So far, Europe’s wide-reaching data privacy rules have seemingly failed to curb Big Tech firms’ use and abuse of citizens’ personal data.

Despite headline penalties against Amazon, WhatsApp, and Google, there is lingering criticism that the world’s largest social media and internet firms are getting away with noncompliance because of a mix of poor enforcement under the General Data Protection Regulation (GDPR) and because focusing primarily on data privacy ignores other areas—namely, unfair competition—where these companies trample over the law and abuse users’ data for financial gain.

Criticism has steadily mounted among legal experts and even some data protection authorities (DPAs) that the GDPR, which took effect in May 2018, has not yet proven itself to be the legislative tool to hold Big Tech firms to account and get them to change the way they operate.

Ulrich Kelber, Germany’s Federal Commissioner for Data Protection and Freedom of Information, has said the GDPR is not fully effective against Big Tech firms’ malpractice because it only focuses on one area of concern: privacy. He believes DPAs need to work with other enforcement agencies, namely competition regulators, because Big Tech’s use of data “goes beyond just privacy.”

Jowanna Conboye, technology partner at international law firm Spencer West, said, “The issues with Big Tech and how they operate in relation to users spans the wider legal landscape, and effective regulation cannot and should not be left solely to data protection authorities.” She added while the GDPR was designed for personal data, “much of the way its content is designed to work is already outdated.”

The EU’s proposed Digital Markets Act is trying to address these concerns by linking inappropriate data use to unfair competition.

Alternative measures

The slow progress of the Irish Data Protection Commission, the lead supervisory authority for many tech giants, to finalize its decisions on over two dozen cross-border complaints against the likes of Facebook, Google, Twitter, and LinkedIn has led to serious concerns about whether the GDPR needs to be tweaked, reformed, or even overhauled.

Věra Jourová, vice-president of the European Commission, recently said enforcement must improve. While DPAs need to be “rock solid” when making their decisions because there is no precedent, she believes they need to speed up their processes, especially around Big Tech. In November, she warned if DPAs can’t make the one-stop shop work, the Commission and the European Data Protection Board are likely to step in and take a “bigger,” more active role.

The slow turnaround of cross-border cases has prompted some data regulators to pursue their own investigations, often through other legislation.

“The GDPR was intended to center data subject rights and lift the overall standards of data protection of the personal information of European citizens by providing a baseline of expectations. … National rules relating to data, competition, and other areas of law provide options for flexibility.”

Isabel Ost, Director, KPMG Law

Last month, Italy’s competition authority fined Apple and Google €10 million (U.S. $11.3 million) each because they “aggressively” forced users into accepting their terms of service without providing them with clear enough information on the commercial uses of their data—a violation of the country’s consumer code.

The same Italian regulator has also fined Facebook twice since 2018, including earlier this year, for failing to inform users about how their data would be used commercially.

In December 2020, France’s privacy regulator, CNIL, fined Google €100 million (then-U.S. $121 million) and Amazon €35 million (then-U.S. $42 million) under French data protection legislation that preceded the GDPR for placing advertising cookies on users’ computers without consent. Both companies had done so before the GDPR came into force and continued the practice until September 2020, when such conduct could have been penalized under the GDPR.

Experts have argued the French data regulator deliberately sidestepped the GDPR so it could fine both companies purely on behalf of French citizens and avoid a lengthy Irish-led investigation that might have produced a final decision unsatisfactory to the CNIL.

Isabel Ost, director at KPMG Law in the United Kingdom, said the use of alternative legislation does not undermine the GDPR.

“The GDPR was intended to center data subject rights and lift the overall standards of data protection of the personal information of European citizens by providing a baseline of expectations, with EU member states having the option to exceed that baseline,” Ost said. “National rules relating to data, competition, and other areas of law provide options for flexibility.”

Julie Rubash, chief privacy counsel at privacy software vendor Sourcepoint, offered several reasons why a case might be prosecuted under national data legislation rather than the GDPR.

First, certain actions might violate local laws without violating the GDPR. For example, local laws implementing the ePrivacy Directive place certain restrictions on use of cookies and local storage that are not addressed in the GDPR. A company that is setting non-strictly necessary cookies without consent, therefore, might be more appropriately or more easily prosecuted under local laws.

Second, a country might wish to prosecute activity that started prior to the GDPR. “Prosecution under local laws, such as the French Data Protection Act, may allow countries to prosecute a longer period of historical activity to justify greater penalties,” said Rubash.

Third, she said, “a country may turn to local laws when they don’t have the authority to prosecute a given company under GDPR.” Although the Court of Justice of the European Union has allowed for supervisory authorities to enforce the GDPR against companies headquartered outside their country in certain circumstances, it requires following certain procedures (such as cooperation with other supervisory authorities) that might be less efficient than prosecution under local laws.

Put simply, if EU countries are struggling to enforce data privacy using the GDPR, then they are bound to look for alternatives under historic or national data legislation, competition rules, or laws relating to specific industries, said Jane Sarginson, a barrister at law firm St Philips Barristers.

“All are valid and available, so why not use them?” she said.