Is GDPR Simply a Myth? Lack of Enforcement Raises Privacy Expert Concerns

Lack of Enforcement of GDPR Worries Privacy Experts

It has been almost two years since the European Union (“EU”) passed the General Data Protection Regulation (“GDPR”), an all-encompassing legislation that many lauded as the apex of privacy protection law.  But now, years later, many criticize the lack of punishment and enforcement of GDPR’s sweeping regulations. 

Coronavirus and GDPR

While the GDPR has quietly fallen to the wayside in the past few months, its failures to enforce came to the forefront recently as efforts to slow the spread of the cornonavirus raised questions about user privacy once again.  As the coronavirus pandemic unfurled across the globe, many noticed that the invasive measures taken by medical and government officials were not flagged under the GDPR as they should have been, which prompted many to question whether there truly is enforcement of GDPR.  While the EU has refused to acknowledge any problems with the GDPR in its current state, experts in the field point to a lack of funding, limited staff, and an overall unwillingness to enforce the law as just a few of the problems that currently exist with the GDPR. 

Privacy Advocates Say Promises of Hefty Fines for Enforcement of GDPR Broken

Back when the GDPR was first passed, the EU promised that it would set strict limits and restrictions on the amount of sensitive data that companies could collect from users with or without consent.  Fines that could total up to four percent of an entire company’s global revenue were applauded as privacy proponents felt that only significant fines could dissuade technology giants from continuing their current practices.  And as the GDPR seemed unwavering in its mission to protect consumers, it was not long before other countries followed suit by passing legislation in their countries that closely mirrored provisions of the GDPR or the GDPR as a whole.

But now, two years later, enforcement of GDPR has seen only one technology giant fined and the fine was considered insignificant by most.  To date, Google has been the only major technology company fined under the GDPR, and the fine came out to equal approximately $54 million, which is only about one-tenth of what Google generates in sales a day.  Facebook, arguably one of the most visible offenders when it comes to consumer privacy, has yet to be fined under the GDPR.

As such, the only noticeable change since the GDPR has gone into effect is the amount of click-through pop-ups that the general public has had to deal with, shifting the onus of complying with the GDPR on consumers instead of the technology companies that the GDPR was intended to target in the first place.

Moreover, smaller technology companies have complained that the burden of having to comply with GDPR regulations has had a chilling effect on both innovation or even operation as many smaller companies lack the budget to constantly monitor or comply with the GDPR; while major technology companies, arguably the worst offenders, can seemingly flout the provisions of the GDPR without fear of reprisal.

Critics Wait for New Wave of Enforcement of GDPR

Defenders of the GDPR in its current state say that enforcement is indeed coming, but it just merely takes time for the GDPR staff to build cases against offenders.  In the next few months, this claim will be tested as Twitter is expected to be cited for failure to protect consumer data that resulted in severe data breaches in Ireland.  Similarly, WhatsApp, a messaging application now owned by Facebook, has also been cited for potential penalties after it was revealed that it had been sharing its data with other Facebook services.  

As such, GDPR officials say that it is too early to criticize the GDPR, especially as it has, at least, brought privacy protection to the attention of users worldwide, arguing that the amount of press and education that came from the passage of the GDPR is a feat in itself.  In response, critics say that the huge delay between penalizing and enforcement of GDPR signals to technology companies that they can avoid or drag on court battles indefinitely.  With almost unlimited financial resources, technology giants can easily stretch the GDPR’s limited staff and funding past their breaking point.  As such, critics believe that enforcement of GDPR will be saved for only the most egregious cases and that complex disputes with most companies will be avoided entirely.  And even more worrisome, privacy experts warn that if the GDPR fails, similar versions of the law across the globe will be difficult to enforce as technology companies will have no incentive to comply.

Key Takeaways on the State of Enforcement of GDPR

The lack of penalties and punishment for enforcement of GDPR has led many to believe that:

  • the GDPR authorities receive little support, are underfunded, understaffed, and unmotivated;

  • technology giants will increasingly begin to ignore provisions of the GDPR;

  • smaller technology companies will disappear as compliance with the GDPR has a chilling effect on the marketplace; and

  • other countries will consequently be unable to enforce their own versions of the GDPR.

For more insights on data privacy, see our Technology & Data Overview and Technology Industry Legal Solutions pages.


You may also be interested in: