GDPR feared to be ‘toothless’ against big tech

(Belgium) Is the GDPR toothless against the big tech giants? Regulators in the EU are starting to split on whether the framework law is in practice effective against the likes of Facebook and Google. Politico reports as follows:

More than 18 months after the European Union began implementing the world’s toughest privacy law, the bloc’s ability to rein in Big Tech is increasingly in doubt amid growing frustration over a lack of enforcement actions and weak cooperation on investigations.

Passed in May 2018, the General Data Protection Regulation (GDPR) was largely viewed as a model for the United States and other nations struggling to find effective limits on data collection by technology companies. And there was little doubt that, given the breadth of the law and the many suspected violations by global tech firms, there would soon be heavy fines or, at least, sanctions that would force Big Tech to change its operating methods.

But that promise has not been fulfilled. Aside from a €50 million fine that France’s privacy regulator imposed on Google in January, there have been no fines or remedies levied at a U.S. giant since the GDPR came into effect. And the two nations most directly responsible for policing the tech sector — Ireland and Luxembourg, where the largest tech firms have their European headquarters — have yet to wrap up a single investigation of any magnitude concerning a U.S. firm.

Now the Irish regulator which oversees Google, Facebook, Microsoft and Twitter, among other giants, says that its first decision will not be delivered until early next year, adding to previous delays.

Ireland and Luxembourg have faced special scrutiny because so many U.S. tech companies have set up shop in those tiny nations, which have actively courted them thanks to a mix of low corporate tax rates and business-friendly regulation. Those close relationships have created a strong degree of economic dependency, particularly in the Irish case, which raises questions as to whether these countries are best suited to regulating Big Tech.

Now, regulators in other countries are speaking out about their doubts. Hamburg’s data protection authority says that the current “one-stop-shop” system, in which many major investigations are carried out by authorities in Dublin or Luxembourg, creates serious bottlenecks and an “unsatisfactory” situation for millions of web users.

(Privacy press clipping sourced via Politico)
Jurisdiction: Belgium

Key takeaways:


  • Critics are increasingly coming out of the woodwork on the GDPR, particularly in regard to recent delays on big ticket investigations, the “one stop shop system” (which puts one national regulator in charge of a specific case) and a lack of general cooperation between national agencies. As Politico reports, a spokeperson for Hamburg’s data regulator identifies a “huge problem” with enforcement and describes the delays as “unacceptable”.

  • These arguments are interesting because they come not just from lawyers and privacy advocates, but also regulators like the Hamburg data commissioner’s office. Helen Dixon’s Irish DPA, for example, has come under particular criticism for the time taken to announce and issue decisions for the tech companies under Ireland’s jurisdiction. Many would like to see fines concluded and announced more promptly.

  • It is probably best to take these concerns with a grain of salt. The substantive penalty provisions of the GDPR are robust and the law itself has only come into force relatively recently. Regulators will have a natural interest in ensuring that any decision they take is upheld in later review or appeal action, and Ms Dixon has stated as much. While there may be something to be said for, in the case of smaller jurisdictions, the uncomfortable tension between the local economic benefits of big tech and the responsibilities of data privacy enforcement (Ireland and Luxembourg are referenced by Politico) – it is too early to be definitive on such issues. With Google, Facebook, Microsoft and Twitter on its docket, the Irish DPA is plainly very busy. Alarmist comments from other EU regulators, out of turn, may not be particularly helpful.

Leave a Reply

Your email address will not be published. Required fields are marked *