How GDPR fails | WIRED

The French data regulator has, in some respects, circumvented the international GDPR process by directly pursuing companies' use of cookies. Contrary to popular belief, annoying cookie pop-ups do not come from GDPR. They are governed by European online privacy law, and the French regulator has taken advantage of this. Marie-Laure Denis, the head of French regulator CNIL, hit Google, Amazon and Facebook with heavy fines for poor cookie practices. Perhaps more importantly, it has forced companies to change their behavior. Google is modifying its cookie banners across Europe following the French enforcement action.

“We’re starting to see really concrete changes in digital ecosystems and an evolution of practices, that’s really what we’re looking for,” explains Denis. She says that the CNIL will next look at the collection of data by mobile applications under the E-Privacy law, and at cloud data transfers under the GDPR. The cookie enforcement effort wasn’t meant to avoid the lengthy GDPR process, but it was more efficient, Denis says. “We still believe in the GDPR enforcement mechanism, but we need to make it work better and faster.”

At the end of the year there were increasing calls to change how GDPR works. “Enforcement should be more centralized for big business,” Viviane Reding, the politician who proposed GDPR in 2012, said of the data law in May last year. The calls came as Europe passed its next two big pieces of digital regulation: the Digital Services Act and the Digital Markets Act. The laws, which focus on competition and internet safety, handle enforcement differently than GDPR; in some cases, the European Commission will investigate Big Tech companies. The move is a nod to the fact that GDPR enforcement may not have been as smooth as politicians would have liked.

There seems to be little appetite to reopen the GDPR itself; however, smaller tweaks could help improve its application. At a recent meeting of data regulators hosted by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to set timelines and deadlines and said they would try to “join forces” on some investigations. Norway’s Judin says the decision is positive but questions its effectiveness in practice.

Massé of Access Now says a small GDPR amendment could significantly address some of today’s biggest enforcement problems. Legislation could ensure that data protection authorities handle complaints in the same way (including using the same forms), explicitly set out how the one-stop shop works and ensure that procedures in each country are the same, Massé said. In short, it could clarify how GDPR enforcement should be handled by each country.

The view is also shared by data regulators, at least to some extent. Denis, from France, says regulators should share more information, more quickly, about cross-border cases so they can build an informal consensus around a potential decision. “The Commission could also, for example, examine the resources given to data protection authorities,” explains Denis. “Because it is the obligation of a Member State to give sufficient resources to data protection authorities to carry out their functions.” The personnel and resources that regulators have to investigate and enforce are dwarfed by those of Big Tech.

“Potentially, if there was the possibility of some sort of GDPR-specific instrument – being a legal instrument – that would clarify certain process and procedural issues, that could help,” says Dixon from Ireland. She adds that complications that could be ironed out include problems with access to records during investigations, whether people making complaints have access to the investigation process, and translation issues. “There’s a whole host of inconsistencies around this, which is causing delays and dissatisfaction on all sides,” Dixon says.

Without some changes, and strict enforcement, civil society groups warn that GDPR may not stop Big Tech companies’ worst practices and improve people’s sense of privacy. “The immediate thing to tackle is Big Tech companies,” Ryan says. “If we can’t deal with Big Tech, we’ll create a permanence to the fatalism people feel about privacy and data.” Four years later, Massé says she still has hope for GDPR enforcement. “It’s really not what we were hoping for. But it’s also not a place where I think we can start digging a grave for GDPR and forget about it.”
