The EU’s GDPR Is 5 Years Old and Still Not Working Properly: How Can It Be Fixed?

The European Union’s flagship law on privacy, the General Data Protection Regulation (GDPR), is five years old. It has undoubtedly had a dramatic impact on the privacy world, as the many stories about it on PIA blog attest.

Despite this evident success, the GDPR has seen its fair share of criticism. For example, many people blame the GDPR for the privacy pop-ups that greet them when they visit new Web sites. The truth is that the pop-ups are unnecessary and only appear because sites are hoping to annoy you into accepting little or no privacy protection to get rid of the intrusive messages.

A more serious criticism is that, even after five years, GDPR didn’t impose enough fines on big tech, most of which continues to carry out online surveillance on a huge scale, mostly to feed their business models based on advertising. A concern was that EU data protection authorities (DPAs) were underfunded, and thus unable to undertake the necessary work to bring successful, large-scale cases.

Is the GDPR Just a Nuisance for Big Tech?

One person whose name has frequently appeared on this blog in the context of GDPR’s flaws is the privacy expert Max Schrems. His organization, noyb.eu, put together some useful new resources to mark the fifth anniversary of the GDPR. These include statistics about both noyb.eu’s work and the EU’s data protection agencies.

NOYB provides invaluable insights into where the real problems with the GDPR lie. For example, although noyb.eu has brought an astonishing 800 GDPR cases against companies, the vast majority of them are still pending:

• 249 have been pending for 6 to 12 months
• 492 for 18 to 24 months
• 133 for 2 to 3 years
• 33 have been pending for 3 years or more

It’s premature to claim that the GDPR has “failed” because hundreds of cases are still working their way through the system. But the fact that some still haven’t been resolved several years after they were filed reveals one obvious problem that needs addressing.

The noyb.eu resources about each EU country also shed some light on the issue of funding and staffing. For example, Germany had no less than 1,155 people working in its data protection agencies, with a total budget of 114 million euros in 2022. Italy, by contrast, had 131 people working in its “Garante per la protezione dei dati personali”, with a budget of 35.6 million euros in 2021.

Perhaps the most important of the country reports concerns Ireland, which occupies a special place in the GDPR world. That’s because for each GDPR case there is a “lead” authority, determined by where the company concerned is based. With this information, doesn’t take long to figure out why the GDPR is flawed

Ireland has a reputation for attracting and cozying up to the world’s top Internet companies, such as Google (including YouTube), Meta (including Facebook, Instagram, WhatsApp), Apple, TikTok, Twitter, and Microsoft (including Linkedin, Xbox). As a result, when there are allegations of data protection problems with any of these companies, the complaint has to be dealt with by the Irish Data Protection Commission (DPC), which has also figured many times on the PIA blog.

GDPR’s Flaws: Ireland Siding with Big Tech on Data Privacy

The noyb.eu document on Ireland is scathing in its review. It claims that the DPC received a total of 19,581 complaints since the GDPR entered into force, but only produced 37 formal decisions in the span of five years, of which just eight were based on a complaint, which means that “only 0.04% of all complaints led to a formal decision of the DPC” according to noyb.eu. It says that the DPC only conducts a “pure paper review” of complaints:

Just like many other DPAs, the DPC does not typically investigate matters, but solely relies on representations by companies. No witnesses are called in, no on premises investigations made – making sure that companies can easily get away with GDPR violations.

Noyb.eu also accuses the Irish DPC of “badly managed procedures”, writing:

It is not uncommon that the DPC produces a “draft report”, “final report”, “preliminary draft decisions” or a “draft decision” together with additional “schedules” and countless letters – just in the course of a single procedure. This approach can lead to files of more than 5.000 pages even for simple legal questions.

Other alleged problems with the DPC are contained in a new report from the Irish Council for Civil Liberties (ICCL), entitled “5 years: GDPR’s crisis point”. For example, the ICCL points out that the Irish DPC has used its discretion under Irish law to choose “amicable resolution” to conclude 83% of the cross-border complaints it receives. The ICCL also writes that:

75% of the Irish Data Protection Commission’s GDPR investigation decisions in EU cases were overruled by majority vote of its European peers at the European Data Protection Board, who demand tougher enforcement action. Only one other country, in one single case, has ever been overruled in this manner.

These statistics from noyb.eu and the ICCL suggest that there is a serious problem with the way the DPC is handling GDPR complaints.

When the GDPR was being drawn up, no account was taken of the fact that the vast majority of top Internet companies have their European headquarters in Ireland. The dangerous dependence of the Irish economy on the tax revenue from these digital platforms inevitably creates an atmosphere where strict enforcement by the DPC against them is difficult.

Maybe it’s time to move to a centralized, pan-EU approach to dealing with complaints if the GDPR is ever to realize its full potential for protecting privacy. In the meantime, noyb.eu has put together a draft procedural regulation designed to help DPAs cooperate better and to enforce EU law more rigorously.

Featured image by Petr Kratochvil.