The GDPR two years on: “Time for the EU to go after privacy violations by big tech”

  • Two years after it was passed, the European Commission today published a report titled “Two years of the GDPR: Questions and answers”—and the feedback is mixed.

  • In a new position paper, DIGITAL SME calls for a stronger “European-mindedness” of national data protection authorities (DPAs) and suggests the establishment of a centralised European DPA

  • One of the intended consequences of the GDPR was to curb tech giants’ exploitation of personal data, but the “one-size-fits-all” nature of the regulation has created massive burdens for SMEs

Brussels, 10 June (DIGITAL SME). The General Data Protection Regulation (GDPR) is a blessing and a curse. On one hand, it established a new global standard for the protection of personal and private data and spurred innovation by European enterprises in this sector. On the other, it sowed massive uncertainty about compliance, especially among those of us who do not have a fully staffed legal department at our disposal—i.e. a large majority of individuals and businesses.

Stronger EU oversight in data protection instead of “one-size-fits-all”

In a new position paper, DIGITAL SME calls for a stronger “European-mindedness” of national data protection authorities (DPAs) and suggests the establishment of a centralised European DPA. “It is time to go after privacy violations by big tech! We need stronger EU oversight in data protection enforcement”, said DIGITAL SME President Dr Oliver Grün upon the publication of the position paper. “Europe cannot allow global tech giants to choose a national DPA of their preference and handle all their cases there”.

Ironically, curbing those tech giants’ exploitation of personal data for profit was one of the reasons why the GDPR was originally created. Today, it seems like these global platforms have no issue with the regulation, whereas its “one-size-fits-all” approach to privacy has cost smaller businesses and organisations considerable efforts—and potentially hindered innovation. On the other hand, it created a new market for some enterprises who seized the opportunity to innovate and offer GDPR-compliant IT solutions.

Reviewing two years of GDPR

Two years after its entry into force, the European Commission has today published the long-awaited “Report on the application of the General Data Protection Regulation”. In the report, the Commission included feedback by the “multistakeholder expert group to support the application of Regulation (EU) 2016/679 (E03537)”. SME members of the expert group lamented overwhelming implications of the regulation on their business processes: “Many SMEs mention they had to seek advice from external consultants to understand the rules and set up systems to comply with the GDPR […] and that they usually lack the necessary human and economic resources to implement the obligations in GDPR.”

The Commission’s report might lead to updates or amendments to the GDPR based on feedback by the multistakeholder expert group. DIGITAL SME calls on the European Commission to consider smaller business needs in a possible review of the regulation. The GDPR should incentivise—not hinder—innovation. Stronger national DPAs or a centralised European DPA could help bring the reality of the regulation closer to its original intentions: Guaranteeing European citizens’ privacy while promoting a safe foundation for the growth of its data economy.

Read the full position paper here