A Fallacy Of Assumption that GDPR is well-enforced

Some of GDPR’s impact is also hidden—the law isn’t just about fines and ordering companies to change—and it has improved company behaviours.

FREMONT, CA: Since the data rights organization NOYB filed its first complaint under GDPR, 1,459 days have passed. According to Romain Robert, a programme director at the NGO, the complaints state that Google, WhatsApp, Facebook, and Instagram coerced consumers to give up their data without their consent. The complaints were filed on May 25, 2018, the day that the General Data Protection Regulation (GDPR) went into effect, protecting the privacy rights of 740 million Europeans. NOYB has been waiting for final decisions for the past four years. Since the General Data Protection Regulation took effect, data authorities tasked with enforcing the law have struggled to respond fast to complaints against Big Tech companies and the murky online advertising industry, with scores of cases still pending. While GDPR has significantly enhanced the privacy rights of millions of people both inside and outside of Europe, it hasn't solved all of the problems: data brokers are still hoarding and selling your data, and the online advertising sector is still rife with potential abuses.

Now, civil society organisations are dissatisfied with GDPR's limits, while authorities in certain countries say that the mechanism for handling foreign complaints is bloated and hinders enforcement. The information economy, on the other hand, moves at a rapid speed.  NOYB recently reached a legal settlement regarding the delays in its consent complaints. A senior legal officer at the European Consumer Organization complained about Google’s location tracking and that there still exists an enforcement gap. Brussels lawmakers originally suggested changing Europe's data standards in January 2012, and the final bill was ratified in 2016, granting businesses and organisations two years to comply. In addition to enhancing data protection rights, The GDPR changes how firms manage data, such as names and IP addresses, based on prior law. GDPR does not prohibit the use of data in specific circumstances, such as when police use intrusive facial recognition; instead, it is guided by seven principles that govern how data is handled, kept, and utilised. These ideas apply to both charities and governments, as well as pharmaceutical companies and large technology enterprises.

However, GDPR turned these principles into weapons, giving each European country's data regulator the authority to levy fines of up to four per cent of a company's global revenue and require businesses to stop engaging in practices that breach GDPR's principles.   Although it was never anticipated that GDPR fines and enforcement would come swiftly from regulators—cases in competition law, for example, can take decades—the total number of important verdicts against the world's most powerful data corporations remains excruciatingly low four years after GDPR went into an effect. Complaints against a corporation that operates in numerous EU nations are normally sent to the country where the company's major European headquarters are located, according to the GDPR's complex set of criteria. The country is in charge of the inquiry under this so-called one-stop-shop procedure. Luxembourg is in charge of Amazon complaints; the Netherlands is in charge of Netflix; Sweden is in charge of Spotify; and Ireland is in charge of Meta's Facebook, WhatsApp, and Instagram, as well as all of Google's services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.

GDPR enforcement, according to Europe's data regulators, is still maturing, but it is operating effectively and improving over time.  Over time, the number of fines has increased, reaching a total of €1.6 billion (about USD 1.7 billion). Last year, the Luxembourg government penalised Amazon €746 million, while Ireland fined WhatsApp €225 million. (Both corporations have appealed the rulings.) At the same time, a lesser-known Belgian law could revolutionise the ad tech business as a whole. Officials admit, however, that improvements to the GDPR's enforcement process might speed up the process and assure a faster response.