{"id":19154,"date":"2022-05-28T19:07:41","date_gmt":"2022-05-29T03:07:41","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12887\/"},"modified":"2022-05-28T19:07:41","modified_gmt":"2022-05-29T03:07:41","slug":"news-12887","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12887\/","title":{"rendered":"How GDPR Is Failing"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/6287f56cc4dc7fd61e1003a7\/master\/pass\/security-gdpr.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Mon, 23 May 2022 11:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">One thousand four<\/span> hundred and fifty-nine days have passed since data rights nonprofit NOYB fired off its first complaints under Europe\u2019s flagship data regulation, GDPR. 
The complaints allege <a data-offer-url=\"https:\/\/noyb.eu\/en\/noybeu-filed-complaints-over-forced-consent-against-google-instagram-whatsapp-and-facebook\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/noyb.eu\/en\/noybeu-filed-complaints-over-forced-consent-against-google-instagram-whatsapp-and-facebook&quot;}\" href=\"https:\/\/noyb.eu\/en\/noybeu-filed-complaints-over-forced-consent-against-google-instagram-whatsapp-and-facebook\" rel=\"nofollow noopener\" target=\"_blank\">Google, WhatsApp, Facebook, and Instagram<\/a> forced people into giving up their data without obtaining proper consent, says Romain Robert, a program director at the nonprofit. The complaints landed on May 25, 2018, the day GDPR came into force and bolstered the privacy rights of 740 million Europeans. Four years later, NOYB is still waiting for final decisions to be made. And it\u2019s not the only one.<\/p>\n<p class=\"paywall\">Since the <a href=\"https:\/\/www.wired.co.uk\/article\/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018\">General Data Protection Regulation<\/a> went into effect, data regulators tasked with enforcing the law have struggled to act quickly on complaints against Big Tech firms and the murky online advertising industry, with scores of cases still outstanding. While GDPR has immeasurably improved the privacy rights of millions inside and outside of Europe, it hasn\u2019t stamped out the worst problems: Data brokers are still stockpiling your information and selling it, and the online advertising industry remains littered with potential abuses.<\/p>\n<p class=\"paywall\">Now, civil society groups have grown frustrated with GDPR\u2019s limitations, while some countries\u2019 regulators complain the system to handle international complaints is bloated and slows down enforcement. By comparison, the information economy moves at breakneck speed. 
\u201cTo say that GDPR is well enforced, I think it\u2019s a mistake. It&#x27;s not enforced as quickly as we thought,\u201d Robert says. NOYB has just <a data-offer-url=\"https:\/\/noyb.eu\/en\/irish-dpc-burns-taxpayer-money-over-delay-cases\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/noyb.eu\/en\/irish-dpc-burns-taxpayer-money-over-delay-cases&quot;}\" href=\"https:\/\/noyb.eu\/en\/irish-dpc-burns-taxpayer-money-over-delay-cases\" rel=\"nofollow noopener\" target=\"_blank\">settled a legal case<\/a> against the delays in its consent complaints. \u201cThere\u2019s still what we call an enforcement gap and problems with cross-border enforcement and enforcement against the big players,\u201d adds David Martin Ruiz, a senior legal officer at the European Consumer Organization, which <a data-offer-url=\"https:\/\/www.beuc.eu\/publications\/consumer-groups-across-europe-file-complaints-against-google-breach-gdpr\/html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.beuc.eu\/publications\/consumer-groups-across-europe-file-complaints-against-google-breach-gdpr\/html&quot;}\" href=\"https:\/\/www.beuc.eu\/publications\/consumer-groups-across-europe-file-complaints-against-google-breach-gdpr\/html\" rel=\"nofollow noopener\" target=\"_blank\">filed a complaint<\/a> about Google\u2019s location tracking four years ago.<\/p>\n<p class=\"paywall\">Lawmakers in Brussels first <a data-offer-url=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_12_46\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_12_46&quot;}\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_12_46\" rel=\"nofollow noopener\" target=\"_blank\">proposed reforming 
Europe\u2019s data rules back in January 2012<\/a> and passed the final law in 2016, giving companies and organizations two years to fall in line. GDPR builds upon previous data regulations, <a data-offer-url=\"https:\/\/www.fieldfisher.com\/en\/services\/privacy-security-and-information\/privacy-security-and-information-law-blog\/getting-to-know-the-gdpr-part-4-souped-up-individual-rights#:~:text=The%20GDPR%20refreshes%20individuals&#x27;%20existing,%E2%80%9Cright%20to%20data%20portability%E2%80%9D.\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.fieldfisher.com\/en\/services\/privacy-security-and-information\/privacy-security-and-information-law-blog\/getting-to-know-the-gdpr-part-4-souped-up-individual-rights#:~:text=The%20GDPR%20refreshes%20individuals&#x27;%20existing,%E2%80%9Cright%20to%20data%20portability%E2%80%9D.&quot;}\" href=\"https:\/\/www.fieldfisher.com\/en\/services\/privacy-security-and-information\/privacy-security-and-information-law-blog\/getting-to-know-the-gdpr-part-4-souped-up-individual-rights#:~:text=The%20GDPR%20refreshes%20individuals&#x27;%20existing,%E2%80%9Cright%20to%20data%20portability%E2%80%9D.\" rel=\"nofollow noopener\" target=\"_blank\">super-charging your rights<\/a> and altering how businesses must handle your <a data-offer-url=\"https:\/\/gdpr-info.eu\/issues\/personal-data\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/gdpr-info.eu\/issues\/personal-data\/&quot;}\" href=\"https:\/\/gdpr-info.eu\/issues\/personal-data\/\" rel=\"nofollow noopener\" target=\"_blank\">personal data<\/a>, information like your name or IP address. 
