Enforcement proves the Achilles heel for GDPR

Only two years in, landmark EU regulation on data protection needs rebuilding to deliver on objectives

The General Data Protection Regulation (GDPR) marks its second birthday this week.  But while there is much to celebrate – in theory – the weaknesses revealed by the reality of its implementation indicate the European Union must rebuild this landmark legislation.

The GDPR came into force on May 25th, 2018, providing a range of powerful data safeguards and rights for individuals in a global landscape that had been devoid of meaningful protection. Before the GDPR, companies, organisations and even governments could too easily shrug off existing EU data-protection laws.

Then came the GDPR, carrying significant penalties and enforcement powers.

However, even though the GDPR’s punishment potential has begun to reshape the EU and international data-protection landscape (because the EU has such a significant consumer market, other jurisdictions have to rise to the GDPR’s bar), the regulation’s weak point is, paradoxically, enforcement.


Since 2018, many data-protection and privacy advocates have watched this core problem grow, with increasing alarm. The bodies charged with wielding the enforcement stick, Europe’s data-protection authorities (DPAs), have largely failed to do so, especially in the most egregious cases involving technology and social media multinationals.

The degree to which this is true emerged in the past week, including, ironically, in a major announcement last Friday from the DPA tasked with oversight of nearly all of the largest of those companies, the Irish Data Protection Commission (DPC).

Squeezing in just before the GDPR’s anniversary, the DPC issued updates on a number of active, tech giant-related investigations that in some cases, have been running for much of the time the GDPR has been in existence.

Data breach

In the grab bag of announcements, the DPC stated that it had notified Twitter of a decision regarding a November 2018 data breach. Preliminary investigation reports have also been sent to WhatsApp and Instagram, and the DPC said it had completed – at last – the formal investigation phase of a complaint against Facebook made by Austrian lawyer Max Schrems.

Schrems meanwhile used the GDPR anniversary to issue an open letter arguing that the Irish regulator is taking a very long time to make decisions against or punish any of the tech giants.

This has been an often-repeated Schrems beef ever since he took his first Facebook complaint years ago to a previous DPC, and ended up prompting a  landmark European Court of Justice data-protection ruling.

He noted, as he often does, that the Irish DPC also operates in a country whose government actively welcomes economically-critical foreign direct investment from the same huge tech giants under scrutiny. Schrems sees a causal link here for delays, one that was also suggested last year in a controversial article by online news site Politico. Needless to say, the DPC would dispute this.

Also this week, EU activist group Access Now issued a damning report making the case that the GDPR had produced few significant results because DPAs are woefully underfunded by individual EU states, hobbling investigative powers.

Only 231 fines and sanctions have been issued under the GDPR, the report notes. In particular, it highlights that neither Luxembourg nor Ireland (the two EU nations tasked with the GDPR oversight of nearly all EU-operating tech multinationals) had issued a single fine against such companies.

The Irish DPC has expressed frustration with the Government’s petty level of funding here. The State currently gives more support to greyhound racing than it does to the DPC, even though the DPC effectively is responsible for protecting the personal data of 700 million EU citizens – a figure somewhat larger than greyhound racing’s fan base.

The scale of financial inequity that results is made clear in a report bar graph contrasting Ireland's barely-visible DPC funding against the towering bars of 2019 revenue for Google, Microsoft and Facebook.

Here, in a nutshell, is the huge regulatory failure at the heart of the GDPR. For political and financial reasons, it is comically tragic and functionally pointless to pitch individual EU nations against these global companies.

Secretive corporations

Underfunded, understaffed, stand-alone national DPAs cannot counter the staggering wealth and legal resources of these secretive corporations. And this funding model will always appear weak and potentially compromised, when the very same governments are also income-dependent on the regulated companies.

Ireland – an entire country with a population smaller than Silicon Valley – will never have the wherewithal to effectively tackle the most globally powerful and wealthy companies ever created. In the United States, the only sometimes-effective way to take on the same companies so far has been at federal level, or through the co-ordinated actions of numerous state attorneys general.

More national DPA funding and ‘resources’ are not the answer. Instead, the GDPR urgently needs to change. All multinationals above a minimum size should instead be regulated at pan-EU level. Using EU funding, kit out an EU-level body to handle complaints, not small national regulators reliant on government largesse.

Such a solution would at once resolve resourcing problems and political friction, and free nationals DPAs to focus instead – and more appropriately – on their own national data-protection complaints.