5 Years of the GDPR: National Authorities let down European Legislator

23 May 2023

85% of noyb cases not decided.

On 25 May 2018, the GDPR came into force. While the contents of EU data protection rules stayed largely the same, the alleged big change was the GDPR's strict enforcement. 5 years later, national authorities and courts largely leave the European legislator in the lurch – despite a budget of more than €330 million in 2022.

noyb provides the following resources on the 5 year anniversary:

Meta € 1.2 billion fine is an example of enforcement not working. While a € 1.2 billion fine (that was strategically delayed until the week of the “five years of the GDPR”) may grab headlines, it is actually reflective of enforcement not working. Not only did it take more than ten years for the DPC to reach a first decision (which will now be appealed), the case also required Max Schrems to engage in three sets of litigation against the Irish DPC to force it to do its job. This included the Court of Justice of the EU (CJEU) and the EDPB telling the Irish DPC three times to effectively handle the case. The cost of this litigation is estimated at more than € 10 million.

Clash of EU legislation with national practice. The GDPR was passed in the European Parliament with a 96% majority, and everyone but one Member State supported the law. However, national legislators and national practice hit soon thereafter. Almost every Member State has some procedural trick or issue to undermine the GDPR. This ranges from adding concepts like a “threshold” for privacy violations to taking the view that “handling” a complaint may also mean just trashing it. Other examples include the authorities in France or Sweden taking the view that a complainant is not a party to their own procedure, while in Poland the authority requires that you travel to Warsaw to take cell phone pictures of your file. We have curated an overview in our “GDPR Trap Map” to show some of the traps that average citizens end up in.

Max Schrems, chair of noyb.eu: “The GDPR had very strong political backing. Five years into the GDPR, we see a lot of resistance by authorities and courts to enforce the law. The legislator has spoken, but the national courts and authorities constantly find new ways not to listen. It often feels like there is more energy spent in undermining the GDPR than in complying with it. While companies know that Ireland is the ‘go to’ jurisdiction for non-enforcement, there is hardly a ‘go to’ jurisdiction for citizens, as there are enforcement issues in basically all Member States.”

Systematic delays. While an exceptional fine grabs international headlines, noyb’s much larger database of cases shows that Data Protection Authorities (DPAs) largely do not enforce the GDPR in due time. Of the more than 800 cases that noyb has filed in the past year, 85.9% are not decided and more than 58% have been waiting for a decision for more than 18 months. The GDPR, however, requires companies to comply with requests within one month, and national laws often require decisions within 3-6 months.

Max Schrems: “In many jurisdictions you get a decision after two years at best – that is if you ever get a decision. The practice is simply miles away from the intention of the legislator to have a free and easy way to complain. We waste most of our time chasing case managers, files and authorities.”

Lack of proper procedures and legal decisions. In addition to long delays, cases that were closed were largely settled or withdrawn by the parties (roughly 6% in noyb’s case) or there was some other outcome (3.4%), like the company leaving the EU market. In only 3.9% of all cases, there was a legal determination by the DPA.

Max Schrems: “Many authorities try everything to avoid a decision. They often just ‘close’ cases without a decision or negotiate with the companies, begging them to be so nice as to comply with the law. There is hardly a straightforward penalty for a straightforward violation of the law.”

Companies learned to ignore the GDPR. While the industry had initially thrown a tantrum about the GDPR and its high fines, the past years have shown that this deterring effect has quickly washed off. The reality shows that the legislator was unable to simply legislate an enforcement culture. The GDPR has often become a mere paper tiger.

Max Schrems: “Reality has shown that the EU was unable to legislate an ‘enforcement culture’. The more aggressive companies have quickly understood that consequences largely only exist on paper and continued with their business models. Behind closed doors, companies are very open about the fact that they don’t fear the authorities at all. It is mainly the already reasonable companies that invested in compliance.”

Call for harmonization and enforcement. As we mark the 5th anniversary of the GDPR, we urgently need the authorities to switch gears and move towards a serious enforcement culture. This could also be aided by the European Commission’s idea to pass an EU procedural regulation. However, such a legislative fix would need to be comprehensive to overcome the many issues in current procedures. Many member states can also improve their procedures. We listed the most common problems in specific countries: Austria, Belgium, France, Germany, Greece (EN/GR), Ireland, Italy, Luxembourg, Netherlands (EN/NL), Poland and Spain.

Max Schrems: “After five years, the time for guidance and grace periods is clearly over. If there is no general deterrence, the authorities likely lose control over the situation again. The European Commission proposed a new regulation to fix procedural issues. Clear procedural rules are a good idea, but need to be comprehensive to actually fix the problem.”

Civil action required & Collective Redress. In 2023 alone, nearly €2 billion in fines were imposed on Meta as a result of noyb's diligent efforts and legal actions, making civil action more relevant than ever. With the imminent introduction of the EU Collective Redress Directive, users will have the opportunity to group their litigation efforts through joint 'class action' lawsuits. This approach not only circumvents the reliance on DPAs, but also possesses the potential for a more impactful deterrent effect than GDPR fines that are largely theoretical.