The GDPR may no longer be a paper tiger

Tiago Sérgio Cabral (Managing Editor). 

1. It is a known fact that the General Data Protection Regulation (GDPR) has suffered from an enforcement problem. The theoretical administrative fines of up to €20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, appear impressive on paper but largely failed to materialize in the first few years of application of the “new” data protection framework.

2. Fines under the GDPR finally overcame the €1 billion threshold in 2021, a sevenfold increase from 2021. In fact, fines under the GDPR have been steadily growing since 2018. Of course, one should not forget that a significant percentage of the total amount of fines levied in 2021 is made up of the €746 million fine levied by the Luxembourg Data Protection Supervisory Authority (DPA) against Amazon and the €225 million fine levied by the Irish DPA against WhatsApp. In addition, the total amount of the fines still pales in comparison with other areas, such as competition law.

3. Nonetheless, the abovementioned fines represent the first finished investigations against large tech companies, and more are expected to be concluded in 2022, as DPAs slowly find their stride and work through their backlog. A particularly important decision will be the one resulting from the European Data Protection Board’s intervention, under the consistency mechanism, regarding the legal basis for Facebook’s processing of personal data. While the Irish DPA appears to favor a lighter-touch approach, it is doubtful that it will find significant support among the other DPAs, and a relatively high fine is quite likely.

4. The one-stop-shop is still a problem, and DPAs appear to be willing to search for “alternatives” to escape it and enforce data protection rules. 2022 started with two fairly large fines by CNIL, €150 million against Google and €60 million against Facebook, for non-compliance regarding the use of cookies. However, these follow a trend established by the French DPA, in which the authority prefers to levy fines based on the e-Privacy Directive (and national transposition law), where no one-stop-shop mechanism exists, bypassing the competence of the other supervisory authorities, namely Ireland. CNIL scored a significant victory for this strategy when the Conseil d’État confirmed its jurisdiction over the previous €100 million fine against Google for lack of cookie compliance.

5. The European Commission’s reluctance to act as the Guardian of the Treaties and intervene, through infringement proceedings, against Member States whose authorities are grossly failing (due to lack of resources or other reasons) on GDPR enforcement certainly does not contribute to the success of the legislation and is, by now, hard to justify. This is especially true regarding the Irish DPA, with which both the European Parliament’s and the other DPAs’ patience appears to be wearing fairly thin. Commissioner Didier Reynders’ arguments for the Commission’s inaction, presented in a response to a 6 December 2021 letter by a number of MEPs, appear to show a Commission that is more worried about upsetting a Member State through infringement proceedings than about actually ensuring a proper application of key legislation on fundamental rights. In particular, arguing that the end of 2021 is still too early to understand whether the one-stop-shop system is working, frankly, appears to be a sign of selective blindness. Implying that initiating infringement proceedings against Belgium due to issues with its supervisory authority’s independence is somehow more important to ensure citizens’ trust in the GDPR than acting against the Irish DPA, which actually handles the majority of large data protection cases in the EU, is akin to sophistry.

6. While the GDPR is starting to look less and less like a paper tiger, unless DPAs are given the means to actually enforce it (both financial and technical), and unless the Commission starts taking the matter of lack of GDPR enforcement as seriously as it should, it will also fail to reach its potential and objective. Not a paper tiger, but also not a proper tiger. Maybe a domestic cat.

Picture credits: JoshuaWoroniecki.
