As Europe’s infamous General Data Privacy Regulation (GDPR) turns two, privacy advocates are expressing concerns that it hasn’t had the effects that were promised by the European Commission. With investigations progressing too slowly under the supervision of an underfunded Irish agency, some are beginning to question the flaws of this approach.
It’s been two years since the European Union’s General Data Privacy Regulation (GDPR) went into effect, with sweeping changes to how companies are able to handle customer data. It’s also inspired similar rules that were adopted in the US, such as California’s Consumer Privacy Act.
The idea behind the far-reaching regulation was that companies needed to be held responsible for violating the privacy of their users, failing to protect their personal data, or misusing it in any way. The big promise was that the Irish Data Protection Commission — the institution tasked with enforcing GDPR — would otherwise hand out fines of up to €20 million ($21.8 million) or four percent of a company’s revenue for the previous financial year, whichever was greater.
However, not everyone is happy with how things have been moving since. Industry watchers and privacy advocates like Max Schrems are worried that the pace of probes into big companies like Facebook and Google has been slow, with “highly inefficient and partly Kafkaesque” investigations that did little to move the needle.
In an open letter sent to the European Commission, Schrems mentioned unaddressed complaints about the way companies like Facebook and its subsidiaries WhatsApp and Instagram rely on a “consent bypass” to allow themselves free reign over users’ personal data.
Schrems is also disappointed that after thousands of complaints targeting companies big and small, the Irish privacy regulator took pride in making one or two small steps in what looks like a long legal battle, while hardly slapping any fines on companies that were found to be violating GDPR with their ad tech.
For instance, the largest fine for GDPR violations hit Google in France to the tune of $57 million. But even in the case of the search giant, the developers of the Brave browser found that it was using “hidden pages” to circumvent GDPR protections, more than a year after its complaint was dismissed by Google as baseless.