GDPR’s First Two Years Have Been Marked by Lots of Complaints and Limited Resources

Adam Satariano, New York Times:

The law, known as the General Data Protection Regulation, or G.D.P.R., created new limits on how companies can collect and share data without user consent. It gave governments broad authority to impose fines of up to 4 percent of a company’s global revenue, or to force changes to its data-collection practices. The policy served as a model for new privacy rules in Brazil, Japan, India and elsewhere.

But since the law was enacted, in May 2018, Google has been the only giant tech company to be penalized — a fine of 50 million euros, worth roughly $54 million today, or about one-tenth of what Google generates in sales each day. No major fines or penalties have been announced against Facebook, Amazon or Twitter.

The inaction is creating tension within European governments, as some leaders call for speedier enforcement and broader changes. Privacy groups and smaller tech companies complain that companies like Facebook and Google are avoiding tough oversight. At the same time, the public’s experience with the G.D.P.R. has been a frustrating number of pop-up consent windows to click through when visiting a website.

It seems bizarre to treat the total number of punishments issued as a barometer for a law’s effectiveness. Surely a regulation’s primary purpose is to change behaviour, particularly as GDPR was passed two years before it went into effect. Indeed, it seems as though this law has made some headway: tech companies now offer ways for users to download personal data — something that was never possible before and is increasingly important — users can now revoke permissions, and companies of all types have been forced to reevaluate how much personal information they collect. The New York Times itself changed its ad policies in the E.U., and total penalties assessed have been in the range of hundreds of millions of euros. The law is, to some extent, working — and those cookie consent forms are broadly illegal.

But it is frustrating to read how poorly resources have been allocated to GDPR investigators, particularly in Ireland, where big tech companies have historically situated their E.U. headquarters for tax avoidance reasons. For what it’s worth, I doubt any officials could have successfully revealed the rats’ nest of data harvesting technologies in two years, but it sure is not helped by insufficient funding and corporate obfuscation tactics.