Fifty Shades of GDPR Privacy: The Good, The Bad, and The Enforcement
cepa.org/article/fifty-shades-of-gdpr-privacy-the-good-the-bad-and-the-enforcement/
The GDPR was designed as the globe’s toughest privacy law. Companies that violate it
face giant fines, up to 4% of global annual turnover or €20 million, whichever is higher,
and the law has become a powerful example of the so-called Brussels effect, inspiring
similar privacy-protecting laws in numerous jurisdictions and highlighting widespread
unease among consumers about companies “watching” their behavior and targeting ads.
And yet, the much-ballyhooed GDPR is neither as strong as its advocates claim, nor as
extreme as its detractors charge. Fines are few and far between. Big Tech has managed,
for the most part, to comply, while small tech companies struggle with high compliance
costs. The GDPR’s mixed record has convinced European regulators that they need to fix
the way their regulations are enforced.
When the GDPR came into effect in 2018, it required companies to have a lawful basis for
every use of personal data about anyone in the EU, not only its citizens, and the basis
most businesses reach for online is consent. Importantly, the law does not ban targeted
advertising, even though supporters promised an end to surveillance capitalism. It just
requires that consumers consent to it. Europeans are inundated with pop-up screens asking
for their consent almost every time they surf the web. Most of the time, they click yes.
To them, the GDPR is more annoying than effective.
Enforcement is, at best, patchy and inconsistent. As with most EU legislation, national
authorities are responsible for pursuing violations. National data protection authorities
(DPAs) investigate complaints, determine breaches, and issue sanctions (which can be
contested in court). For companies operating across borders, the “one-stop-shop” rule
hands the lead to the DPA of the country where the company has its main EU
establishment, which is why cases against most Silicon Valley firms land in Ireland.
In practice, the DPAs’ determination to levy fines is linked to their resources – which, in
most cases, are limited. According to a recent report published by the European Data
Protection Board, 77% of DPAs complain about a lack of budget and personnel. While
German DPAs employ around 1200 staff, Belgian, Croatian, and Romanian DPAs
average only 50.
Not surprisingly, national regulators diverge on the number and severity of prosecutions.
In 2022, GDPR fines totaled €832 million. Meta, the parent company of Facebook,
Instagram, and WhatsApp, accounted for 80%, with its largest fine reaching €405 million.
Other Silicon Valley giants top the list for repeated GDPR violations. This raises the
question of whether the deterrent effect of “the toughest privacy law in the world” is
working – or if GDPR fines have become a part of the cost of doing business for Big
Tech.
In contrast, GDPR disproportionately impacts small and medium companies that need to
comply in the same way as their larger counterparts but have fewer resources. The high
costs hurt innovation and economic growth — one of the reasons why many European
tech start-ups choose to scale up outside of Europe. GDPR has injected “tremendous
regulatory uncertainty for businesses over arcane legal issues that are completely
divorced from the everyday concerns of Internet users,” criticizes Daniel Castro of the
ITIF think tank.
Additional tensions stem from the restrictions imposed on personal data transfers to third
countries and international organizations. GDPR allows data to be transferred outside the
EU without further safeguards only if the European Commission judges that the receiving
country provides an adequate level of protection. The Court of Justice of the European
Union insists that this adequacy must include “democratic controls” over government
access to personal data. This issue represents the core of the Schrems saga, cases brought
by Austrian privacy activist Max Schrems that struck down the two successive EU-U.S.
transfer frameworks, Safe Harbour in 2015 and Privacy Shield in 2020. Those judgments
left companies on both sides of the Atlantic in regulatory limbo, with limited options for
legal data transfers.
Although the EU and the U.S. recently forged a new transatlantic data deal that might
hold up before European courts, the tension underscores the hypocrisy of the European
regulatory environment. Data transfers to the U.S. have twice been struck down in
Luxembourg, while transfers to countries such as Russia and China, which have no
adequacy decision either, have drawn no comparable scrutiny.
The US must take its share of the blame. Although California and a few other states have
passed privacy legislation, Congress has failed to enact a national law. Without
comprehensive US privacy protections, Europe is left alone as the democratic
alternative. Despite its shortcomings, GDPR has succeeded in launching a constructive
discourse on how to protect personal data. It has turned data protection from a
fundamental right on paper into one that individuals can actually enforce.
A former CEPA Denton Fellow, Anda Bologa is now a PhD candidate at the Fordham
School of Law.