GDPR doesn\u2019t ban the use of data in certain cases, such as <a href=\"https:\/\/www.wired.com\/story\/hidden-role-facial-recognition-tech-arrests\/\">police use of intrusive facial recognition<\/a>; instead, <a data-offer-url=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/principles\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/principles\/&quot;}\" href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-data-protection\/guide-to-the-general-data-protection-regulation-gdpr\/principles\/\" rel=\"nofollow noopener\" target=\"_blank\">seven principles<\/a> sit at its heart and guide how your data can be handled, stored, and used. These principles apply equally to charities and governments, pharmaceutical companies and Big Tech firms.<\/p>\n<p class=\"paywall\">Crucially, GDPR weaponized these principles and handed each European country\u2019s data regulator the power to issue fines of up to 4 percent of a firm&#x27;s global turnover and order companies to stop practices that violate GDPR&#x27;s principles. (Ordering a company to stop processing people\u2019s data is arguably more impactful than issuing fines.) 
It was never likely that GDPR fines and enforcement were <a href=\"https:\/\/www.wired.co.uk\/article\/gdpr-fines\">going to flow quickly from regulators<\/a>\u2014in competition law, for instance, cases can take decades\u2014but four years after GDPR started, the total number of major decisions against the world\u2019s most powerful data companies remains agonizingly low.<\/p>\n<p class=\"paywall\"><span class=\"lead-in-text-callout\">Under the dense<\/span> series of rules that make up GDPR, complaints against a company that operates in multiple EU countries are usually funneled to the country where its main European headquarters are based. This so-called <a data-offer-url=\"https:\/\/www2.deloitte.com\/ch\/en\/pages\/risk\/articles\/gdpr-one-stop-shop.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www2.deloitte.com\/ch\/en\/pages\/risk\/articles\/gdpr-one-stop-shop.html&quot;}\" href=\"https:\/\/www2.deloitte.com\/ch\/en\/pages\/risk\/articles\/gdpr-one-stop-shop.html\" rel=\"nofollow noopener\" target=\"_blank\">one-stop-shop process<\/a> dictates that the country leads the investigation. The tiny nation of Luxembourg handles complaints against Amazon; the Netherlands deals with Netflix; Sweden has Spotify; and Ireland is responsible for Meta\u2019s Facebook, WhatsApp, and Instagram, plus all of Google\u2019s services, Airbnb, Yahoo, Twitter, Microsoft, Apple, and LinkedIn.<\/p>\n<p class=\"paywall\">A glut of early and complex GDPR complaints has led to backlogs at regulators, including the Irish body, and international cooperation has been slowed down by paperwork. 
Since May 2018, the Irish regulator has completed 65 percent of cases involving cross-border decisions\u2014<a data-offer-url=\"https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss&quot;}\" href=\"https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/dpc-publishes-statistical-report-handling-cross-border-complaints-under-gdprs-one-stop-shop-oss\" rel=\"nofollow noopener\" target=\"_blank\">400 are outstanding<\/a>, according to the regulator&#x27;s own stats. Other cases, launched by NOYB against Netflix (Netherlands), Spotify (Sweden), and PimEyes (Poland) have all also <a data-offer-url=\"https:\/\/noyb.eu\/files\/case_overview\/case_table.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/noyb.eu\/files\/case_overview\/case_table.html&quot;}\" href=\"https:\/\/noyb.eu\/files\/case_overview\/case_table.html\" rel=\"nofollow noopener\" target=\"_blank\">dragged on for years<\/a>.<\/p>\n<p class=\"paywall\">Europe\u2019s data regulators claim GDPR enforcement is still maturing and that it is working well and improving over time. 
