A Q&A with INFO Assistant Professor Ido Sivan-Sevilla
Dr. Ido Sivan-Sevilla
In January 2019, Google was fined $50 million by the French Data Protection Authority for not providing enough transparency around user data collection on its Android operating system. This was one of the first major penalties under Europe’s General Data Protection Regulation (GDPR) and was brought about by two NGOs. Since then, NGOs have been responsible for some of Europe’s largest GDPR fines.
In a recent paper, University of Maryland College of Information Studies (INFO) Assistant Professor Ido Sivan-Sevilla, along with University of Haifa Postdoctoral Research Fellow Inbar Mizarhi-Borohovich and Georgetown University Professor Abraham Newman, examined the nature of NGO participation in the implementation of European data protection legislation since the adoption of GDPR in 2018. We sat down with Sivan-Sevilla to learn more.
Why is it so significant that NGOs are behind some of the largest GDPR fines in Europe?
NGOs have changed the balance of power in EU privacy enforcement. Without the involvement of NGOs, mega privacy breaches by companies like Google & Meta would never turn into giant fines; surveillance-based monetization of online content would never be reconsidered; and the sneaky privacy harms of popular mobile apps would have remained far from the public eye.
From a two-party asymmetrical system of enforcement, where corporations are much more knowledgeable and powerful than their consumers, NGOs became a third-party to privacy enforcement actions in Europe: They represent data subjects in front of privacy regulators across national jurisdictions, put legal and technical expertise to work on behalf of consumers, and utilize their role to turn companies’ and regulators’ attention to what we frame as ‘strategic’ privacy issues: problems that affect millions of consumers, span boundaries, and require proactiveness and novel research that lead NGOs to cooperate with one another to hold firms into account and protect consumers.
What are the NGOs’ goals?
Different NGOs hold slightly different goals. Consumer organizations, organized under the umbrella organization BUEC, are mostly focused on creating a positive impact on the privacy of European consumers and tend to come together to hold ‘Big Tech’ firms to account. Traditional NGOs like Privacy International in the UK have traditionally focused on privacy threats from the government, but the elevation in NGOs’ potential influence through the recent European privacy regulation – The General Data Protection Regulation (GDPR) – led to the application of methods and privacy knowledge from those organizations to commercial privacy violations as well, closing privacy gaps in the market. The third type of NGOs was born with the GDPR. The Austrian noyb (none of your business) is the prime example. Its founder, Max Schrems, specifically stated that the mission of noyb is to create an even implementation of the promising GDPR across Europe, ensuring that Europe enjoys a clear and rigid pan-European privacy regime.
What are the downsides of this type of civic engagement in EU policy implementation?
We found that NGOs are converging toward a strategic transnational model of privacy implementation. They focus on the salient privacy issues that involve millions of consumers across national jurisdictions. This leaves out more ‘traditional,’ everyday, local privacy problems, like privacy malpractices from a local banker, without adequate care and attention by those civil society organizations. This potentially hurts the ability of consumers to utilize civic privacy engagement for their direct benefit in their local jurisdictions. For those issues with less publicity, consumers are vulnerable to the inability of national regulators to enforce the law, without NGOs fighting for their rights.
What are some of the benefits?
NGOs help close inherent enforcement gaps in the European privacy regime in various fronts: They inject legal and technical expertise that data subjects usually lack, and better represent their interests in front of regulators and tech companies in the enforcement process; they work collaboratively to pressure multiple regulators at the same time and address a burning transnational privacy problem; they name and shame companies, pressure them to change their privacy practices; and they lead to greater accountability by national privacy regulators in Europe. Those agencies are formally public agencies but provide selective and limited information on their discretion in the privacy enforcement process. I have been studying top-down privacy enforcement in Europe, and was able to get only 18 out of the 31 national privacy regulators to answer my straightforward questions, in an effort that spanned over a whole year. NGOs are constantly criticizing those regulators, nudging them to release information about their discretion in privacy cases to the public eye.
How do regulators and NGOs differ in their policy implementation patterns?
In my previous study on top-down privacy enforcement in Europe, I found that regulators are mostly limited in their resources and expertise and fail to meaningfully implement their promising strategy for privacy enforcement into actions. NGOs are obviously limited in resources as well, but are not obligated to look at each and every privacy complaint. They enjoy and utilize their liberty to go after highly-salient privacy problems or research practices to uncover new privacy problems in popular digital service providers. Regulators are also arguably constrained politically. The Irish data protection authority, for instance, might face a national conflict of interest when aggressively enforcing privacy rules over tech companies like Google and Microsoft in its jurisdiction, which are significant contributors to Ireland national tax income. NGOs are naturally more flexible than bureaucratic agencies and can quickly organize collective action over a privacy problem across NGOs and among various consumer groups, increasing pressure on companies to change their courses.
What are the implications of your research?
Our research highlights a much less-understood phenomenon in the regulation of privacy – NGO engagement in privacy policy implementation. NGOs have responded big time to GDPR’s Article 80 that enables them to represent data subjects in front of national regulators. They brought high-profile cases against leading tech companies that led to unprecedented fines.
Our work first offers a novel analytical map to better understand models of civic engagement in policy implementation. This framework can be applied across cases of civic engagement and tested over time. We then bring first empirical evidence after systematically analyzing NGOs who chose to engage in the privacy implementation process. We show how NGOs engage in actions beyond their member state and file cases with broad privacy implications. Those efforts increased the saliency of data protection issues, shaping the implementation of GDPR through bottom-up decision making and actions, potentially tilting the balance of power between companies and data subjects.
We show how any analysis of the EU’s problem-solving capacity should include not only interactions between member states and firms, but also an understanding of how third-parties engage and tilt implementation processes in a particular direction. Our study of the data protection domain suggests that NGOs play an underexplored role in filling certain implementation gaps, while leaving others potentially unaddressed.
Our article adds to a growing literature on the role of NGOs as more than simply agenda setters. While considerable research has drawn attention to how NGOs contribute to informal processes of naming and shaming, our research demonstrates the growing role that they play in activating and participating in legal complaints. In both representing citizens and directly taking on regulators, NGOs are increasingly part of formal compliance systems, which bring EU law to life.