretty much get that information right away.
We also brought the first cases now on some of the AI situations, like ChatGPT, where they cannot correct any of the data anymore, stuff like that. So that is what we generally do, and our organization is mainly geared to do enforcement.
So the idea of enforcement is: no one ever complies a hundred percent with the law. Like anybody that ever crossed a red light late at night knows, we don't have to really comply with the law a hundred percent. But on the other hand, if no one follows the law, then why do we even have it?
So the idea of enforcement is how you get reality and law somehow closer together, always knowing it's not gonna be a hundred percent. One of the things that we have had as a discussion for the last 20 years is that we can solve privacy by more education and by being more aware of the problem. We now learn that doesn't really change anything, because people don't really have an option to go anywhere else. They're intertwined in systems so much that just the educational idea doesn't really get you very far.
The next step that we had in the discussion was the idea that people have to be more self-aware, which is a bit connected to the educational part, but then should take their own decisions. It's a wonderful framing to basically say you're the problem, you did something wrong in privacy, not we as the company. So we usually have a bit of an issue with that idea as well, because the average customer is not really able to make these decisions.
Anybody that has ever tried to read a privacy policy probably knows no one understands any of this, and you usually don't have any reasonable options in most products where you can just say yes, I want that, or not. So this idea is not really getting us all too far. Obviously there is the technical idea of having encryption, having safety systems where basically the other side can't even get your data.
And I'm aware a lot of people in the room here may be capable of that, but a large percentage of society is not gonna be capable of having their own little cloud server somewhere in the basement and managing all that themselves. So what we are working on mostly is actually the enforcement under the law. And that is quite interesting, because we now have the GDPR for more than eight years since it was actually issued the first time. And what was interesting is back then the law was actually extremely supported. We had more than 90% in the European Parliament that voted for the GDPR.
All the member states voted for this law other than Austria, because we thought it's not strict enough, for whatever reason. But politically and democratically these rules had extremely strong backing. But what we saw is that in reality the compliance hasn't really picked up to the same level, and it's talked down, and there's this kind of "crazy law" that you shouldn't comply with or can't even comply with.
So for us the interesting thing is, as an NGO that does enforcement, as an end game we basically have corporate behavior.
So we have the question of how we can get companies to comply with the law as a whole institution. So it's not just about individuals that think it's cool or not cool. How do we get whole institutions to follow a law that didn't exist so far? Right now we see, after the first hype of GDPR, more of a downward spiral. Like people realize, actually, if you don't follow it there is no consequence, and it costs a lot of money. So a lot of the kind of initial hype around GDPR we see kind of going away a bit and not really having a continuous move towards more privacy.
We actually did, for the first time, a study of more than a thousand data protection officers.
So larger companies need to have a data protection officer, and we asked them a bunch of questions, and one of the questions was: if an average data protection authority would walk through the door of an average controller tomorrow, would they see relevant GDPR violations? 74% of the companies, or DPOs, say yes. And it's really interesting that the people being in charge of this in companies themselves say that in an average company you'll find relevant violations right away.
So that is a bit the reality that we have right now. So how can we close that gap? The first option you usually have is you go to your regulator, the data protection offices that have to be in each country. For a long while the Irish data protection office looked like this. This is a supermarket; the upper part, the blue thing back there, is the data protection office that was in the countryside somewhere in Ireland.
They had I think 20 people at the time when we started and were regulating, I think, Microsoft, Google, Facebook, LinkedIn, Twitter, like basically all the big brands are all regulated out of this.
After we put this picture into international media, they now got a fancy big new office in Dublin, because no one wanted to see that picture anymore. Which is exactly the reason why I keep it in my PowerPoint presentations. But that's not an isolated incident. If we look at our cases, we actually have all our cases online.
So every night at three o'clock in the morning, all our case files get updated and everybody can click through them. If you look at what happens to data protection cases, the green ones are the ones that were somehow successful. All the gray part is all the stuff that isn't decided. So you largely have cases that just never get decided, or get decided years and years delayed. So overall we have a problem that theoretically you can go to some DPA and have your case dealt with, but if they don't do anything about it you have very little options.
