If there is an aspect of the General Data Protection Regulation (GDPR) that has been subject to widespread condemnation, it is the law’s enforcement record.
The European Data Protection Board (EDPB) likes to trumpet that as of the end of 2021, cumulative fines issued by data protection authorities (DPAs) under the GDPR added up to more than 1.5 billion euros (U.S. $1.6 billion). But some critics believe that amount should have been imposed as a single penalty for any one of the (relatively few) fines so far against Big Tech firms—none of which have come close to the maximum 4 percent of global turnover allowable under the legislation.
In a speech June 17 at the European Data Protection Supervisor’s conference on the future of data protection and enforcement, EDPS Wojciech Wiewiórowski admitted to attendees, “We are still not seeing sufficient (GDPR) enforcement, in particular against Big Tech.”
He cited three main “structural obstacles”: unequal burden sharing among DPAs, procedural law differences hampering cooperation between DPAs, and “too late” and “probably too little” involvement by the EDPB to aid cooperation and push through faster decision-making.
On April 29, EDPB members agreed to further enhance cooperation on strategic cases and diversify their range of methods used, with the EDPB leading a task force on particular cases if necessary.
Wiewiórowski noted the compliance inequalities the GDPR was having on all but the largest companies.
“Way too often, the GDPR puts its constraints on small entities but spares the big ones,” he said. “In a way, instead of achieving level playing field, we observe how big companies, thanks to their resources, can benefit from the lack of strong enforcement and further expand their advantage over small competitors.”
He supported calls for a study into GDPR enforcement decisions for companies compared to public-sector organizations and criticized the length of time it can take people to get a decision on a complaint.
“We … see individuals who wait years to obtain justice, even in what can be seen as a small and simple case. With the plethora of the new legislation, the so-called Digital Rulebook, the data protection framework is at risk of becoming an orphan of the EU law,” he said.
Like others, Wiewiórowski wants greater coordination between DPAs to reach decisions they can all accept more quickly. He believes EU member states’ national laws governing procedure over GDPR complaints are causing “critical problems” for cooperation between data regulators.
Wiewiórowski added that “limited harmonization” will “not radically improve” the functioning of the one-stop shop mechanism, whereby national DPAs submit cross-border complaints to a company’s European home regulator to act as lead, because of the need to overcome the procedural structures that have so far caused bottlenecks in finalizing decisions around the most contentious cases involving Big Tech. He admitted the mechanism is becoming an “expensive shop.”
To improve enforcement, Wiewiórowski said a pan-European data protection enforcement model “is going to be a necessary step to ensure real and consistent high-level protection of fundamental rights to data protection and privacy across the European Union” in the future. He argued such a model “would not only mitigate the problem of uneven allocation of responsibilities, but would also ensure real consistency across the EU, including through strong mechanisms of collegiality.”
The model could also address the specific differences between procedural laws delaying final decisions, as “key” investigations—notably those involving Big Tech—could be conducted on an EU level and subject to direct scrutiny of the Court of Justice of the European Union rather than led by a supervisory authority operating within its own national legal framework.
Other speakers at the EDPS conference weighed in on the GDPR’s uneven track record of enforcement. Privacy campaigner and founder of data rights group None of Your Business (NOYB), Max Schrems, blamed DPAs.
“The GDPR has enforcement mechanisms within it, but no one uses them,” he said. “For example, there is the power for DPAs to do in-person investigations, but so far no DPA has done one.”
Schrems added the GDPR is unusual as a piece of legislation because it specifically calls for cooperation between regulators without being clear about how such cooperation should be carried out or what consensus should look like.
Paul Nemitz, principal adviser in the European Commission’s Directorate-General for Justice and Consumers, also blamed DPAs for weak enforcement and criticized their claims they are under-resourced. He said it is up to DPAs to ensure they get adequate budgets from their national governments to do the required work under the GDPR to meet consumer expectations of being an effective regulator.
“DPAs should be brought before a court if they fail to act,” said Nemitz, who added, “There needs to be more organizations like Schrems’s NOYB in each EU member state to hold DPAs to account.”
The Irish Data Protection Commission (DPC), the EU’s lead supervisory authority for Meta, Twitter, Microsoft, and Apple, was particularly targeted.
Ursula Pachl, deputy director general at European consumer organization BEUC, criticized the decision by the Irish DPC to class investigations into Google and Facebook as “own volition” inquiries rather than cross-border complaints initiated by individuals, consumer groups, and privacy campaigners. She argued an “own volition” investigation would “inevitably” see a reduction in the scope of the inquiry, as well as any financial penalty.
Tobias Judin, head of international at the Norwegian DPA, said it is not appropriate for national governments to set the budgets of national DPAs when their scope under the GDPR is pan-European. He said regulators’ budgets “need to be set at EU level.”
Bojana Bellamy, president of law firm Hunton Andrews Kurth’s Centre for Information Policy Leadership, defended data regulators and instead blamed weaknesses in the GDPR’s scope and monitoring requirements.
“EU DPAs have been given a bad set of cards under the GDPR,” she said. “These authorities have other work to do with limited budgets than just monitor and regulate the GDPR.” Consequently, she said, “The EDPS has to take a bigger leadership role.”