As Europes flagship privacy law celebrates its second birthday, a question still dogs regulators: Where is the big ticket enforcement?
Since May, 2018, European privacy watchdogs have levied just over €150 million in fines under the General Data Protection Regulation, or GDPR.
Collectively, regulators budgets to police and enforce the rules now stand at almost €300 million, an amount far lower than what many officials would like. Almost 300,000 complaints have been filed against everyone from Facebook and Google to mom-and-pop stores across the 27-country bloc.
But two years since the EUs flagship privacy regime came online, Silicon Valleys biggest names remain largely unscathed despite a volley of complaints. Ireland, which plays hosts to many of these tech giants, announced Friday it had finalized an investigation into Twitter, its first targeting a Silicon Valley firm.
The decision has been submitted to other EU regulators who must approve it. A final decision and possible fine are due next month.
The Netherlands is still investigating Netflix, while Luxembourgs privacy authority, which has jurisdiction over Amazon and Paypal among others, has yet to issue a single enforcement notice.
“Im completely critical of the enforcement structure of the GDPR,” Johannes Caspar, head of Hamburgs data protection agency, told POLITICO. “The whole system doesnt work.”
David vs Goliath
Part of the problem is clunky cooperation between EU officials.
Under the regions new privacy laws, the watchdog where a company is headquartered is responsible for investigating all possible infractions by that firm across the bloc. But some authorities, notably those in Germany, have criticized the system as ineffective and ultimately unfit to protect Europeans privacy rights. They have suggested the creation of a pan-European regulator to rein in Big Tech.
But such a wholesale change is beyond the scope of the European Commissions upcoming evaluation of the rules, which is expected on June 10. More likely is a call for greater use of existing cooperation mechanisms, including a monthly meeting among regulators in Brussels.
“One of the problems with the GDPR is that it has become the law of everything,” said Helen Dixon, the Irish privacy regulator, in an interview with POLITICO. “Its drawing data protection authorities into making an awful lot of decisions that impact societies and individuals that appear to go well beyond the data processing.”
The coronavirus crisis has piled extra pressure on regulators as governments have turned to data-gathering techniques from contact-tracing smartphone apps to thermal cameras for temperature checks to halt the viruss spread.
Regulators have offered vastly different responses to those activities.
One theme unites all regulators, however — a lack of resources.
Amazons global revenue exceeded €257 billion last year, but the Luxembourg authority overseeing its EU operations has a budget just shy of €5.5 million with 43 employees.
The Irish watchdogs annual budget of around €15 million is mostly pocket change compared to the billions earned annually by Facebook, Google and Microsoft. Almost every EU agency is understaffed and underfunded for the job they have been tasked with under the new rules.
Against that backdrop, its easy to see why watchdogs are cautious. Their legal firRead More – Source