It is very nice to have a good infographic. See this infographic to understand (some of) the GDPR.
It is worth examining the infographic and contrasting it with Google’s latest boo-boo.
Significantly, that too, a belated recognition that the horse has bolted, was a feature of the Facebook/Cambridge Analytica scandal.
Every detail of that embroglio was long in the public domain before it was seen as a scandal. The “scandal” was the maturing of insights; it was a process of “learning”, of a realisation of what was already known and in the public domain.
What is new in the “current” Google scandal is this; the GDPR is now current law.
The GDPR, when it comes to members of the public, requires a complaint to be lodged with a supervisory authority before the authority is obliged to launch an investigation.
Except that’s not strictly correct.
That may be what the “spokesman” for the Irish Data Protection Commission means in his/her response to a media inquiry (although that’s doubtful).
“Ireland’s data protection commissioner is not currently investigating Google’s data-tracking controversy as the tech giant has not yet officially incorporated its data protection residency here, according to a spokesman.”
Article 57(1)(a) says each supervisory authority shall, on its territory; “monitor and enforce the application of this Regulation”.
If that provision is to be of value, it means that the Irish Data Protection Commission must act, when it learns of a potential breach of the GDPR, notwithstanding the absence of a complaint about Google.
As for the exact terms of the statement by the spokesman for the Data Protection Commission; there is no such idea in the GDPR (or the Data Protection Act 2018) as a data controller “officially incorporating a data protection residency”.
Is the Data Protection Commission denying that Google is in the territory of Ireland?
Or, more subtly, is the Data Protection Commission refusing to recognise that location tracking is a GDPR issue, as is the issue of data subject consent to data processing?
In fact, Section 110 of the Data Protection Act 2018 makes the situation clear;
“110. (1) The Commission, whether for the purpose of section 109 (5)(e), section 113 (2), or of its own volition, may, in order to ascertain whether an infringement has occurred or is occurring, cause such inquiry as it thinks fit to be conducted for that purpose.”
What is not clear is what the Data Protection Commission means by its obscure explanation.
Perhaps it means that only the private sector (data subjects and their lawyers) can secure justice for users and protection for their personal data?