12. @johnnyryan
“There must be a way for an individual to
prevent information about him that was
obtained for one purpose from being
used or made available for other
purposes without his consent.”
Report to Sec. Caspar W. Weinberger. Advisory Committee
on Automated Personal Data Systems, July 1973.
13. @johnnyryan
GDPR, Article 5 (1) (b)
Personal data shall be:
(b) collected for specified, explicit and legitimate purposes
and not further processed in a manner that is
incompatible with those purposes; further processing for
archiving purposes in the public interest, scientific or
historical research purposes or statistical purposes shall,
in accordance with Article 89(1), not be considered to be
incompatible with the initial purposes
16. @johnnyryan
Put a company’s
data under the
microscope.
17. @johnnyryan
1. An organization
collects some personal
data. It is lawful.
2. The organization has
many purposes that it
wants to use the data for.
3. The organization has an internal
data free-for-all.
4. But this is vulnerable to
enforcement of GDPR Article 5(1)b.
18. @johnnyryan
Many purposes.
But few lawful
data.
33. @johnnyryan
Data through Google’s own
properties (all purposes)
Data collected on other companies’
properties (all purposes)
All data used across all Google
businesses, in all markets
42. @johnnyryan
3,520 people work at European DPAs that regulate the private sector.
But only 8.6% are specialist tech investigators.
[Chart: per-country figures for UK, Germany, Austria, Belgium, Bulgaria, Croatia, Cyprus, Denmark, Estonia, Finland, France, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Netherlands, Malta, Czech Republic, Romania, Slovakia, Slovenia, Spain, Sweden, Portugal, Poland, Greece]
43. @johnnyryan
3,520 people work at European DPAs that regulate the private sector.
This is the thin line
policing big tech
But only 8.6% are specialist tech investigators.
[Chart: per-country figures, same countries as on slide 42]
44. @johnnyryan
Increases to DPA budgets
accelerated before the GDPR.
But governments have reduced DPA
budget increases since the GDPR.
[Bar chart: total increases to DPA annual budgets, in millions of Euro, rounded, for 2017, 2018, 2019 and 2020. Values shown, in order: €16.5, €32.3, €56.1, €32.6. The GDPR was applied on 25 May 2018.]
45. @johnnyryan
One Stop Shop “lead authority” case load per country
[Bar chart, countries in chart order: Ireland, Germany, Luxembourg, France, UK, Netherlands, Spain, Belgium, Sweden, Malta, Austria, Italy, Cyprus, Hungary, Estonia, Poland, Czech Republic, Finland, Denmark, Latvia, Lithuania, Romania, Greece, Portugal, Bulgaria, Croatia, Slovenia, Slovakia]
46. @johnnyryan
Lead authority case load per country
Twenty years of
annual budgets
UK: 56 cases
Germany (federal € only): 92 cases
Ireland: 127 cases
France: 64 cases
Luxembourg: 87 cases
[Line chart: annual budgets, 2000 to 2020, in millions of Euro, rounded; vertical axis 0, 30, 60, with €61 marked]
The GDPR was
applied on 25 May
47. @johnnyryan
The UK ICO is Europe’s biggest DPA.
It has 680 staff.
Its budget doubled from 2018 to 2020, to €61M.
But only 3% of its staff are tech specialists.
Organigram of ICO staff whose roles or training are primarily technical.
22 people
Head of tech. policy
Head of privacy innovation
Tech. adviser (secondment)
Tech. adviser (secondment)
Data ethics adviser
Executive director
Technology policy & innovation unit
Group manager technology policy
Group manager digital economy
Principal tech. advisor
Principal tech. advisor
Post-doctoral fellowship in AI
Senior tech. officer
Senior tech. officer
Team manager
Group manager
Cyber incident response & investigation unit
Principal cyber investigations officer
Principal cyber investigations officer
Principal cyber investigations officer
Lead technical investigations officer
Lead technical investigations officer
Vacancy
Team manager
Lead technical investigations officer
48. @johnnyryan
8 people (+ 1 vacancy) actually conduct ICO tech investigations
Team manager
Group manager
Cyber incident response & investigation unit
Principal cyber investigations officer
Principal cyber investigations officer
Principal cyber investigations officer
Lead technical investigations officer
Lead technical investigations officer
Team manager
49. @johnnyryan
Ireland’s DPA supervises Google and Facebook in Europe.
Even though increases in complaints are accelerating,
increases to its budget are decelerating.
37% requested from government
10% actually given
[Chart: % increase in budget and % increase in GDPR complaints received, 2017 to 2020; data labels shown: 79%, 75%, 60%, 31%, 56%]
50. @johnnyryan
German DPAs account for
nearly a third of Europe’s
specialist tech investigators.
This includes Länder
(regional) and federal DPAs
[Chart: annual budget (millions €, axis 0 to 120) against number of tech specialists (axis 0 to 120); points labelled Spain, Netherlands, Italy, Ireland, UK, Germany, Greece, France, Other EU Member States]
51. @johnnyryan
German Länder DPAs
[Chart: figures per Land for Baden-Württemberg, Bayern, Berlin, Niedersachsen, Hamburg, Bremen, Rheinland-Pfalz, Brandenburg, Hessen, Sachsen-Anhalt, Sachsen, Schleswig-Holstein, Vorpommern, Saarland‡, Nordrhein-Westfalen, Thüringen]
Not included on this chart:
Federal Commissioner for Data Protection and
Freedom of Information (BfDI): 185 staff, 22 of these
roles (including 10 vacancies) are tech specialists.
BfDI is responsible for postal and
telecommunications services, government
departments and federal institutions.
Bayern has a separate DPA that deals with the public
sector. Its 44 staff include 5 tech specialists.
‡Saarland tech specialist figure is an
estimate based on DPA response.
52. @johnnyryan
Too few tech specialist
investigators, and too few
funds to defend decisions
in court.
54. @johnnyryan
I have submitted a request to
the European Commission to
launch an infringement
procedure against European
Governments for their failure
to implement the GDPR.
55. @johnnyryan
EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE and CONSUMERS
Directorate C: Fundamental rights and Rule of Law
Unit C.3: Data protection
Brussels, 06.05.2020
JUST.C3/ks (2020)2747685
Dr Johnny Ryan
26 Dartmouth Road
Ranelagh
D06 FT98 Ireland
E-mail: johnny@brave.com
Dear Sir,
Thank you for your letter of 27 April 2020, which has been registered as a complaint under
reference numbers CHAP(2020)1136, 1137, 1138, 1140, 1141, 1142, 1143, 1144, 1145, 1146,
1147, 1148, 1149, 1150, 1151, 1152, 1153, 1154, 1155, 1156, 1157, 1158, 1160, 1161, 1162,
1163 (please quote these references in any further correspondence).
Ref. Ares(2020)2393042 - 06/05/2020
56. @johnnyryan
National recommendations
● far more specialist tech investigators, and competitive salaries to attract
talent.
● finance to allow DPAs to defend decisions against expensive legal
appeals.
EU-level recommendations
● The secretariat of the European Data Protection Board (provided by the
European Data Protection Supervisor) should establish a tech
investigative unit to support national DPAs. This unit requires a
substantial permanent staff, and a small rotating temporary staff from
national DPAs.
● The European Commission should refer countries to the
European Court of Justice if necessary.
60. @johnnyryan
1. GDPR enforcers are currently
ineffective (not tech savvy, small
legal budgets, low confidence).
2. Processing purpose is an elemental
unit of account that transforms
enforcement.
3. Purpose limitation is big tech
kryptonite, which can fix the market.