For example, in Germany you can go to the local court to actually sue the DPA to do something, which costs you roughly 5,000 euros. So you have a free complaint, but to have anybody deal with your free complaint may cost you up to 5,000 euros, and you don't get the money back even if you win at the court. So that's the situation where in reality a lot of that doesn't really work as planned. Going back to Ireland, because that's my favorite exercise, they even claim that they can "handle" cases, which the law requires them to do, by just throwing them away.
So basically they have about 10,000 complaints a year but only eight or nine decisions a year. All the rest got "handled" without an outcome. So it's quite interesting that you see a situation where that doesn't really get you anywhere. We now even have a case, and this is just a symbolic picture for that, in Belgium, where the Belgian DPA started to investigate us and questioned our complainant on whether she even was voluntarily really trying to make a complaint.
We got her into the courtroom for a whole day testifying that she really, really wanted to make this complaint.
The Belgian DPA decided she was actually forced by us to make the complaint because she was previously a trainee, and therefore the whole case doesn't have to be dealt with. So it's interesting how an authority even tries to get rid of any of these complaints by investigating the complainant instead of the companies that you want to have investigated. Now this is kind of a bit the reality with a lot of the authorities.
We are, I usually say, kind of snowplowing a lot of that. So we do go to courts, we do sue them, we do say you have to do that, with success, but for an average person it's not really realistic that you get there and that you're gonna have any option to enforce your rights.
Now the second option that you have is civil litigation. You can theoretically go to your local court and you can then basically have all the damages and all these options. The reality of that in practice is that we usually have a lack of knowledge in the courts. They have never heard about the GDPR.
They do contract law, they do everything else, but GDPR they have never heard of. They are usually very interested in rejecting all these cases for exactly that reason. Most of the judges are rather hostile.
They again have to deal with a law that they don't know themselves. They have to deal with technology that they hate, because emails get printed, not looked at, and you have extremely high costs also, and the durations are mixed. In some countries it's actually quite quick. So the reality is you can also go to court instead of going to these regulators.
But if you want to do that, a normal civil court costs you about 20,000 euros, something in that ballpark; at least you get your money back if you win.
But for an average person to actually say "I'm unhappy about something that was done with my data," this is not really gonna happen. However, there is a new thing around, and that's really interesting. There is now the option of having collective redress in the European Union. So after Dieselgate, where everybody had to sue individually over their diesel motor, they introduced a law that is the collective redress directive. It's now gradually implemented in the member states and it allows you to actually group cases together. And it's very simple.
We had a Facebook case, for example, in Austria, where class actions were already possible and we were able to have nominal torts. We asked for 500 euros a piece.
You can basically get unjust enrichment, which means whatever profit the company made from your data; you can have injunctions, so "stop doing it." At the time we got 25,000 participants in just seven days, which is quite the number. And you could usually get that financed by a procedure financing company that takes all the financial risk of the whole exercise. So that's quite an interesting situation.
So instead of having one person, you can group all of that together, which means if you have litigation costs that are, let's say, a hundred thousand euros, but you divide it by 1 million people, your litigation costs went down to 10 cents, and that is pretty much what collective redress can do here. The factors that you usually look for in collective redress are large numbers, large claims and very similar factual issues. And that is exactly what technology cases usually have: huge numbers.
You have somewhat large claims, and usually everybody used exactly the same software and it's exactly the same situation. So it's not like when you have an investment case, where everybody had a different bank person describing what the investment risks are. You have a very unified situation, and that's perfect for collective redress. What you can do there is basically a cross-country case. You have to do opt-in.
