The regulation has been in force for three years but questions abound about effective enforcement with Ireland’s DPC in the spotlight.
The General Data Protection Regulation, the EU’s equally vaunted and criticised data protection law, turns three years old today.
GDPR came into force on 25 May 2018, promising a new age in privacy rights for Europeans. On paper, the legislation was a significant achievement but its enforcement since then has been tumultuous to say the least.
Many proponents of the law focused on the remit for issuing very large fines – up to 4pc of global turnover or €20m, whichever is higher – as a game changer and deterrent against lax compliance at companies, especially the larger tech firms.
To date, around 660 fines have been issued by various data protection authorities in Europe with a tally of €292m.
One of the first major fines was €50m imposed against Google by French authority CNIL over lack of transparency in its data consent terms in France.
Other bumper fines included €35.3m against H&M for snooping on employees, €27.8m against Italian telco TIM, €22m against British Airways and €20.4m against Marriott International.
It’s not just big companies that have felt the wrath of fines. A school in Belgium, a supermarket in Italy and a police officer in Estonia have all been hit with GDPR fines of varying amounts.
But the promise of whopper fines against the biggest, data-hungry tech companies hasn’t quite come to fruition.
DPC in the spotlight
Enforcement of GDPR has attracted a lot of criticism, with a great deal of that placed on Ireland’s Data Protection Commission (DPC). It is an authority that found itself at the centre of the world’s gaze with GDPR.
By virtue of the fact that so many major US tech companies have their EU headquarters in Ireland, these firms are answerable to the DPC under GDPR. It has meant a hefty workload for the regulator.
GDPR established a mechanism called the ‘one-stop-shop’, which allows the likes of Facebook, Google, Twitter and most recently TikTok to handle much of their GDPR responsibilities in one country. In this case, Ireland.
The DPC handles many cross-border complaints under GDPR against several major tech companies. While there are around two dozen major tech probes in the works, the DPC has faced much scrutiny from civil society groups and fellow regulators around the pace of its investigations.
The DPC has pushed back on these claims, arguing that investigations take time and resources and are not something to be rushed. In a recent Oireachtas hearing, Data Protection Commissioner Helen Dixon accused some of her critics of “exaggeration”.
At that same hearing, attending virtually, was Max Schrems, the Austrian privacy activist who has led a charge against the data practices of Facebook and is a regular critic of Europe’s data protection authorities in their enforcement of GDPR. Schrems took the opportunity to double down on his critiques of the Irish DPC.
As of this writing, the DPC has handed down one sanction against a major tech company in a cross-border investigation. That was against Twitter with a fine of €450,000. The investigation was subject to a review by the European Data Protection Board and the figure drew much scrutiny.
It sums up the tense relationship that has emerged through GDPR between expectations and due process.
That boiled over last week when MEPs in the European Parliament voted in favour of opening infringement proceedings against Ireland over its approach to enforcement.
But placing the spotlight on the DPC has drawn some pushback as well. Irish MEP Clare Daly, speaking to reporters last week, said the scolding of Ireland is disproportionate and that the system itself is flawed.
“There are weaknesses with GDPR enforcement, there’s no question about that. But laying the blame of that almost exclusively on the door of the Irish DPC is absolutely wrong and unfortunately the media has taken that stance in a lot of countries,” she said.
“It ignores the fact that the system and the way in which the GDPR is structured in and of itself facilitates delays.”
Other regulators have come under scrutiny for perceived slow actions too. Luxembourg’s data protection authority, which has oversight on Amazon in Europe, has faced censure over its enforcement of GDPR.
Many critics of the current GDPR system would like to see the end of the one-stop-shop mechanism and greater collaboration between authorities in Europe to share the workload around and speed up inquiries.
Hamburg’s regulator, which has been particularly active against major tech companies and levied the large fine against H&M last year, is one of the most vocal critics of the system.
“The one-stop-shop procedure has shown massive deficits as it leads to inefficiency, bureaucratic structures and to massive differences between law enforcement in purely national and EU-wide procedures,” Johannes Caspar, the Hamburg chief, said earlier this year.
Wojciech Wiewiórowski, the European Data Protection Supervisor, has also said some reforms to the one-stop-shop may be needed, but others have flagged that reforming a law that is only three years old is unnecessary.
Despite the intense debates around enforcement, GDPR is still held up internationally as a benchmark for data protection laws. US states, namely California, have followed suit with their own state privacy laws that take many cues from GDPR, while Brazil enacted its federal data protection law in 2020, bearing many similar hallmarks to Europe.
Back in Dublin, the DPC is expected to soon announce the results of its investigation into WhatsApp with a large fine in the region of €30m to €50m mooted by sources. After three years of bedding into a vast new law, it could set the stage for the coming years of GDPR enforcement.