The GDPR was designed as the globe’s toughest privacy law. Companies that violate it face giant fines, up to 4% of sales, and the law has become a powerful example of the so-called Brussels effect, inspiring similar privacy-protecting laws in numerous jurisdictions and highlighting widespread unease among consumers about companies “watching” their behavior and targeting ads.
And yet, the much-ballyhooed GDPR is neither as strong as its advocates claim, nor as extreme as its detractors charge. Fines are few and far between. Big Tech has managed, for the most part, to comply, while small tech companies struggle with high compliance costs. The GDPR’s mixed record has convinced European regulators that they need to fix the way their regulations are enforced.
When the GDPR came into effect in 2018, it required companies to gain consent from any EU citizen from whom they collect data. Importantly, the law does not ban targeted advertising, even though supporters promised an end to surveillance capitalism. It just requires consumers to consent. Europeans are inundated with pop-up screens asking for their consent almost every time they surf the web. Most of the time, they click yes. To them, the GDPR is more annoying than effective.
Enforcement is, at best, patchy and inconsistent. As with most EU legislation, national governments are responsible for prosecuting violations. National data protection authorities (DPAs) investigate complaints, determine breaches, and issue sanctions (which can be contested in court).
In practice, the DPAs’ determination to levy fines is linked to their resources – which, in most cases, are limited. According to a recent report published by the European Data Protection Board, 77% of DPAs complain about a lack of budget and personnel. While German DPAs employ around 1200 staff, Belgian, Croatian, and Romanian DPAs average only 50.
Not surprisingly, national regulators diverge on the number and severity of prosecutions. In 2022, GDPR fines totaled €832 million. Meta, the parent company of Facebook, Instagram, and WhatsApp, accounted for 80%, with its largest fine reaching €405 million. Other Silicon Valley giants top the list for repeated GDPR violations. This raises the question of whether the deterrent effect of “the toughest privacy law in the world” is working – or if GDPR fines have become a part of the cost of doing business for Big Tech.
In contrast, GDPR disproportionately impacts small and medium companies that need to comply in the same way as their larger counterparts but have fewer resources. The high costs hurt innovation and economic growth — one of the reasons why many European tech start-ups choose to scale up outside of Europe. GDPR has injected “tremendous regulatory uncertainty for businesses over arcane legal issues that are completely divorced from the everyday concerns of Internet users,” criticizes Daniel Castro of the ITIF think tank.
Disagreements between European regulators add to the regulatory confusion. Ireland’s DPA approved Meta’s policies to gain consent from users. But German, French, and other European DPAs disagreed and the European Data Protection Board forced the Irish regulator to fine the company €390 million. Not surprisingly, Meta has protested and taken the case to court. A final decision will not be reached for several years.
Additional tensions stem from the restrictions imposed on personal data transfers to third countries and international organizations. GDPR specifies that data may be transferred outside of the EU if the European Commission judges that the receiving country provides an adequate level of protection. The European Court of Justice insists that this adequacy must include “democratic controls” over government access to personal data. This issue represents the core of the Schrems saga, cases brought by an Austrian law student successfully contesting the legitimacy of transatlantic data transfers. European court judgments left companies on both sides of the Atlantic in regulatory limbo, with limited options for legal data transfers.
Although the EU and the U.S. recently forged a new transatlantic data deal that might hold up before European courts, the tension underscores the hypocrisy of the European regulatory environment. Data transfers to the U.S. are jeopardized – while transfers to countries such as Russia and China are unaffected.
The U.S. must take its share of the blame. Although California and a few other states have passed privacy legislation, Congress has failed to enact a national law. Without comprehensive U.S. privacy protections, Europe is left alone as the democratic alternative. Despite its shortcomings, GDPR has succeeded in launching a constructive discourse on how to protect personal data. It has transformed data protection into a human right.
Reform is required to lock in these achievements. European policymakers have learned from the GDPR that decentralized enforcement produces a mess; they have given Brussels the lead powers to prosecute violations of the upcoming Digital Services and Markets Acts, which attempt to increase competition in digital markets and reduce the amount of illegal content on platforms. These Brussels Internet regulators now must receive adequate resources. They must use these resources and power with wisdom, finding a good balance between forcing Internet platforms to be responsible while avoiding crushing innovation.
A former CEPA Denton Fellow, Anda Bologa is now a PhD candidate at the Fordham School of Law.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.