At its inception in May 2018, the European Union’s General Data Protection Regulation (GDPR) triggered a transformation of the information privacy compliance landscape. The comprehensive legislation mandates that private organizations obtain consent before collecting personal data and delete collected data upon request, among numerous other requirements. The GDPR has wide-reaching implications for companies doing business in most European countries and has served as a data privacy model for other regions, including Brazil, Japan, and even the state of California. However, according to its many critics, the GDPR is failing to achieve many of its objectives.
Limited Impact
Undoubtedly, the threat of heavy fines has made companies think twice about how they handle consumer data. In 2021, a billion euros in fines were issued under the GDPR, including a whopping €746 million fine levied against Amazon and a €225 million one against WhatsApp. But, overall, few decisions have been made against major data companies – and these penalties are under appeal. Furthermore, important cases against powerful organizations, including repeat offenders, have languished for years.
One-Stop Shop
Much of the blame for slow and inconsistent enforcement of GDPR rules has been directed at its “one-stop shop” mechanism. Under this mechanism, responsibility for regulating a given company falls to authorities in the country where that company’s headquarters is located. However, counterpart enforcement authorities in other EU states impacted by the company’s data practices can also weigh in on decisions.
This approach was designed to promote cross-border cooperation and consistency in GDPR enforcement, but, in practice, has produced long delays. Enforcement authorities’ resources are stretched responding to assistance requests from other states and forging consensus among EU members with divergent enforcement traditions.
These problems are exacerbated by the concentration of data companies’ headquarters in a couple of countries, specifically Ireland and Luxembourg. Formal complaints were lodged against Ireland’s Data Protection Commission in 2021, citing its failure to effectively enforce the GDPR against major tech companies, such as Google and Meta, within its jurisdiction.
What’s Next
Uneven results during the GDPR’s first four years have prompted calls for reform, but some contend that enforcement will improve with time and that any overhaul would expose the entire law to lobbying pressure. But, whether through revamp or refinement, there’s consensus that implementation of the GDPR needs to improve. Recommendations include standardizing how complaints are handled across countries, including using the same forms; enhancing information sharing in cross-border cases to build consensus on decisions; ensuring national data protection authorities have sufficient resources; and potentially replacing the one-stop shop with a centralized enforcement mechanism.
Time will tell whether the GDPR can surmount its initial shortcomings and meet its potential as a global model for data protection and privacy.
Complying with complex privacy regulations, such as the GDPR, is no easy feat. At MBL Technologies, we leverage our deep expertise in state, federal and international privacy mandates to help organizations establish, support and mature their data privacy programs. Contact us to learn more!