Oireachtas Joint and Select Committees

Tuesday, 27 April 2021

Joint Oireachtas Committee on Justice, Defence and Equality

General Data Protection Regulation: Discussion

Mr. Max Schrems:

Exactly. On the number of heads, there are a couple of reasons for that. One good reason is conflict of interest. If, let us say, the brother of the current commissioner is bringing a case, who would even decide on that case because she would be inherently conflicted? We have these situations. That is very much connected to the advisory part which has just been mentioned. We have cases where the DPC has advised Facebook in ten meetings how to, in my view, bypass the GDPR. We filed a case exactly the very first day of the GDPR about that bypass only to figure out later that there were previous engagements. We are not allowed even to see these engagements or to know what they are. They are apparently half a State secret. It leaves a very problematic situation. It would not allow us to appeal any decision on the basis of that prior engagement and the independence issue. If there are multiple heads, there could be options to separate these parts from each other and thereby ensure there is no conflict.

On the complaints numbers, the view of the GDPR and of European DPAs is that there is easy access to justice if you have a complaint. The whole idea is there is a free procedure that is easy for every average person to use to get his or her access request or whatever it is. Obviously, free procedures in such areas draw a lot of attention from people who just submit stupid complaints and probably not the most relevant ones. That is common across the EU. Every DPA has that problem, but there are ways of getting rid of them. We see numbers where probably a third, 25% or 20% of these complaints do not make it into actual handling and 99.9% of cases do not see a final decision.

That leads to something of a negative spiral. The companies in their webinars and their rationale are risk-based. They are basically thinking that if it costs €1 million to comply with the GDPR but there is no realistic scenario in which they are going to get a penalty, then it makes business sense that they do not really comply with the GDPR. If I know the regulator is doing that regularly, it ends up in a negative spiral where there is less compliance and more complaints, which lead to an even greater clogging up of the system. This is a bit like the situation where, if we are on the street and we all feel that there is terror all over the place, clearing the street is very hard. Once that situation arises, if, when someone oversteps the law, the police are always there and present, people then usually self-police and comply with the law from the get-go, which does not require any complaints or DPAs, and so on.

One country where that worked quite well is France. There are hefty fines that are meant to be seen as dangerous.

In France, for example, it was decided that websites have to display cookie banners that actually state "Yes" or "No" and not "Yes" or an endless maze of options. Once the data protection authority there announced that, we saw in the statistics we were running that most of the cookie banners in France were suddenly compliant with the law. It did not really need complaints and it did not need enforcement. It just needed a credible threat of enforcement, and that is how law works in general. That is how we work in most other areas.
