Five years and counting: GDPR faces a make-or-break moment over enforcement

As the General Data Protection Regulation (GDPR) turns five, so does the Europe-wide wait for its real-life enforcement. In a new report, Five years under the GDPR: An implementation progress report, Access Now explores how the GDPR could finally become a success if its enforcement process is improved. 

The GDPR is a cornerstone legislation to ensure the protection of fundamental rights online. Yet, after five years of application, millions of  people are still waiting for these rights to materialise due to slow and inconsistent enforcement. As a result, Big Tech business models remain centred around excessive data collection and exploitation. 

As the success of the GDPR hangs in the balance, the European Commission is finally stepping in to address some of the enforcement challenges. In June, the European Commission is expected to propose a new regulation that will clarify enforcement procedures and help coordination between Data Protection Authorities.

The EU’s upcoming regulation can make-or-break the GDPR. If done right, this can lead to fair and fast enforcement of the law — helping safeguard the rights of millions. To achieve this goal, the European institutions must put clear deadlines for the resolution of complaints. Our fundamental rights are at stake, it’s outrageous that we’ve had to wait for years for violations to be resolved. Estelle Massé, Europe Legislative Manager and Global Data Protection Lead

Access Now’s new report reflects back on the hurdles and delays faced by people across the European Union as they seek remedy for data protection violations. Access Now has been documenting these challenges in yearly reports over the past five years, calling for stronger enforcement so that companies misusing data face real consequences.

The success of the GDPR depends on whether we will be able to deliver data protection rights and remedies to people in practice. For it, it’s crucial that people be able to defend cases in front of Data Protection Authorities. The opacity and secrecy around case resolution has benefited Big Tech — as they could advance arguments and remain unchallenged — and swept everyday people to the sidelines. Estelle Massé, Europe Legislative Manager and Global Data Protection Lead

Access Now’s report puts forward recommendations to help ensure that the new measures will improve the experience of people as they file data protection complaints and protect their rights, including a detailed process and timeline that Data Protection Authorities should follow for the resolution of cross-borders complaints. Most GDPR complaints should be resolved within a maximum of 10 months. 

The GDPR is already a legislative success: now it needs to become an enforcement success story.