The General Data Protection Regulation (GDPR) will blow out its fourth candle. Although the pace of sanctions is accelerating and corporate behavior is improving, this tool does not appear to have reached its full potential.
The GDPR is the great pride of the European Commission under the leadership of Jean-Claude Junker. Entering into force on May 25, 2018 after four years of tough negotiations between the 28 member countries, this ambitious regulation aims to considerably strengthen the rights of European cybercitizens. For this, the text has set a legislative framework and a number of rules with which all companies that hold personal data must comply in the EU. Beyond consumer protection, Europe intended to use its full weight to fight against the hegemony of Gafam on the Internet.
1.6 billion euros in fines
These rules have inspired many countries and regions around the world. This is the case of California, with the California Consumer Privacy Act (CCPA) passed in June 2018. A law with intentions similar to those of the European GDPR, namely to provide a legal framework that further protects the personal data of citizens and consumers. . Other countries are working, or have already done so, on new data protection laws, such as Japan or China.
However, the GDPR is not the perfect tool, and some even plead for adjustments to make it more effective. The American media Wired has published a long analysis, which we invite you to read.
If the complaints quickly accumulated, it took time for the sanctions to fall. The number of fines increased as the legislation aged, reaching a cumulative total of €1.6 billion. But a year ago, the amount of these cumulative fines was “only” about 300 million euros. We had to wait for two record sanctions concerning early cases to cross the billion euro mark.
Luxembourg fined Amazon €746 million, while Ireland fined WhatsApp €225 million last year. Some complaints are still being processed, requiring lengthy investigations, such as that of My Privacy is None of Your Business (NYOB), which is already 4 years old. No wonder when it comes to entities as powerful as Facebook, Apple or Google.
Centralization and delays
With the GDPR was created what is called a “one-stop shop”, i.e. complaints against a particular company are handled in one country. Luxembourg, for example, handles complaints against Amazon, the Netherlands handles Netflix, while Ireland is responsible for the various entities linked to Meta and Google.
Thus, each week, several draft decisions are circulated among European data regulators. Back and forth that slows down the decision-making process, while the various authorities are most of the time in agreement. Especially since in the case of Ireland, the workload induced by these huge entities has led to delays and additional paperwork. The drama of bureaucracy, in short.
Finally, there are a few countries that are reluctant to enforce the regulation, which is another subject to be addressed to improve the scope of the GDPR. Europe, for example, has launched an infringement procedure against Slovenia for not having imported the GDPR into its national law, while the Belgian data authority is accused of not being sufficiently independent. Others, like France, circumvent the GDPR by directly pursuing the use of cookies by companies.
However, the impact of the GDPR would not be measured entirely in terms of fines: the text would have improved the behavior of companies vis-à-vis users, for fear – precisely – of sanctions.