GDPR Privacy: The Good, The Bad and The Enforcement
cepa.org/article/fifty-shades-of-gdpr-privacy-the-good-the-bad-and-the-enforcement/

By Anda Bologa February 8, 2023

The GDPR was designed as the globe’s toughest privacy law. Companies that violate it
face giant fines, up to 4% of sales, and the law has become a powerful example of the
so-called Brussels effect, inspiring similar privacy-protecting laws in numerous
jurisdictions and highlighting widespread unease among consumers about companies
“watching” their behavior and targeting ads. 

And yet, the much-ballyhooed GDPR is neither as strong as its advocates claim, nor as
extreme as its detractors charge. Fines are few and far between. Big Tech has managed,
for the most part, to comply, while small tech companies struggle with high compliance
costs. The GDPR’s mixed record has convinced European regulators that they need to fix
the way their regulations are enforced.

When the GDPR came into effect in 2018, it required companies to gain consent from any
EU citizen from whom they collect data. Importantly, the law does not ban targeted
advertising, even though supporters promised an end to surveillance capitalism. It just
requires consumers to consent. Europeans are inundated with pop-up screens asking for
their consent almost every time they surf the web. Most of the time, they click yes. To
them, the GDPR is more annoying than effective. 

Enforcement is, at best, patchy and inconsistent. As with most EU legislation, national
governments are responsible for prosecuting violations. National data protection
authorities (DPAs) investigate complaints, determine breaches, and issue sanctions
(which can be contested in court).

In practice, the DPAs’ determination to levy fines is linked to their resources – which, in
most cases, are limited. According to a recent report published by the European Data
Protection Board, 77% of DPAs complain about a lack of budget and personnel. While
German DPAs employ around 1200 staff, Belgian, Croatian, and Romanian DPAs
average only 50. 

Not surprisingly, national regulators diverge on the number and severity of prosecutions. 
In 2022, GDPR fines totaled €832 million. Meta, the parent company of Facebook,
Instagram, and WhatsApp, accounted for 80%, with its largest fine reaching €405 million.
Other Silicon Valley giants top the list for repeated GDPR violations. This raises the
question of whether the deterrent effect of “the toughest privacy law in the world” is
working – or if GDPR fines have become a part of the cost of doing business for Big
Tech. 

In contrast, GDPR disproportionately impacts small and medium companies that need to
comply in the same way as their larger counterparts but have fewer resources. The high
costs hurt innovation and economic growth — one of the reasons why many European
tech start-ups choose to scale up outside of Europe. GDPR has injected “tremendous
regulatory uncertainty for businesses over arcane legal issues that are completely
divorced from the everyday concerns of Internet users,” criticizes Daniel Castro of the
ITIF think tank. 

Disagreements between European regulators add to the regulatory confusion. Ireland’s
DPA approved Meta’s policies to gain consent from users. But German, French, and other
European DPAs disagreed and the European Data Protection Board forced the Irish
regulator to fine the company €390 million. Not surprisingly, Meta has protested and taken
the case to court. A final decision will not be reached for several years. 

Additional tensions stem from the restrictions imposed on personal data transfers to third
countries and international organizations. GDPR specifies that data may be transferred
outside of the EU if the European Commission judges that the receiving country provides
an adequate level of protection. The European Court of Justice insists that this adequacy
must include “democratic controls” over government access to personal data. This issue
represents the core of the Schrems saga, cases brought by an Austrian law student
successfully contesting the legitimacy of transatlantic data transfers. European court
judgments left companies on both sides of the Atlantic in regulatory limbo, with limited
options for legal data transfers. 

Although the EU and the U.S. recently forged a new transatlantic data deal that might
hold up before European courts, the tension underscores the hypocrisy of the European
regulatory environment. Data transfers to the U.S. are jeopardized – while transfers to
countries such as Russia and China are unaffected. 

The US must take its share of the blame. Although California and a few other states have
passed privacy legislation, Congress has failed to enact a national law. Without
comprehensive US privacy protections, Europe is left alone as the democratic
alternative. Despite its shortcomings, GDPR has succeeded in launching a constructive
discourse on how to protect personal data. It has transformed data protection into a
human right. 

Reform is required to lock in these achievements. European policymakers have learned
from the GDPR that decentralized enforcement produces a mess; they have given
Brussels the lead powers to prosecute violations of the upcoming Digital Services and
Markets Acts, which attempt to increase competition in digital markets and reduce the
amount of illegal content on platforms. These Brussels Internet regulators now must
receive adequate resources. They must use these resources and power with wisdom,
finding a good balance between forcing Internet platforms to be responsible while
avoiding crushing innovation. 

A former CEPA Denton Fellow, Anda Bologa is now a PhD candidate at the Fordham
School of Law. 

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on
tech policy. All opinions are those of the author and do not necessarily represent the
position or views of the institutions they represent or the Center for European Policy
Analysis.
