Friday

12th Aug 2022

EU's landmark GDPR failing to live up to full potential

  • The commission noted data-protection authorities based in Ireland and Luxembourg - European HQss to Google, Facebook, Twitter and Amazon - need a substantial boost in resources (Photo: Descrier)

A two-year review of the EU data protection regulation (GDPR) published by the European Commission on Wednesday (24 June) revealed that its application and enforcement both remain problematic.

"The GDPR is the perfect example of how the European Union, based on a fundamental rights' approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution," said the EU commissioner for values and transparency, Věra Jourová.

Read and decide

Join EUobserver today

Become an expert on Europe

Get instant access to all articles — and 20 years of archives. 14-day free trial.

... or subscribe as a group

"But we all must continue the work to make GDPR live up to its full potential," she added.

Since its adoption in 2018, GDPR has largely been considered one of the major successes of the EU for being in the vanguard of online protection of fundamental rights in the bloc and globally.

However, the law has been misused to silence journalists and civil society organisations.

It has also proved to be complicated, as well as time- and cost-consuming for small and medium enterprises, and there is legal uncertainty linked to some of the new technologies.

Additionally, the commission's report also identified fragmentation in national legislation, and a lack of cooperation between different data protection authorities, which have created challenges for cross-border investigations.

Such multi-state investigations require that a lead authority drives the investigation in cooperation with other authorities - this system is based on the so-called "one-stop-shop" mechanism which is supposed to serve both people and companies.

However, the legal services of the European Council have previously criticised the "one-stop-shop" system, back in 2013, for undermining citizens' human rights.

Moreover, only five EU countries - the Czech Republic, Denmark, Hungary, the UK, and Luxembourg (which has yet to resolve any major case) - are considered to have enough resources for such cooperative tasks.

Earlier this year, the Hamburg data protection authority described the system as "cumbersome, time-consuming and ineffective".

Google, Facebook, Twitter and Amazon HQs?

The commission's two-year review also indicates that the authorities based in Ireland and Luxembourg, European headquarters to Google, Facebook, Twitter and Amazon, need a substantial boost in resources.

"Given that the largest big tech multinationals are established in Ireland and Luxembourg, the data protection authorities of these countries act as lead authorities in many important cross-border cases and may need larger resources than their population would otherwise suggest," reads the report.

However, according to a separate report published by NGO Access Now, "the fact that Ireland is currently leading a large number of GDPR complaints is not only an administrative issue but also potentially a political one" since tech giants have arguably gained an unprecedented level of influence in policy debates in Ireland - including data protection enforcement.

The Irish watchdog opened cases against Facebook, the Facebook-owned Instagram and WhatsApp apps, as well as Twitter and Apple - among others.

Meanwhile, a report of the regulatory activities under GDPR of the Irish watchdog indicates that "the workload will continue to increase and the coronavirus crisis is likely to have implications for future funding".

GDPR has increased awareness about the protection of personal data, both within and outside of the EU - about 69 percent of people in the bloc have heard about GDPR, according to a recent survey from the EU Agency of Fundamental Rights.

However, businesses stressed the need for legal certainty on how to implement new technologies in a way that is compatible with the GDPR so that they can continue to invest in innovation.

Members of the EU's expert group on GDPR consider that the exact impact of the GDPR on future innovation is hard to estimate - since this also depends on how EU data protection rules apply to new technologies, such as facial recognition technologies, blockchain or AI.

"The two-year review shines an unflattering light on many of these shortcomings, yet the commission seems determined to double down by layering on even more rules," said Eline Chivot, a policy analyst from Center for Data Innovation, referring to the upcoming regulatory framework for AI and an extension of the right to data portability.

"Make no mistake: that would come at the cost of EU's economic competitiveness in the years ahead," she added.

"Policymakers should fix the GDPR's many shortcomings before creating even more rules. Otherwise, the EU will tie the hands of companies that could help its economy compete in the global economy," she also said.

Podcast

Data and Dystopia

Despite concerns about civil liberties and activities of companies like Clearview AI and Palantir, EU authorities are shaping a new industrial policy around artificial intelligence.

EU data protection rules abused to censor media

This week the EU's data protection rules (known as the GDPR) are two-years old. While the controversial GDPR was intended to offer greater privacy rights, it has also been abused by some authorities to muzzle a free press.

Interview

2013: Snowden was 'wake-up call' for GDPR

The contentious negotiations on the EU's data protection rules (GDPR), very much influenced by intense lobbying from the US, radically changed after whistleblower Edward Snowden revealed in 2013 that US intelligence services were collecting worldwide user-data.

Opinion

The Digital Services Act — a case-study in keeping public in dark

Companies and lobby groups like Spotify, Google and International Federation of the Phonographic Industry (IFPI) were able to lobby member states using live knowledge of the trilogue discussions on content-ranking systems, advertising and liability for search engines.

Stakeholder

The CPDP conference wants multidisciplinary digital future

During the Computers, Privacy and Data Protection (CPDP) conference, many high-level discussions will touch upon the dynamics of decision-making in the design of new technologies, including the importance of inclusion, diversity, and ethics perspectives within these processes.

News in Brief

  1. Sweden overtakes France as EU's top power exporter
  2. Italy's far-right star in European charm offensive
  3. Another migrant tragedy claims 50 lives in Greek waters
  4. Russia hits area near town with 120 rockets, says Ukraine
  5. UN expects more ships to get Ukrainian grain out
  6. Greece to end bailout-era oversight
  7. Denmark to train Ukrainian soldiers in urban warfare
  8. Russian helicopter flies into Estonia's airspace

Stakeholders' Highlights

  1. EFBWW – EFBH – FETBBConstruction workers can check wages and working conditions in 36 countries
  2. Nordic Council of MinistersNordic and Canadian ministers join forces to combat harmful content online
  3. European Centre for Press and Media FreedomEuropean Anti-SLAPP Conference 2022
  4. Nordic Council of MinistersNordic ministers write to EU about new food labelling
  5. Nordic Council of MinistersEmerging journalists from the Nordics and Canada report the facts of the climate crisis
  6. Council of the EUEU: new rules on corporate sustainability reporting

Latest News

  1. Russian coal embargo kicks in, as EU energy bills surge
  2. Only Western unity can stop Iran hostage-diplomacy
  3. Kosovo PM warns of renewed conflict with Serbia
  4. EU Commission shrugs off Polish threats on rule-of-law
  5. EU urged to stop issuing tourist visas to Russians
  6. Russia puts EU in nuclear-energy paradox
  7. Almost two-thirds of Europe in danger of drought
  8. West needs to counter Russia in Africa, but how?

Join EUobserver

Support quality EU news

Join us