As Europe’s flagship privacy law celebrates its second birthday, a question still dogs regulators: Where is the big-ticket enforcement?
Since May 2018, European privacy watchdogs have levied just over €150 million in fines under the General Data Protection Regulation, or GDPR.
Collectively, regulators’ budgets to police and enforce the rules now stand at almost €300 million, an amount far lower than what many officials would like. Almost 300,000 complaints have been filed against everyone from Facebook and Google to mom-and-pop stores across the 27-country bloc.
But two years since the EU’s flagship privacy regime came online, Silicon Valley’s biggest names remain largely unscathed despite a volley of complaints. Ireland, which plays host to many of these tech giants, announced Friday it had finalized an investigation into Twitter, its first targeting a Silicon Valley firm.
The decision has been submitted to other EU regulators who must approve it. A final decision and possible fine are due next month.
The Netherlands is still investigating Netflix, while Luxembourg’s privacy authority, which has jurisdiction over Amazon and PayPal among others, has yet to issue a single enforcement notice.
“I’m completely critical of the enforcement structure of the GDPR,” Johannes Caspar, head of Hamburg’s data protection agency, told POLITICO. “The whole system doesn’t work.”
David vs. Goliath
Part of the problem is clunky cooperation between EU officials.
Under the region’s new privacy laws, the watchdog where a company is headquartered is responsible for investigating all possible infractions by that firm across the bloc. But some authorities, notably those in Germany, have criticized the system as ineffective and ultimately unfit to protect Europeans’ privacy rights. They have suggested the creation of a pan-European regulator to rein in Big Tech.
But such a wholesale change is beyond the scope of the European Commission’s upcoming evaluation of the rules, which is expected on June 10. More likely is a call for greater use of existing cooperation mechanisms, including a monthly meeting among regulators in Brussels.
“One of the problems with the GDPR is that it has become the law of everything,” said Helen Dixon, the Irish privacy regulator, in an interview with POLITICO. “It’s drawing data protection authorities into making an awful lot of decisions that impact societies and individuals that appear to go well beyond the data processing.”
The coronavirus crisis has piled extra pressure on regulators as governments have turned to data gathering techniques, from contact-tracing smartphone apps to thermal cameras for temperature checks, to halt the virus’ spread.
Regulators have offered vastly different responses to those activities.
One theme unites all regulators, however — a lack of resources.
Amazon’s global revenue exceeded €257 billion last year, but the Luxembourg authority overseeing its EU operations has a budget just shy of €5.5 million, with 43 employees.
The Irish watchdog’s annual budget of around €15 million is mostly pocket change compared with the billions earned annually by Facebook, Google and Microsoft. Almost every EU agency is understaffed and underfunded for the job they have been tasked with under the new rules.
Against that backdrop, it’s easy to see why watchdogs are cautious. Their legal firepower is no match for the deep bench of lawyers that international companies can throw at lengthy appeals.
Such costly missteps are already part of the legal landscape. Record multimillion-pound fines announced last summer by the U.K.’s data protection authority have yet to materialize, and look almost certain to be much lower than initially proposed. Courts have overturned privacy penalties in Poland, Belgium and Bulgaria, fueling worries within agencies of potential future missteps.
“One of the biggest mistakes that we can do is to go fast with some things and to lose it in judicial review,” said European Data Protection Supervisor Wojciech Wiewiórowski when he took office back in December. “If we fail judicial review, not because of the merit of the case, but because of some formality that was done wrongly on the road for the lack of the process and the proceedings, it would be disaster.”