Who is to blame for the patchy enforcement of the GDPR?

The General Data Protection Regulation's (GDPR) history of enforcement is the aspect of the law that has received the most criticism.

According to the European Data Protection Board (EDPB), cumulative fines imposed by data protection authorities (DPAs) under the GDPR as of the end of 2021 totaled more than 1.5 billion euros ($1.6 billion). However, some detractors contend that a sum of that size should have been imposed as a single fine in any one of the (relatively few) cases brought thus far against Big Tech companies, none of which has come close to the maximum of 4 percent of global turnover permitted by the law.


"We are still not seeing sufficient (GDPR) enforcement, in particular against Big Tech," European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski acknowledged to attendees in a speech on June 17 at the EDPS conference on the future of data protection and enforcement.


He listed three main "structural barriers": unequal burden distribution among DPAs, procedural legal distinctions impeding DPA cooperation, and "too late" and "probably too little" involvement by the EDPB to promote cooperation and hasten decision-making.


On April 29, the EDPB members decided to expand their cooperation in strategic cases and broaden the range of methods they employ, with the EDPB, if necessary, serving as the task force leader.

Wiewiórowski drew attention to the uneven burden of GDPR compliance, which falls on all but the biggest companies.


He claimed that "way too often, the GDPR puts its constraints on small entities but spares the big ones. In a way, instead of achieving a level playing field, we observe how big companies, thanks to their resources, can benefit from the lack of strong enforcement and further expand their advantage over small competitors."


In addition to criticizing the length of time it can take for people to receive a decision on a complaint, he supported calls for a study comparing GDPR enforcement decisions for businesses and public-sector organizations.


"We… see individuals who wait years to obtain justice, even in what can be seen as a small and simple case. With the plethora of the new legislation, the so-called Digital Rulebook, the data protection framework is at risk of becoming an orphan of the EU law," he warned.


Wiewiórowski agrees with others that DPAs should work more closely together to make decisions that everyone can agree on. He contends that the national laws governing the GDPR complaint process in EU member states pose "critical problems" for cooperation among data regulators.


Wiewiórowski added that "limited harmonization" will "not radically improve" the operation of the one-stop shop mechanism, under which national DPAs refer cross-border complaints to a company's European home regulator to act as lead authority. The reason, he said, is the need to get around the procedural barriers that have so far prevented decisions from being reached in the most contentious Big Tech cases. He acknowledged that the mechanism was turning into an "expensive shop."


To improve enforcement, a pan-European data protection enforcement model, according to Wiewiórowski, "is going to be a necessary step to ensure real and consistent high-level protection of fundamental rights to data protection and privacy across the European Union." Such an approach, he claimed, "would not only mitigate the problem of uneven allocation of responsibilities, but would also ensure real consistency across the EU, including through strong mechanisms of collegiality."


The model could also resolve the differences between national procedural laws that delay final decisions, since "key" investigations, particularly those involving Big Tech, could be conducted at EU level and subject to direct scrutiny by the Court of Justice of the European Union, rather than being led by a supervisory authority operating within its own national legal framework.


The uneven enforcement of the GDPR was a topic brought up by other speakers at the EDPS conference. Max Schrems, a privacy activist and the creator of the data privacy group None of Your Business (NOYB), cited DPAs as the culprit.


"The GDPR has enforcement mechanisms within it, but no one uses them. For example, there is the power for DPAs to do in-person investigations, but so far no DPA has done one," he said.


The GDPR is unusual as a piece of legislation, according to Schrems, because it specifically calls for cooperation between regulators without specifying how such cooperation should be carried out or what constitutes consensus.


Paul Nemitz, the director-general for justice and consumers at the European Commission, criticized DPAs' claims that they lack resources and blamed them for lax enforcement. According to him, it is up to DPAs to make sure they receive adequate funding from their national governments so they can carry out the tasks required by the GDPR and live up to consumers' expectations of an efficient regulator.


According to Nemitz, "DPAs should be brought before a court if they fail to act. There needs to be more organizations like Schrems's NOYB in each EU member state to hold DPAs to account."


Singled out in particular was the Irish Data Protection Commission (DPC), the principal supervisory body in the EU for Meta, Twitter, Microsoft, and Apple.


BEUC deputy director general Ursula Pachl criticized the Irish DPC's choice to classify its inquiries into Google and Facebook as "own volition" inquiries rather than as cross-border complaints brought by individuals, consumer organizations, and privacy campaigners. She argued that the scope of an "own volition" investigation, and any financial penalty resulting from it, would "inevitably" be reduced.


Tobias Judin, head of international at the Norwegian DPA, argued that because national DPAs' purview under the GDPR is pan-European, it is not appropriate for national governments to set their budgets. Budgets for regulators "need to be set at EU level," he stated.


Bojana Bellamy, president of the Center for Information Policy Leadership at the law firm Hunton Andrews Kurth, defended data regulators and laid the blame at the feet of the GDPR's monitoring requirements and scope limitations.


"EU DPAs have been given a bad set of cards under the GDPR. These authorities have other work to do with limited budgets than just monitor and regulate the GDPR. The EDPS has to take a bigger leadership role," she said.

By fLEXI tEAM