GDPR Turns Two: Is It A Success Or A Failure?

The European Union’s much-discussed General Data Protection Regulation (GDPR) turns two later this month. What has its legacy been, and has it overall stood a successful implementation to enhance digital privacy, or has it enormously failed & made privacy worse for EU citizens? Well, a closer look at its influence suggests the latter!

The primary focus of the General Data Protection Regulation (GDPR) framework is all about protecting the rights of individuals to privacy, without compromising their data stored by any organization, state institutions, or utility companies. After deliberation of several years when GDPR came into force, the regulators gave organizations sufficient time (two years) to get compliant. However, the reality was already messier during & after the runway, such as late tax returns, term papers, and so on.

If you are new to the terminology, here are some of our previous articles that you can go through to know more about the “General Data Protection Regulation.”

Is GDPR At The Risk Of Failing?  Well, this stark question is posed by the privacy led browser- Brave. “Things are going extremely bad, the regulation is not being properly implemented, and European Commission needs to investigate the member countries for not equipping the Data Watchdogs with dedicated individuals, tools & other resources.” the recent Brave’s report claims.

With the release of White Paper & Filing of a complaint to the EU Commission, Brave has put down all the potential reasons for the flop of the General Data Protection Regulation. In a crux, “the sole reason why GDPR Is Falling, is because of the National Government’s fewer efforts and not because of Data Protection Authorities (DPAs). The liable institutions are not directing enough funds and resources towards these authorities, which is leading to a big fail in the enforcement of GDPR.” said, Johnny Ryan, Chief Policy & Industry Relations Officer, Brave.

Taking a closer look at their research, it appears the Government is failing to adhere to the policies.

reasons for GDPR Failure

Here are the key reasons for GDPR Failure, as identified in the report conducted by Brave.

1. According to Article 52(4) of GDPR, the National Governments are required to provide regulators with enough resources (both human & financial) to perform their tasks. (This is not happening right now, according to Brave’s research).

2. Robust, adversarial enforcement is quintessential. The regulation must be able to properly investigate ‘big tech’ & retort without the fear of exasperating appeals. However, national governments of European countries have not provided sufficient resources to do so.

3. EU Member State Governments have failed to develop the required tech enforcement capacity to fulfill what GDPR demands.

  • Just six national DPAs (Data Protection Authorities) have more than ten investigators, while seven authorities have only two tech specialists or less.
  • Increases to DPA budgets peaked for 24% in 2019 for the implementations for GDPR. However, now Governments have slowed this allocation process to only 15%
  • The UK’s ICO (Information Commissioner’s Office is the most significant & most expensive DPA, while they only have 3% tech specialists in their staff.
  • The Irish Data Protection Commission is Facebook & Google’s lead authority GDPR regulator in Europe. However, the stats indicate the number of complaints to be only increased in comparison to the budget it has been allotted.
reasons for GDPR Failure -1
Image Source:
  • Estonia’s Government allocated the third-small budget to €750,331 for the enforcement of GDPR.
  • Portugal significantly reduced the budget of its Data Protection Authorities by €203,000. (You can refer to the chart below to see How DPAs Budgets are working in other countries?)
DPA Budget
Image Source:

4. Across Europe, there are only 305 technology specialists working dedicatedly for the DPAs. Half of Europe’s data protection authorities just have an annual budget of less than€5 million.

5. According to the stats, in June 2018, companies self-reported more than 1,700 data breaches & it significantly increased to 36,000 2019, which is huge from the previous annual reporting rate.

6. According to a survey released by law firm DLA Piper, across Europe, nearly 60,000 breaches were reported, just within eight months of GDPR implementation.

7. Worst Data breach cases, which made headlines, were when Ghostery sent out an email informing its community about the changes in their privacy policy. The email appears to be in context with GDPR. However, instead of sending the email to each user, Ghostery sent the messages in bulk & forgets to BCC other recipients. Hence, thousands of mail ids that were meant to be protected got exposed. The result? Violating user privacy policy!

8. A few percentages of tech investigators were found to be dedicatedly involved in the exploration of private sector GDPR issues. Specialists have claimed that the decline in GDPR must be attributed to the EU Governments and not to the data protection authorities.

GDPR Compliance

9. Organizations that fall under privacy legislation should maintain a record of the footprint of personal data they hold on consumers & employees. But only 33% of companies subject to the GDPR and 25% subject to the CCPA (California Consumer Privacy Act) do not track data sharing at all.

10. Germany is the only country doing relatively well when it comes to the enforcement of GDPR. It employs over 29% of all of Europe’s DPA tech specialists. With €58.9 million invested annually, in DPA’s, Germany is leading the way, after the UK with €61.

Over 29% of the EU’s tech specialists are working for Germany’s regional & federal DPAs. Remaining EU Countries are far behind in their contribution towards appointing the tech experts.

11. Data Protection law faces severe hurdles in the digital age & the emergence of Big Data has been the paramount factor. In the era, where the public is enjoying various merits that Internet technology is offering. Simultaneously, they are also dealing with prospective breaches resulting in the loss of the private & confidential data.

For instance, China lacks to follow specific rules & regulations when it comes to user information management. Additionally, they don’t even have an excellent supervision system in the era of Big Data.

12. A lot has been already saying, about how technology is helping in combating the effects of COVID-19. However, France, which is one of the hardest-hit countries, due to the pandemic, is doing exactly which would open the doors for hackers & compromise user’s private data.

The application developed to track the spread of Coronavirus using Bluetooth contact tracing was designed while keeping user data protected, which is safeguarded by Apple’s security feature. However, instead of adapting the application and ensuring privacy, based on Bloomberg report, French authorities have requested Apple to turn off the security features in France. According to French Digital Minster, Cedric O, “We’re asking Apple to lift the technical hurdle to allow us to develop a sovereign European health solution that will be tied with our health system”. Yeah, right!

13. DPAs in Europe issued fines worth €400 million to companies, for violating the rules and regulations. But apparently, none originated in the Republic of Ireland, despite the fact; it had been a hub to several of the world’s biggest tech companies.

14. The biggest fines to date under GDPR have been levied in the UK. It intended to fine British Airways for £183M  & Hotel chain Marriott for £99M data protection infringements.

How Can the Government Save GDPR?

Well, according to the Brave Report, it’s not very late to implement the regulation and take full control over it.

  • The National Government should focus on investing more in specialists’ tech investigators & pay competitive salaries to attract the best talent.
How Can the Government Save GDPR
Image Source:
  • The Government should offer sufficient financial help to DPAs to pursue adversarial enforcement & defend their decisions against legal appeals by Big Tech.
  • The EU Data Protection Board should establish a dedicated Tech Investigative Unit to support DPAs.
  • European Commission should also focus on launching an infringement procedure against member countries that fail to abide by Article 52(4) of the GDPR.
Article 52 of the GDPR
Image Source:

GDPR has been merely public posturing, rather than privacy protection. The regulation is just offering individuals empty promises that their Governments have yet to deliver. In the meantime, other countries could analyze all the potential successes & failures that lie with GDPR. They should start considering how they can adapt most of their effective parameters & avoid problematic ones.

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe Now & Never Miss The Latest Tech Updates!

Enter your e-mail address and click the Subscribe button to receive great content and coupon codes for amazing discounts.

Don't Miss Out. Complete the subscription Now.