So basically each person has to say "yes, I wanna join the collective redress," opposite to some member states and especially opposite to the US, where there is a class action where basically a lawyer just walks up and says "hereby I represent every customer." That's not possible in Europe. Everybody really has to say "I wanna join," and there must be some option to also have some kind of procedure financing or something like that. Way back when, we did the first version, the 25,000 people option in Austria, and we even had a website, a mobile app, so to say.
And it's quite nice because you can even automatically collect your claimants. So we had a login with Facebook, for example, to verify that they actually already have a Facebook account, and that really allows you to do a lot of these cases in a quite interesting way. Now when you come to data protection cases, the big question is how much does it cost, how much money is in it? What's really interesting is the Court of Justice has gone pretty far forward on the emotional damages in the GDPR.
So you can have out-of-pocket losses, but usually if you have a right like freedom of speech or privacy, there is no out-of-pocket loss. There is usually what we call emotional damage, which doesn't mean someone has to cry; it's just a non-tangible damage, and the Court of Justice is not going very far on that but also doesn't limit it in any way.
So we do have an option now that in a lot of these privacy cases we will see damages per person, which may be just a couple of hundred euros or even less, combined with a very large number of people.
So if you do the math and you have 1 million affected people, 10 million affected people, and everybody wants to have a hundred euros, that reaches numbers that even large companies have to think about twice. There is an option to do something similar to that under Article 80 of the GDPR; I just wanna mention that there are also options other than collective redress where you can do more or less the same thing. Last but not least, the other thing that we realized worked quite well was what we call mass complaints.
So one of the big problems in GDPR litigation is that no one does something like that.
Like a speeding camera?
No, like in Austria the speeding cameras automatically read the license plates, they automatically check who the owner of the car is and automatically issue a ticket, so that no person ever touches a speeding ticket. It's just basically automatically done, and then you get an ID, and under that ID you pay the money, and when the money reaches the thing, it's canceled. No one has ever touched a speeding ticket there. Now you can do a lot of that with privacy violations as well. We, for example, looked into cookie banners.
I mean, I think everybody hates cookie banners, as a given, but we tried to find out how they are designed and how they use dark patterns so that you actually click on something that you don't wanna click on. And what was interesting is almost all of these companies have a JSON configuration file where each element is set, like for example "banner: show reject-all button: false".
So the reject-all button that is suddenly gone on the front end is actually in the JSON file.
So you can automatically track that and figure out how they manipulated the banner in different ways, and we were able to basically scan websites automatically. We did send every company that we sent the complaint to a compliance guide, which really says: you can log in exactly at this page, go there, click that button to be compliant. So we gave them a lot of space to actually be compliant without any cost or anything charged or anything like that. But it was interesting to see how we can get companies to comply without going through the whole legal system, so to say.
Part of what we did is, because companies love to do A/B testing, we also did A/B testing, which is we A/B tested different emails to the companies and said, okay, which formulation actually gets more compliance?
Which is actually something that a company forwards internally and that gets someone excited to comply or not. I can show you the statistics of the end result. So that's basically over three weeks, four weeks: if they opened it and if they complied. And what's interesting is the kind of more pushy email got way quicker responses.
But overall, and that helps me with my trust in society, the very neutral one actually succeeded in the end. So it was interesting also to see what gets compliance on the other side. With this system we got a 42% compliance rate just with one email. So much more efficient than going through the public bodies and the authorities or the courts. But what was even more interesting than the first round was that we actually scanned about 5,000 websites and three months later wanted to continue, which basically meant we sent the emails just to 500 websites.
So there were still 4,500 websites with violations that we hadn't even emailed or done anything about. What happened was a chain reaction, in that companies realized "oh, I'm using the same software, they're going for that software," and suddenly all of them were compliant without ever being touched or ever having any email. That's what in legal sociology you call, a word that I can't recall right now, general prevention. So to say that just the knowledge of enforcement makes people comply automatically without having to go to everybody.
So it's kind of this knowledge that there are speeding cameras which makes sure people don't speed crazily, and that is pretty much what we could do in the GDPR as well, and what especially the regulators could do as well, because this software is something that is happily shared with any regulator as well and would really allow us to move stuff forward and get enforcement done somewhat in an efficient way.
