Five years and almost €4 billion worth of fines stemming from tougher privacy enforcement and the European Union is still asking if it is doing enough to protect personal data.
Social media giant Meta was the latest to face a big penalty when Ireland’s privacy watchdog fined it a record €1.2 billion euros for privacy violations under the European Union’s General Data Protection Regulation (GDPR).
The blockbuster levy hits at the heart of the technology sector’s ability to transfer data across the Atlantic and orders the company to stop moving Europeans’ data to the United States until Washington provides sufficient checks to keep such personal information safe.
The law, which came into force on May 25, 2018, has prompted businesses — from big tech giants to hotel chains, mobile phone companies and startups — to tighten privacy policies. Many have cleaned house on how they handled people’s personal data, aided by the prospect of being fined up to four percent of annual turnover.
Helen Dixon, the Irish Data Protection Commissioner, whose agency oversees many of Silicon Valley’s biggest names because these firms are headquartered in Ireland, said, “I think the DPC really has hit its stride now.”
Yet the decision also lays bare what almost everyone now admits: Europe’s efforts to set the West’s de facto privacy standard have major shortcomings, with watch dogs continuously fighting over who has the final say over how Meta, Google, TikTok and other tech firms access Europeans’ data.
In a statement following the decision, the Irish regulator said it disagreed with the fine and measure, but it had been forced by its European peers to impose them after Dublin’s initial decision was challenged by four other privacy regulators.
Enforcement hinges on regulators’ ability to impose such fines. And that’s where the privacy regime has sputtered.
Under Europe’s privacy regime, companies are supervised by national regulators where they have their EU legal headquarters. That means Ireland and Luxembourg — whose low tax rates have attracted many big tech firms’ European headquarters — hold the lion’s share of enforcement powers. Ireland, in particular, relies heavily on corporate tax revenue from a small number of tech giants.
Max Schrems, the Austrian privacy activist whose decade-old case against Facebook led to the record privacy fine, said, “the GDPR gave the authorities these vast powers for very serious enforcement but then in practice, we do not see that the powers are actually used by the authorities.”
If other European privacy watchdogs disagree with how these agencies enforce GDPR, there is a complex and opaque mechanism to reach a European consensus. After five years of infighting, some of the EU’s privacy authorities are now at open war with each other.
Sources: Politico
