The European Union’s best-known law is about to turn five. On May 25th 2018 the EU introduced the General Data Protection Regulation (GDPR). Spurred by the revelations of Edward Snowden, an American whistleblower, the bloc’s lawmakers gave Europe’s rights-based approach to data sharp new teeth. Enforcers gained formidable powers, including the authority to raid companies like Google, Meta and Amazon, and to force them to change how they operate. This showpiece regulation was hailed as the new global standard for data protection and privacy.
Rarely has hype so contrasted with impact. As the GDPR marks its fifth birthday, Europe remains unable to police big tech’s use of people’s data, despite an enforcement budget of more than €330m ($355m). Most enforcement decisions confirmed at the EU level have been mere reprimands or “amicable settlements”. This is enforcement without tooth or claw.
Rather than tame big tech firms’ data free-for-alls, Europe’s weak enforcement has allowed them to steal a march on smaller competitors and betray users with data chicanery, while hiding behind legalese. Polling shows that people want tech giants to be regulated. But they also have a fatalism about data misuse and are fatigued by consent spam. This offers two important lessons.
The first is that Europe has a two-part enforcement crisis. The first part is national. The GDPR’s “country of origin” principle obliges the country in which a company has its European headquarters to police its data use across the entire EU. Four of the world’s five biggest digital platforms, by market capitalisation, are based in Ireland. But Ireland delivers few major decisions as lead EU enforcer.
Nor is there much effective co-operation between national enforcers. The animosity between Ireland’s Data Protection Commission and its counterparts elsewhere in the EU was highlighted in January, when the Irish body began legal action against all other EU supervisory authorities (collectively, the European Data Protection Board) at Europe’s highest court.
This week the Irish commission fined Meta €1.2bn for violating GDPR rules that require certain safeguards to be in place when data is transferred between Europe and America. The case made headlines around the world. But the truth is that even a penalty of this size is of little consequence to a company that made a net profit of more than $23bn last year.
The other part of Europe’s enforcement crisis sits within the European Commission. The EU’s justice commissioner, Didier Reynders, has the tools and legal duty to oversee the implementation of EU law in member states, and to sue them if they refuse to behave. But aside from a few cases about enforcer independence, this has not happened in the realm of big tech and data. To the contrary, Mr Reynders resists any suggestion that there is a problem with how tech giants are supervised by national enforcers, and by Ireland in particular.
Rather than insisting on the proper enforcement of the GDPR, the commission is instead introducing new legislation on competition, online content and services, and artificial intelligence. Much of this would not be necessary had the GDPR’s myriad provisions been energetically enforced.
If the GDPR is any guide, these new laws will also be neglected. The commission must start taking member states to task. New EU laws such as the Artificial Intelligence Act must offer less latitude to feckless enforcers. The Digital Markets Act (DMA), another sweeping set of rules giving the bloc more powers over large tech firms, must be policed adversarially to rein in “gatekeeper” firms. On competition, Europe should follow the example of America’s reinvigorated trustbusters.
It is not clear that this will happen. Big tech has dusted off its GDPR playbook and applied it to these new laws. At a recent commission event a representative from Meta, Facebook’s owner, gave a lengthy oration about the difficulties of designing data-consent requests, which are required by the DMA. EU competition officials listened politely, perhaps unaware that Meta had used this same tactic to blunt the GDPR.
The second lesson from the EU’s enforcement failure concerns Europe’s global role. Data flows through the world’s digital markets as ichor courses through the veins of the gods. In the first year or so of the GDPR, Europe served as a de-facto global dictator of data flows. Almost all major economies, including China, drafted a GDPR clone or otherwise attempted to accommodate the EU’s law. (America was the big exception, although some states, including California, now have GDPR-like laws.)
But in 2019, a year after the GDPR was first applied, a new European Commission took office and squandered the global position its predecessor had established, by going soft on enforcement. Other countries have since cooled on the idea of mimicking or aligning with the EU. India dumped its draft GDPR clone last year. Britain is watering down its version. American legislators look upon Europe’s plague of consent spam with horror. This growing scepticism matters: Europe will lack credibility to set the global agenda in other areas if it allows its showpiece data law to fade.
The current commission’s term ends in October 2024. If the next commission neglects the current one’s new tech laws the same way that Mr Reynders has ignored his predecessor’s, Europe’s regulatory soft power will erode. This would be bad for human rights in Europe and beyond. The most important lesson of the first five years of the GDPR is this: if Europe really wants to be a regulatory superpower, it must stop laying down new sedimentary layers of digital law and start enforcing the laws it has.
Johnny Ryan is a senior fellow at the Irish Council for Civil Liberties and the Open Markets Institute.