Last but not least, also to protect the companies that already comply, because we see a big divergence between people that actually invest a lot in this and try to do the right thing, but they have to compete with a lot of people that do not, and proper enforcement can hopefully help in this relation as well. Thanks a lot. I hope that was useful for you guys and we still have a conversation here.
Anyways,
That was a great presentation. Thank you so much. There will be a panel afterwards in which you will be taking part. When I was looking at your website I saw a lot of use cases for abuse of data. Yeah. Pirates.
So what, in your opinion, is the most important one that we need to fight first?
That's really hard to say, and I think what triggers me mostly is oftentimes the secondary use of data. I mean, the GDPR had this idea of: you have to tell people what you're gonna do with their data and you keep it at that. And now we see, especially for example with this whole idea of AI, that there is more and more the idea of "okay, we just have this data anyways, let's just use it for something else."
The best example is Meta now saying "we use all your data from the last 10, 15 years that you ever put in a social network to put it into some AI technology" that is not even further defined. So there's a lot of secondary use of just taking stuff you have for one purpose and using it for something totally different.
Yeah,
So purpose binding, which is one of the requirements.
Yeah. Purpose limitation is
Not adhered to. Yeah. And also third-party sharing and the right to be forgotten.
Yeah. It's part of the third-party sharing, but there's also a lot of internal further use. So the purpose limitation also binds companies within their own use.
So if I, you know, consent for this one purpose, they shouldn't use it for something else. Yeah. These principles are oftentimes the core issues that we deal with. Yeah.
And if we look at all the things that are happening, cookie banners, online and mobile tracking data, credit scoring, data transfers, there are I think 30 use cases. Which one is the most important of those?
I think they're all equally important, at least in my heart. They're all dirty, but you can exactly go through all the cases and pick the one you find interesting or not. Yeah. So we try to do a lot of cases.
We just filed one today, for example, with Microsoft in schools, because we realized that a lot of the big tech companies just shift the responsibility to some local school that should then be in charge of everything that happens to student data. Which is also a big problem, this responsibility shifting between the different companies, because oftentimes the companies that don't even know what's going on in the system are suddenly liable for it. Which, yeah, also usually doesn't make much sense. So
That brings me to the last question before the panel will start.
How do you find your data protection professionals? Because in my country we have of course the authority, the data protection authority, and it's very difficult. They can't answer the questions because they don't have personnel and knowledgeable experts. What do you do about that? How do you
solve that? So we are in a very lucky position, because we usually get a hundred applications per opening. So that's, you
Company
In this bubble.
Very, very exceptional. Exceptional. But what we have to say is we have a huge quality problem in the data protection field. I usually joke that in 2018 everybody that read two lines of the GDPR suddenly got a job. Yeah. And not a lot of the quality is really there.
So it's not an easy task. You also especially have to understand technology, because as a lawyer, if you don't know the facts, what are you gonna do? Yeah. So we are lucky because we can find people, but overall we see a negative trend, because as a data protection officer, if you bother people too much, you're not gonna get your next raise. Companies are not overly interested in having you understand stuff all too well. So unless there is a consequence, I think there are a lot of incentives to not really go forward.
I have to put an asterisk because we're in Germany: the DPOs in Germany usually are a bit of a different breed, because there is a tradition of DPOs in Germany that existed before the GDPR, whereas in all other member states that job didn't even exist before. Yeah,
Yeah. So the combination of technology and legal knowledge, I think that's something that could be a nice thing to look at for
the future. Yeah. And that can also help companies to actually comply and to not go too far.
Because we also see that a lot of DPOs, or a lot of privacy experts, so to say, because they don't know the law, also suddenly demand things that the law has never said. So we sometimes see the quality go in all directions. Yeah. And that's at least what we see. Yeah.
Thank you so much. Thank you. And enjoy the panel.