(Officials from France, Ireland, Germany, Norway, Luxembourg, Italy, the UK, and Europe\u2019s two independent bodies, the <a data-offer-url=\"https:\/\/edps.europa.eu\/_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edps.europa.eu\/_en&quot;}\" href=\"https:\/\/edps.europa.eu\/_en\" rel=\"nofollow noopener\" target=\"_blank\">EDPS<\/a> and <a data-offer-url=\"https:\/\/edpb.europa.eu\/edpb_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edpb.europa.eu\/edpb_en&quot;}\" href=\"https:\/\/edpb.europa.eu\/edpb_en\" rel=\"nofollow noopener\" target=\"_blank\">EDPB<\/a>, were all interviewed for this article.) The number of fines has ramped up as the legislation has aged, hitting a running total of <a data-offer-url=\"https:\/\/www.enforcementtracker.com\/?insights\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.enforcementtracker.com\/?insights&quot;}\" href=\"https:\/\/www.enforcementtracker.com\/?insights\" rel=\"nofollow noopener\" target=\"_blank\">\u20ac1.6 billion<\/a> (around $1.7 billion). The biggest? 
<a href=\"https:\/\/www.wired.com\/story\/amazon-gdpr-fine-shows-power-limits\/\">Luxembourg fined Amazon \u20ac746 million<\/a>, and <a data-offer-url=\"https:\/\/www.reuters.com\/technology\/irish-data-privacy-watchdog-fines-whatsapp-225-mln-euros-2021-09-02\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.reuters.com\/technology\/irish-data-privacy-watchdog-fines-whatsapp-225-mln-euros-2021-09-02\/&quot;}\" href=\"https:\/\/www.reuters.com\/technology\/irish-data-privacy-watchdog-fines-whatsapp-225-mln-euros-2021-09-02\/\" rel=\"nofollow noopener\" target=\"_blank\">Ireland fined WhatsApp \u20ac225 million<\/a> last year. (Both companies are <a data-offer-url=\"https:\/\/iapp.org\/news\/a\/details-emerge-on-appeal-of-whatsapps-225m-euro-gdpr-fine\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/iapp.org\/news\/a\/details-emerge-on-appeal-of-whatsapps-225m-euro-gdpr-fine\/&quot;}\" href=\"https:\/\/iapp.org\/news\/a\/details-emerge-on-appeal-of-whatsapps-225m-euro-gdpr-fine\/\" rel=\"nofollow noopener\" target=\"_blank\">appealing<\/a> <a data-offer-url=\"https:\/\/www.theregister.com\/2021\/12\/20\/luxembourg_amazon_fine\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.theregister.com\/2021\/12\/20\/luxembourg_amazon_fine\/&quot;}\" href=\"https:\/\/www.theregister.com\/2021\/12\/20\/luxembourg_amazon_fine\/\" rel=\"nofollow noopener\" target=\"_blank\">the decisions<\/a>). 
At the same time, one lesser-known Belgian fine could <a data-offer-url=\"https:\/\/gizmodo.com\/gdpr-iab-europe-privacy-consent-ad-tech-online-advertis-1848469604\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/gizmodo.com\/gdpr-iab-europe-privacy-consent-ad-tech-online-advertis-1848469604&quot;}\" href=\"https:\/\/gizmodo.com\/gdpr-iab-europe-privacy-consent-ad-tech-online-advertis-1848469604\" rel=\"nofollow noopener\" target=\"_blank\">change how the entire ad tech industry works<\/a>. However, officials concede that changes to the way GDPR is enforced could speed up the process and ensure swifter action.<\/p>\n<p class=\"paywall\">Helen Dixon is at the heart of Europe\u2019s GDPR enforcement, with the Irish Data Protection Commission (DPC) responsible for an outsized number of Big Tech firms. The DPC has <a data-offer-url=\"https:\/\/www.ft.com\/content\/5b986586-0f85-47d5-8edb-3b49398e2b08\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.ft.com\/content\/5b986586-0f85-47d5-8edb-3b49398e2b08&quot;}\" href=\"https:\/\/www.ft.com\/content\/5b986586-0f85-47d5-8edb-3b49398e2b08\" rel=\"nofollow noopener\" target=\"_blank\">faced criticism<\/a> for struggling to keep up with the number of complaints under its purview, <a data-offer-url=\"https:\/\/www.ft.com\/content\/37705bcf-c5b6-4ef0-adb8-35a8680dbaec\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.ft.com\/content\/37705bcf-c5b6-4ef0-adb8-35a8680dbaec&quot;}\" href=\"https:\/\/www.ft.com\/content\/37705bcf-c5b6-4ef0-adb8-35a8680dbaec\" rel=\"nofollow noopener\" target=\"_blank\">drawing ire<\/a> from fellow regulators and <a 
data-offer-url=\"https:\/\/www.irishtimes.com\/business\/technology\/civil-rights-in-peril-unless-data-protection-watchdog-is-reformed-says-committee-1.4628091\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.irishtimes.com\/business\/technology\/civil-rights-in-peril-unless-data-protection-watchdog-is-reformed-says-committee-1.4628091&quot;}\" href=\"https:\/\/www.irishtimes.com\/business\/technology\/civil-rights-in-peril-unless-data-protection-watchdog-is-reformed-says-committee-1.4628091\" rel=\"nofollow noopener\" target=\"_blank\">calls to reform the body<\/a>. \u201cIf everything comes at you at the same time, clearly there\u2019s going to be a lag in terms of prioritizing and dealing sequentially with the issues while standing up what is a very significant legal framework,\u201d Dixon says, defending her office\u2019s performance. Dixon says the DPC has had to handle GDPR\u2019s complexity from scratch, leading to many cases and new processes, and there aren\u2019t simple answers for many of them.<\/p>\n<p class=\"paywall\">\u201cI would classify the DPC as being very effective in the first four years of application of the GDPR,\u201d Dixon says. \u201cThe fact that DPC has stood up a new legal framework that many described as &#x27;the law of everything&#x27; in a couple of short years, and implemented what are very significant sanctions in the form of fines and corrective measures already in that time period\u201d shows its success, Dixon says. 
