The European Union is a legislative superpower with a weak enforcement track record. The latest demonstration of this reality is one of the EU’s flagship laws: the General Data Protection Regulation (GDPR). Four years after the law became applicable, the EU now needs to save the GDPR. So today, we ask the European Commission to introduce a new legislative act to complement the GDPR and clarify its enforcement. Here is why.
In our new report: Four year under the GDPR: how to fix its enforcement, we look at the problems with the application of the law across the EU and offer our recommendations for a solution.
Alarm bells over the unequal and slow enforcement of the GDPR have been ringing for a few years now. The concerns once shared only by academics and civil society partners have now reached the institutions. In May 2022, the European Data Protection Supervisor gathered thousands of experts — from regulators, to NGOs and consumer groups, to private sector representatives — and the European Commission to discuss a way forward for the enforcement of the GDPR.
Our takeaway: after four years and thousands of people filing complaints with their data protection authorities, people in the EU are still waiting to see their data protection rights materialise. It appears the road to data protection is paved with delays, uncertainty, and unequal access to remedy across the EU. A new study that we commissioned by The Data Protection Law Scholars Network, The right to lodge a data protection complaint: OK, but then what? An empirical study of current practices under the GDPR, shows that, in practice, data subjects across the EU do not have an equal right to lodge a complaint. This is a serious impediment to the GDPR’s efficacy for vindicating our rights.
Does this mean that it is time for a full legislative reform of the GDPR? To some, this option might seem tempting. The very existence of a “Brussels bubble” depends on the legislative train never stopping. But if the real issue with the GDPR is lack of enforcement, will changes to its content make things any better? It is unlikely. In fact, it may lead to a watering down of hard-fought protections for people’ rights. A recast of the GDPR should be off the table, at least in the near future.
No recast of the GDPR. But then what?
How do we deliver on the benefits and promises of the GDPR? That question is at the center of this year’s report. We first look into some of the causes of the enforcement problems, then offer recommendations to fix them.
We all have a role to play in making the GDPR a success, individually and collectively. That includes NGOs, Data Protection Authorities, and the European Data Protection Board. We still don’t have a full picture of the success and issues of the GDPR enforcement model, which is why additional research is needed. From the challenges we already know regarding the application of EU law and fragmentation of enforcement, we particularly need the European Commission to step in and course-correct. This is why we are calling on the European Commission to introduce a complementary legislative measure to clarify how to enforce the GDPR — and thereby save the law.