5 years of the GDPR: National authorities let down European legislator
On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, promising to be the strongest set of data protection rules to enhance our privacy. While the contents of EU data protection rules stayed largely the same, the alleged big change was the GDPR's strict enforcement. 5 years later, national authorities and courts largely leave the European legislator in the lurch – despite a budget of more than €330 million in 2022.
On 25 May 2018, the GDPR came into force, promising to be the strongest set of data protection rules to enhance our privacy. While the contents of EU data protection rules stayed largely the same, the alleged big change was the GDPR’s strict enforcement.
5 years later, national authorities and courts largely leave the European legislator in the lurch – despite a budget of more than €330 million in 2022.
noyb provides the following resources on the 5 year anniversary:
- Detailed data on noyb’s 800+ GDPR cases, showing that more than 85% of all noyb cases are not decided – 470 complaints have been awaiting a decision for more than 1.5 years
- noyb‘s “GDPR Trap Map” with many of the national procedural issues to click through
- “Country profiles” with specific issues in Austria, Belgium, France, Germany, Greece (EN/ GR), Ireland, Italy, Luxembourg, Netherlands (EN/ NL), Poland and Spain
- Our website with a proposal for a GDPR Procedures Regulation that could overcome many of the GDPR enforcement issues
Meta € 1.2 billion fine is an example of enforcement not working. While a € 1.2 billion fine (that was strategically delayed until the week of the “five years of the GDPR”) may grab headlines, it is actually reflective of enforcement not working.
Not only did it take more than ten years for the DPC to reach a first decision (which will now be appealed), the case also required Max Schrems to engage in three sets of litigation against the Irish DPC to force it to do its job. This included the Court of Justice of the EU (CJEU) and the EDPB telling the Irish DPC three times to effectively handle the case. The cost of this litigation is estimated at more than € 10 million.
Every Member State has some procedural trick or issue to undermine the GDPR
The GDPR was passed in the European Parliament with a 96% majority, everyone but one Member State supported the law. However, the national legislators and national practice hit soon thereafter. Almost every Member State has some procedural trick or issue to undermine the GDPR.
This ranges from adding concepts like a “threshold” for privacy violations, to taking the view that “handling” a complaint may also mean to just trash it. Other examples include that the authorities in France or Sweden take the view that a complainant is not a party to their own procedure, while in Poland the authority requires that you travel to Warsaw to take cell phone pictures of your file. Noyb curated an overview in our “GDPR Trap Map” to show some of the traps that average citizens end up with.
“The GDPR had very strong political backing. Five years into the GDPR, we see a lot of resistance by authorities and courts to enforce the law. The legislator has spoken, but the national courts and authorities constantly find new ways not to listen. It often feels like there is more energy spent in undermining the GDPR than in complying with it. While companies know that Ireland is the ‘go to’ jurisdiction for non-enforcement, there is hardly a ’go to’ jurisdiction for citizens, as there are enforcement issues in basically all Member States.”
While an exceptional fine grabs international headlines, noyb’s much larger database of cases shows that Data Protection Authorities (DPAs) largely do not enforce the GDPR in due time. Of the more than 800 cases that noyb has filed in the past year, 85,9% are not decided and more than 58% are waiting for a decision for more than 18 months.The GDPR however requires companies to comply with requests within one month and national laws that often require decisions within 3-6 months.
“In many jurisdictions you get a decision after two years at best – that is if you ever get a decision. The practice is simply miles away from the intention of the legislator to have a free and easy way to complain. We waste most of our time chasing case managers, files and authorities.”