The organization has enforced measures against <a data-offer-url=\"https:\/\/www.arthurcox.com\/knowledge\/data-protection-commission-imposes-a-e450000-fine-on-twitter-for-a-gdpr-data-breach\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.arthurcox.com\/knowledge\/data-protection-commission-imposes-a-e450000-fine-on-twitter-for-a-gdpr-data-breach\/&quot;}\" href=\"https:\/\/www.arthurcox.com\/knowledge\/data-protection-commission-imposes-a-e450000-fine-on-twitter-for-a-gdpr-data-breach\/\" rel=\"nofollow noopener\" target=\"_blank\">Twitter<\/a>, <a data-offer-url=\"https:\/\/www.twobirds.com\/en\/insights\/2021\/uk\/irish-data-protection-commission-whatsapp-decision#:~:text=On%202nd%20September%202021%2C%20the,as%20required%20by%20GDPR%20Art.\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.twobirds.com\/en\/insights\/2021\/uk\/irish-data-protection-commission-whatsapp-decision#:~:text=On%202nd%20September%202021%2C%20the,as%20required%20by%20GDPR%20Art.&quot;}\" href=\"https:\/\/www.twobirds.com\/en\/insights\/2021\/uk\/irish-data-protection-commission-whatsapp-decision#:~:text=On%202nd%20September%202021%2C%20the,as%20required%20by%20GDPR%20Art.\" rel=\"nofollow noopener\" target=\"_blank\">WhatsApp<\/a>, <a data-offer-url=\"https:\/\/www.bbc.co.uk\/news\/articles\/cp9yenpgjwzo#:~:text=Facebook%20fined%20%E2%82%AC17m%20for%20breaching%20EU%20data%20privacy%20laws&amp;text=Facebook%20parent%20company%20Meta%20has,2018%20and%204%20December%2C%202018.\" class=\"external-link\" 
data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bbc.co.uk\/news\/articles\/cp9yenpgjwzo#:~:text=Facebook%20fined%20%E2%82%AC17m%20for%20breaching%20EU%20data%20privacy%20laws&amp;text=Facebook%20parent%20company%20Meta%20has,2018%20and%204%20December%2C%202018.&quot;}\" href=\"https:\/\/www.bbc.co.uk\/news\/articles\/cp9yenpgjwzo#:~:text=Facebook%20fined%20%E2%82%AC17m%20for%20breaching%20EU%20data%20privacy%20laws&amp;text=Facebook%20parent%20company%20Meta%20has,2018%20and%204%20December%2C%202018.\" rel=\"nofollow noopener\" target=\"_blank\">Facebook<\/a>, and <a data-offer-url=\"https:\/\/www.dataprotection.ie\/en\/dpc-guidance\/law\/decisions\/groupon-december-2020\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.dataprotection.ie\/en\/dpc-guidance\/law\/decisions\/groupon-december-2020&quot;}\" href=\"https:\/\/www.dataprotection.ie\/en\/dpc-guidance\/law\/decisions\/groupon-december-2020\" rel=\"nofollow noopener\" target=\"_blank\">Groupon<\/a>, among thousands of national cases, during this time.<\/p>\n<p class=\"paywall\">\u201cThere should be an independent review of how to reform and strengthen the DPC,\u201d says Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties. \u201cWe cannot know from outside what the problems are.\u201d Ryan adds that blame can\u2019t just be leveled at the Irish regulator. \u201cThe European Commission has immense power. The GDPR is supposed to be an immense project. And the Commission has neglected the GDPR,\u201d he says. 
