
How GDPR Is Failing

One thousand four hundred and fifty-nine days have passed since data rights nonprofit NOYB filed its first complaints under GDPR. The complaints allege that Google, WhatsApp, Facebook, and Instagram forced people into giving up their data without their consent, says Romain Robert, a program director at the nonprofit.

GDPR came into effect on May 25, 2018, strengthening the privacy rights of 740 million Europeans. NOYB still awaits final decisions after four years. It is not alone.

In the wake of the General Data Protection Regulation, data regulators have struggled to act on complaints against Big Tech firms and the murky online advertising industry.

In spite of GDPR's improvements in privacy, it hasn't fixed the worst issues: Data brokers are still stockpiling your information, and the online advertising industry is littered with potential abuses.

Now, civil society groups have grown frustrated with GDPR's limitations, while some regulators complain about the system for handling international complaints, which is bloated and slow to enforce. In contrast, the information economy moves at breakneck speed. "To say GDPR is well enforced is a mistake. It is not enforced as rapidly as we thought. The NOYB settled a legal case regarding its consent complaints. We still face what we call enforcement gaps and problems with enforcement against the big players," adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which filed a complaint about Google's location tracking four years ago.

Legislators in Brussels proposed reforming Europe's data rules in 2012 and passed a final bill in 2016, giving companies and organizations two years to comply. The GDPR strengthens your rights and alters how businesses must handle your data, such as your name or IP address.

Generally, GDPR does not ban specific uses of data, such as intrusive facial recognition by the police; instead, seven principles govern how your data may be handled, stored, and used. It applies equally to charities and governments, pharmaceutical companies, and big tech firms.

Fundamentally, GDPR granted each European country's data regulator the power to fine companies up to 4 percent of their global turnover for violating its principles.

It was never likely that GDPR fines and enforcement would come quickly from regulators: in competition law, for instance, cases can take decades. But four years after GDPR began, major decisions against the world's most powerful data companies remain frustratingly few.

As a result of the GDPR's dense series of rules, complaints against a company that operates in more than one EU country are usually directed to the country of its main European headquarters. That country leads the investigation in this so-called one-stop-shop procedure.

Luxembourg handles complaints against Amazon; the Netherlands handles Netflix; Sweden handles Spotify; and Ireland handles Facebook, Instagram, Airbnb, Twitter, Yahoo, Microsoft, Apple, and Google.
