The rise of data protection laws is one of the century’s most profound legal changes: the 2016 European General Data Protection Regulation (GDPR) was hailed as ushering in a new era for digital privacy. It led companies and European countries to invest significant resources in designing regulatory compliance programs.  It also influenced many other online privacy laws adopted across the world—including, to some extent, the groundbreaking California Consumer Privacy Act of 2018 (CCPA).

Yet, despite their nominal force and widespread adoption, available data indicates that these laws suffer from an enforcement gap—a wide disparity between the stated protections on the books and the reality of how companies respond to them on the ground. Privacy advocates are growing increasingly frustrated with firms’ lack of compliance and lax enforcement: many of the GDPR’s strongest supporters have warned that it risked becoming a “fantasy law”, something to which firms paid lip service but with which they failed to comply; frustration with California’s CCPA is equally widespread.

These concerns are well-warranted. In a forthcoming academic article (on which this contribution is based), I comprehensively reviewed the available studies measuring the real-world impact of the GDPR and the CCPA. Strikingly, none of the twenty-five independent empirical studies has found meaningful legal compliance. For example, a 2019 academic survey concluded that 92% of Europe’s most accessed websites tracked users before providing any notice and 85% maintained or increased tracking even after the users opted out, both clear violations of the GDPR. Although there are fewer comprehensive analyses for the CCPA (it only came into force in January 2020), the law led to no changes to Facebook’s data collection and processing practices (a red flag by itself). A survey of the websites of the 600 largest US companies found that even among the richest, most sophisticated American corporations, a majority did not offer CCPA portals for users to access their information. A recent survey indicated that only 0.001% of California consumers made use of the rights granted by the law.

This raises the question: what accounts for this gap and what can be done to improve the performance of these laws? My analysis shows how the GDPR and CCPA contain severe flaws in the design of their enforcement mechanisms. In particular, their enforcement systems ignore how information asymmetries and market power undermine the role of markets, torts, and command-and-control regulations as effective avenues to ensure legal compliance. Citizens/consumers and regulators cannot go after violations they cannot identify; and even when they do, they face an uphill battle against some of the world’s most sophisticated and well-resourced companies.

These flaws in the design of data protection laws are not insurmountable. To become effective, online privacy regulatory systems should be built around at least three key principles.

First, the system must multiply monitoring and enforcement resources. Sophisticated civil-society intermediaries such as privacy NGOs, independent think-tanks, investigative journalism outlets, and class-action plaintiffs play an outsized role in protecting consumers in opaque and complex markets. These organizations have the incentives and the capacity to understand the complexity of data collection and denounce violations.

An expansion of these sophisticated private intermediaries requires the availability of appropriate and independent funding. This is currently not the case. Most privacy NGOs and other similar organizations are supported by grants and donations, an unreliable and insufficient source of funding. Effective online privacy regulation requires a consistent, independent source of funding for these intermediaries, enabling them to invest time and resources in hiring technical personnel, to start complex and potentially unfruitful investigations, and to better resist the temptation of being co-opted by large corporate donations.

Second, antitrust and anti-corporate fraud policies have long relied on leniency and whistleblower programs to encourage insiders to reveal wrongdoing. Data protection laws should learn from their example and develop a solid whistleblower program.

Third, public enforcement systems must ensure that regulators are accountable to civil society. A combination of governmental interests, the market power of large digital platforms, and the complexity/opacity that characterizes many data markets increases the risk that regulators promote industry rather than consumer interests. Antitrust regimes can provide an example of how to design a regulatory framework that increases transparency without sacrificing enforcement capacity.

Brazilian antitrust laws establish that fines are allocated to a public fund aimed at protecting citizens’ diffuse interests—in 2019, the fund raised approximately USD 120 million.  This fund is managed by a council composed of seven career civil servants and three civil society representatives, appointed for a renewable mandate of two years. The fund annually publishes public calls for applications through which universities, NGOs and even other entities can request resources to support their activities. The California Privacy Rights Act of 2020 introduces a similar mechanism in the State, but the amount dedicated to grants (3% of the fund) is likely too small to make a meaningful difference.

An alternative can be a direct funding system, which could be an expansion of the already common US practice of directing awards in class action lawsuits to privacy NGOs. A problem with these settlements in data protection is the occasional distribution of awards to organizations that are not directly connected to online privacy. To address this, the law could encourage awards to be funneled to the public fund, which would then ensure that cy pres resources are distributed more broadly and fairly.

Solid whistleblower protections are also required. As the current discussions around Facebook transparency demonstrate, whistleblowers (in particular employees) are key to the discovery of corporate fraud. Antitrust regulators have long relied on leniency programs—through which companies denounce cartels in exchange for more lenient prosecution—as a key mechanism to bring otherwise secret and illegal private deals to light. Academic studies have shown that financial incentives associated with revealing fraud also significantly improve the probability of employees exposing wrongdoing and reduce the number of false denunciations.

At the moment, California has no dedicated data protection whistleblowing program, nor do important EU jurisdictions such as Ireland or Luxembourg. The general whistleblower provisions that do exist also fall short of many of the recommendations made here. For example, the EU Directive on the topic does not encourage financial rewards, which are key to an effective program.

Democratic governments around the world have decided that these data protection regulatory regimes are here to stay. Societies must now ensure that these laws lead to meaningful improvements on the ground.

Filippo Lancieri is a Post-Doctoral Fellow at ETH Zürich Center for Law and Economics. This article is adapted from his forthcoming paper, Narrowing Data Protection’s Enforcement Gap, which is available here.