\u201cIt doesn&#x27;t just propose the laws, it also has to see that they are applied.\u201d<\/p>\n<p class=\"paywall\">So far, the European Commission has <a data-offer-url=\"https:\/\/www.politico.eu\/article\/ireland-general-data-protection-regulation-gdpr-criticism-privacy-didier-reynders-european-commission\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.eu\/article\/ireland-general-data-protection-regulation-gdpr-criticism-privacy-didier-reynders-european-commission\/&quot;}\" href=\"https:\/\/www.politico.eu\/article\/ireland-general-data-protection-regulation-gdpr-criticism-privacy-didier-reynders-european-commission\/\" rel=\"nofollow noopener\" target=\"_blank\">backed enforcement of GDPR in Ireland and across the continent<\/a>. \u201cThe Commission has consistently called on data protection authorities to continue stepping up their enforcement efforts,\u201d Didier Reynders, the European Commissioner for Justice, says in a statement. 
\u201cWe have launched six infringement procedures under the GDPR.\u201d These legal cases include action against Slovenia for <a data-offer-url=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_601\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_601&quot;}\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_601\" rel=\"nofollow noopener\" target=\"_blank\">failing to import GDPR into its national law<\/a> and <a data-offer-url=\"https:\/\/iapp.org\/news\/a\/european-commission-pursues-action-against-belgium-over-independence-of-dpa\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/iapp.org\/news\/a\/european-commission-pursues-action-against-belgium-over-independence-of-dpa\/&quot;}\" href=\"https:\/\/iapp.org\/news\/a\/european-commission-pursues-action-against-belgium-over-independence-of-dpa\/\" rel=\"nofollow noopener\" target=\"_blank\">questioning the independence of the Belgian data authority<\/a>.<\/p>\n<p class=\"paywall\">However, following a complaint from Ryan in February, the EU Ombudsman, a watchdog for European institutions, <a data-offer-url=\"https:\/\/www.siliconrepublic.com\/enterprise\/eu-ombudsman-inquiry-gdpr-ireland-commission-iccl\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.siliconrepublic.com\/enterprise\/eu-ombudsman-inquiry-gdpr-ireland-commission-iccl&quot;}\" href=\"https:\/\/www.siliconrepublic.com\/enterprise\/eu-ombudsman-inquiry-gdpr-ireland-commission-iccl\" rel=\"nofollow noopener\" target=\"_blank\">opened an inquiry<\/a> into how the Commission has been monitoring data protection in Ireland. 
(The Ombudsman says the Commission has until May 25 to reply, after asking for its initial deadline to be extended. Reynders says the Commission does not comment on ongoing inquiries). If the Commission does look into Ireland, it could make recommendations, says Estelle Mass\u00e9, the global data protection lead at Access Now, a technology-focused civil rights organization. \u201cThere is an issue, and if you don&#x27;t intervene in this way, I don\u2019t really see how the situation will resolve,\u201d Mass\u00e9 says. \u201cIt has to go through an infringement procedure.\u201d<\/p>\n<p class=\"paywall\"><span class=\"lead-in-text-callout\">Despite clear enforcement<\/span> problems, GDPR has had an incalculable effect on data practices broadly. EU countries have made decisions in thousands of local cases and issued guidance to organizations to say how they should use people\u2019s data. Spain\u2019s LaLiga soccer league was fined after its <a data-offer-url=\"https:\/\/techcrunch.com\/2019\/06\/12\/laliga-fined-280k-for-soccer-apps-privacy-violating-spy-mode\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/techcrunch.com\/2019\/06\/12\/laliga-fined-280k-for-soccer-apps-privacy-violating-spy-mode\/&quot;}\" href=\"https:\/\/techcrunch.com\/2019\/06\/12\/laliga-fined-280k-for-soccer-apps-privacy-violating-spy-mode\/\" rel=\"nofollow noopener\" target=\"_blank\">app spied on users<\/a>, retailer <a data-offer-url=\"https:\/\/datenschutz-hamburg.de\/assets\/pdf\/2020-10-01-press-release-h+m-fine.pdf\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/datenschutz-hamburg.de\/assets\/pdf\/2020-10-01-press-release-h+m-fine.pdf&quot;}\" href=\"https:\/\/datenschutz-hamburg.de\/assets\/pdf\/2020-10-01-press-release-h+m-fine.pdf\" rel=\"nofollow noopener\" target=\"_blank\">H&amp;M was fined<\/a> in Germany 
