Europe's landmark online privacy law, the General Data Protection Regulation (GDPR), was hailed as progressive legislation that would finally penalize tech companies for collecting data from users in ways that are confusing and unintuitive. But The New York Times published a story today concluding that regulators in the European Union have been given mere pennies with which to enforce GDPR, and as such, the law hasn't really had its expected impact since passing in 2018.
The most damning evidence is that the only fine levied as a consequence of GDPR has been a $57 million fine against Google brought down in 2019. The company was sued under the law by French data regulators, who said Google wasn't being clear enough with consumers about how it collects data from its various services to use in personalized advertisements. As the article notes, the $57 million penalty is less than one-tenth of what Google generates in revenue each day. So, hardly punitive then.
Bringing a water pistol to a machine gun fight — A big flaw in the law comes down to funding. Enforcement of GDPR isn't centralized; rather, each country in the EU has jurisdiction over the specific companies headquartered within its borders. They also each have their own enforcement budgets. Ireland in particular is home to most of American tech's European outposts, with Apple, Facebook, Google, LinkedIn, and Twitter all based there because of its favorable tax system.
Despite its outsized influence, Ireland's budget for researching violations and bringing enforcement action ranks sixth in Europe at only €16.9 million (about $18 million). Google's lobbying spend alone in 2019 was $11.8 million. Facebook spent $16.7 million.
Fines aren't necessarily the only sign a law is working. Facebook and others argue they've improved their privacy practices since GDPR passed, such as by making it easier for users to adjust their privacy settings. Still, a law like GDPR is supposed to be punitive enough that it scares tech companies into moving slower, and the most visible change has been a slew of new pop-up dialogs that everybody accepts without reading.
Rings of red tape — It doesn't help that GDPR is being bogged down by bureaucratic requirements. Regulators must respond to every single complaint filed by EU citizens. Ireland alone has received more than 12,000 complaints since 2018 that its 140 employees have to contend with. Countries must also respond to legal questions by tech companies before cases can advance, which is an easy way for companies to stall the process.
By the time countries are able to investigate possible violations and bring lawsuits, these companies will already have had enough time to make much, much more money. How many new privacy violations have occurred that EU regulators aren't yet aware of because they don't have the money to look into it? That's why a dearth of fines is worrying. Big Tech doesn't exactly have a great reputation with data...
Not the best precedent — Because many in the U.S. have looked to the GDPR as a possible model for future data protection legislation stateside, this isn't a good start. Most people don't intuitively understand all the complex and intricate ways their data is being used when they pop open an app like, say, Google Maps, which, unless users opt out, can create a detailed timeline of everywhere they go.
That type of confusing collection, where people don't truly understand it's actually happening, is something GDPR is supposed to prevent. Some believe that the products are so good consumers will willingly accept the trade-off if they're aware that they're making it. The problem — and the reason why people have become distrustful of tech — is that they're not very aware of what exactly they're giving up.
Giants like Google and Facebook don't like going through the work of explaining these things because it slows them down and creates "friction" where they're focused on growth at all costs. Also, it risks making people less inclined to use their services, or more inclined to demand certain protections they otherwise might not. Which, of course, is precisely why GDPR-like legislation matters so much.