after it saved details about employees\u2019 personal lives, the Netherlands\u2019 tax body was <a data-offer-url=\"https:\/\/edpb.europa.eu\/news\/national-news\/2022\/tax-administration-fined-fraud-black-list-0_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edpb.europa.eu\/news\/national-news\/2022\/tax-administration-fined-fraud-black-list-0_en&quot;}\" href=\"https:\/\/edpb.europa.eu\/news\/national-news\/2022\/tax-administration-fined-fraud-black-list-0_en\" rel=\"nofollow noopener\" target=\"_blank\">fined over its use of a \u2018blacklist<\/a>,\u2019 and these are just a handful of the successful cases.<\/p>\n<p class=\"paywall\">Some of GDPR\u2019s impact is also hidden\u2014the law isn\u2019t just about fines and ordering companies to change\u2014and it has improved company behaviors. \u201cIf you compare the awareness about cybersecurity, about data protection, about privacy, as it looked like 10 years ago and it looks today, these are completely different worlds,\u201d says Wojciech Wiewi\u00f3rowski, the European Data Protection Supervisor, who oversees GDPR cases against European institutions, such as <a data-offer-url=\"https:\/\/edps.europa.eu\/press-publications\/press-news\/press-releases\/2022\/edps-orders-europol-erase-data-concerning_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edps.europa.eu\/press-publications\/press-news\/press-releases\/2022\/edps-orders-europol-erase-data-concerning_en&quot;}\" href=\"https:\/\/edps.europa.eu\/press-publications\/press-news\/press-releases\/2022\/edps-orders-europol-erase-data-concerning_en\" rel=\"nofollow noopener\" target=\"_blank\">Europol<\/a>.<\/p>\n<p class=\"paywall\">Companies have been put off using people\u2019s data in dubious ways, <a data-offer-url=\"https:\/\/twitter.com\/CarlGottlieb\/status\/1505303004190285826\" 
class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/CarlGottlieb\/status\/1505303004190285826&quot;}\" href=\"https:\/\/twitter.com\/CarlGottlieb\/status\/1505303004190285826\" rel=\"nofollow noopener\" target=\"_blank\">experts say<\/a>, when they wouldn\u2019t have thought twice about it pre-GDPR. One <a data-offer-url=\"https:\/\/www.theregister.com\/2022\/05\/09\/gdpr_europe_apps\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.theregister.com\/2022\/05\/09\/gdpr_europe_apps\/&quot;}\" href=\"https:\/\/www.theregister.com\/2022\/05\/09\/gdpr_europe_apps\/\" rel=\"nofollow noopener\" target=\"_blank\">recent study<\/a> estimated that the number of Android apps on Google\u2019s Play store has dropped by a third since the introduction of GDPR, citing better privacy protections. \u201cMore and more businesses have allocated significant budgets to doing data protection compliance,\u201d says Hazel Grant, head of the privacy, security, and information group at London-headquartered law firm Fieldfisher. Grant says that when GDPR decisions are made\u2014such as <a href=\"https:\/\/www.wired.com\/story\/google-analytics-europe-austria-privacy-shield\/\">Austria\u2019s decision to make the use of Google Analytics unlawful<\/a>\u2014companies are concerned about what it means for them. \u201cFour or five years ago, that enforcement wouldn&#x27;t have happened,\u201d Grant says. \u201cAnd if it had happened, maybe a few data protection lawyers would have known about it\u2014it wouldn&#x27;t have been out there with clients coming to us saying we need advice on this.\u201d<\/p>\n<p class=\"paywall\">But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. 
One recent internal Facebook document obtained by Motherboard hints that the company <a data-offer-url=\"https:\/\/www.vice.com\/en\/article\/akvmke\/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.vice.com\/en\/article\/akvmke\/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes&quot;}\" href=\"https:\/\/www.vice.com\/en\/article\/akvmke\/facebook-doesnt-know-what-it-does-with-your-data-or-where-it-goes\" rel=\"nofollow noopener\" target=\"_blank\">doesn&#x27;t really know what it does with your data<\/a>\u2014an assertion Facebook denied at the time. Equally, a <a href=\"https:\/\/www.wired.com\/story\/amazon-failed-to-protect-your-data-investigation\/\">WIRED and <em>Reveal<\/em> joint investigation at the end of 2021<\/a> found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an \u201cexceptional\u201d track record in protecting data.)<\/p>\n<p class=\"paywall\">Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.<\/p>\n<p class=\"paywall\">\u201cThere is a lag, especially on Big Tech, enforcing the law on Big Tech\u2014and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,\u201d says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe\u2019s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. 
Ireland\u2019s fine against WhatsApp grew <a data-offer-url=\"https:\/\/www.irishtimes.com\/business\/technology\/record-225m-fine-imposed-on-whatsapp-by-irish-regulator-for-severe-breaches-of-privacy-law-1.4663042\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.irishtimes.com\/business\/technology\/record-225m-fine-imposed-on-whatsapp-by-irish-regulator-for-severe-breaches-of-privacy-law-1.4663042&quot;}\" href=\"https:\/\/www.irishtimes.com\/business\/technology\/record-225m-fine-imposed-on-whatsapp-by-irish-regulator-for-severe-breaches-of-privacy-law-1.4663042\" rel=\"nofollow noopener\" target=\"_blank\">from the original proposed penalty of as little as \u20ac30 million<\/a> to \u20ac225 million after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.<\/p>\n<p class=\"paywall\">The one-stop-shop was created under GDPR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway\u2019s data protection authority, says that each week several drafts of decisions are circulated among Europe\u2019s data regulators. \u201cIn the vast majority of those cases, we actually agree,\u201d Judin says. (German authorities <a data-offer-url=\"https:\/\/mobile.twitter.com\/vmanancourt\/status\/1496828908922097664?s=12\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/mobile.twitter.com\/vmanancourt\/status\/1496828908922097664?s=12&quot;}\" href=\"https:\/\/mobile.twitter.com\/vmanancourt\/status\/1496828908922097664?s=12\" rel=\"nofollow noopener\" target=\"_blank\">object the most<\/a>.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. 
\u201cWe do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,\u201d Judin says.<\/p>\n<p class=\"paywall\">Luxembourg\u2019s data regulator hit Amazon with a record-breaking \u20ac746 million fine last year, its first case against the retailer. Amazon is contesting the fine in court\u2014in a statement to WIRED, the company repeated its assertion that \u201cthere has been no data breach, and no customer data has been exposed to any third party\u201d\u2014but Luxembourg\u2019s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. \u201cI think under one year or one-half year, I think it\u2019s almost impossible to have it closed before such a delay,\u201d says Alain Herrmann, one of Luxembourg\u2019s four data protection commissioners. \u201cThere are huge [amounts of] information to deal with.\u201d Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. \u201cIt\u2019s just the [one-stop-shop] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,\u201d Robert says.<\/p>\n<p class=\"paywall\">The French data regulator has, in some ways, sidestepped the international GDPR process by directly pursuing companies\u2019 use of cookies. 
Despite common beliefs, <a href=\"https:\/\/www.wired.com\/story\/avoid-cookie-popups-gdpr\/\">annoying cookie pop-ups<\/a> <a data-offer-url=\"https:\/\/twitter.com\/MissIG_Geek\/status\/1524353593385574400\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/twitter.com\/MissIG_Geek\/status\/1524353593385574400&quot;}\" href=\"https:\/\/twitter.com\/MissIG_Geek\/status\/1524353593385574400\" rel=\"nofollow noopener\" target=\"_blank\">don\u2019t come from GDPR<\/a>\u2014they\u2019re governed by the EU\u2019s separate E-Privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, has hit Google, Amazon, and Facebook with <a data-offer-url=\"https:\/\/www.cnil.fr\/en\/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.cnil.fr\/en\/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance&quot;}\" href=\"https:\/\/www.cnil.fr\/en\/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance\" rel=\"nofollow noopener\" target=\"_blank\">hefty<\/a> <a data-offer-url=\"https:\/\/www.cnil.fr\/en\/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.cnil.fr\/en\/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance&quot;}\" href=\"https:\/\/www.cnil.fr\/en\/cookies-cnil-fines-google-total-150-million-euros-and-facebook-60-million-euros-non-compliance\" rel=\"nofollow noopener\" target=\"_blank\">fines<\/a> for bad cookie practices. 
Perhaps more importantly, it has forced companies to change their behavior. Google is <a data-offer-url=\"https:\/\/blog.google\/around-the-globe\/google-europe\/new-cookie-choices-in-europe\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.google\/around-the-globe\/google-europe\/new-cookie-choices-in-europe\/&quot;}\" href=\"https:\/\/blog.google\/around-the-globe\/google-europe\/new-cookie-choices-in-europe\/\" rel=\"nofollow noopener\" target=\"_blank\">altering its cookie banners across the whole of Europe<\/a> following the French enforcement.<\/p>\n<p class=\"paywall\">\u201cWe are starting to see really concrete changes to the digital ecosystems and evolution of practices, which is really what we are looking [for],\u201d Denis says. She explains that CNIL will next look at data collection by mobile apps under the E-Privacy law, and cloud data transfers under GDPR. The cookie enforcement effort wasn\u2019t to avoid GDPR\u2019s protracted process, but it was more efficient, Denis says. 
\u201cWe still believe in the GDPR enforcement mechanism, but we need to make it work better\u2014and quicker.\u201d<\/p>\n<p class=\"paywall\"><span class=\"lead-in-text-callout\">In the last<\/span> year, there have been <a data-offer-url=\"https:\/\/www.politico.eu\/article\/eu-privacy-regulators-clash-gdpr-enforcement\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.eu\/article\/eu-privacy-regulators-clash-gdpr-enforcement\/&quot;}\" href=\"https:\/\/www.politico.eu\/article\/eu-privacy-regulators-clash-gdpr-enforcement\/\" rel=\"nofollow noopener\" target=\"_blank\">growing calls<\/a> <a data-offer-url=\"https:\/\/www.politico.eu\/article\/eu-privacy-laws-chief-architect-calls-for-its-overhaul\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.eu\/article\/eu-privacy-laws-chief-architect-calls-for-its-overhaul\/&quot;}\" href=\"https:\/\/www.politico.eu\/article\/eu-privacy-laws-chief-architect-calls-for-its-overhaul\/\" rel=\"nofollow noopener\" target=\"_blank\">to change<\/a> how GDPR works. \u201cEnforcement should be more centralized for big affairs,\u201d Viviane Reding, the politician who proposed GDPR back in 2012, <a data-offer-url=\"https:\/\/www.politico.eu\/article\/eu-privacy-laws-chief-architect-calls-for-its-overhaul\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.politico.eu\/article\/eu-privacy-laws-chief-architect-calls-for-its-overhaul\/&quot;}\" href=\"https:\/\/www.politico.eu\/article\/eu-privacy-laws-chief-architect-calls-for-its-overhaul\/\" rel=\"nofollow noopener\" target=\"_blank\">said of the data law in May last year<\/a>. 
The calls have come as Europe passed its next two big pieces of digital regulation: the <a href=\"https:\/\/www.wired.com\/story\/europe-digital-services-act\/\">Digital Services Act<\/a> and the <a href=\"https:\/\/www.wired.com\/story\/digital-markets-act-messaging\/\">Digital Markets Act<\/a>. The laws, which focus on competition and internet safety, handle enforcement differently from GDPR; in some instances, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.<\/p>\n<p class=\"paywall\">There appears to be little appetite to reopen GDPR itself; however, smaller tweaks could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, <a data-offer-url=\"https:\/\/edpb.europa.eu\/news\/news\/2022\/dpas-decide-closer-cooperation-strategic-files_en\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/edpb.europa.eu\/news\/news\/2022\/dpas-decide-closer-cooperation-strategic-files_en&quot;}\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2022\/dpas-decide-closer-cooperation-strategic-files_en\" rel=\"nofollow noopener\" target=\"_blank\">countries agreed<\/a> that some international cases will work to fixed deadlines and timelines and said they would try to \u201cjoin forces\u201d on some investigations. Norway\u2019s Judin says the move is positive but questions how effective it will be in practice.<\/p>\n<p class=\"paywall\">Mass\u00e9, from Access Now, says a small amendment to GDPR could significantly address some of the biggest current enforcement problems. 
Legislation could ensure data protection authorities handle complaints in the same way (including using the same forms), explicitly lay out how the one-stop-shop should work, and make sure that procedures in individual countries are the same, Mass\u00e9 says. In short, it could clarify how GDPR enforcement should be handled by every country.<\/p>\n<p class=\"paywall\">The view is also shared by data regulators, at least to some degree. France\u2019s Denis says regulators should share more information, more quickly on cross-border cases so they can build up an informal consensus around a potential decision. \u201cThe Commission could also, for example, look at resources given to data protection authorities,\u201d Denis says. \u201cBecause it\u2019s a member state\u2019s obligation to give sufficient resources to data protection authorities to carry out their duties.\u201d The staff and resources regulators have to investigate and enforce are dwarfed by those of Big Tech.<\/p>\n<p class=\"paywall\">\u201cPotentially, if there was the possibility for some kind of an instrument specific to the GDPR\u2014being a legal instrument\u2014that would specify certain process and procedural issues, that might assist,\u201d Ireland\u2019s Dixon says. She adds that complications that could be ironed out include issues around access to files during investigations, whether those making the complaints are given access to the investigation process, and problems in translations. \u201cThere\u2019s a whole range of inconsistencies around that, giving rise to delays and dissatisfaction on all sides,\u201d Dixon says.<\/p>\n<p class=\"paywall\">Without some changes\u2014and strong enforcement\u2014civil society groups warn that GDPR could fail to stop the worst practices of Big Tech companies and improve people\u2019s sense of privacy. \u201cThe immediate thing that needs to be addressed is the Big Tech firms,\u201d Ryan says. 
\u201cIf we cannot deal with Big Tech, we will create a permanence to the fatalism that people feel about privacy and data.\u201d Four years in, Mass\u00e9 says she still has hope for GDPR enforcement. \u201cIt&#x27;s really not what we had hoped for. But it\u2019s also not in a place that I think we can start digging a grave for the GDPR and forget about it.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/gdpr-2022\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/6287f56cc4dc7fd61e1003a7\/master\/pass\/security-gdpr.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Mon, 23 May 2022 11:00:00 +0000<\/strong><\/p>\n<p>The world-leading data law changed how companies work. But four years on, there\u2019s a lag on cleaning up Big Tech.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21382],"class_list":["post-19154","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-privacy"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19154"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/
wp\/v2\/posts\/19154\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}