Skip to main content

GDPR Enforcement: Is the Pandora’s Box of Infighting Between Lobbies and Regulators been Opened?

GDPR Enforcement: Is the Pandora’s Box of Infighting Between Lobbies and Regulators been Opened?


GDPR Enforcement: Is the Pandora’s Box of Infighting Between Lobbies and Regulators been Opened?

May 16 2023

The European Commission is set to propose a new law aimed at bolstering how EU countries enforce GDPR, opening a Pandora’s box of infighting between lobbies and regulators.

The GDPR has become a powerful example of the so-called Brussels effect, inspiring similar privacy-protecting laws in numerous jurisdictions and highlighting widespread unease among consumers about companies “watching” their behaviour and targeting ads.

DPAs and the “one-stop shop” rule

Adopted in 2016, the GDPR was a watershed moment in global tech regulation, forcing companies to abide by new standards, such as asking for consent to collect people’s data online against threats of hefty fines. These infringements could result in a fine of up to €20 million or 4% of the company’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

In practice, the determination of national data protection authorities to issue fines is tied to their resources, which in most cases, are limited. The Irish Data Protection Authority plays a crucial role under the so-called “one-stop shop” rule. This one-stop shop for organizations established in the European Union and carrying out cross-border processing of personal data allows your organization to deal with a single lead supervisory authority for most of your processing activities.

This rule hugely implicates Ireland because technology companies like Meta, Google, and Apple have established their European headquarters there. Under the GDPR, technology companies are supervised by the national regulator of the EU country where they are headquartered. The Irish Data Protection Commissioner is crucial in enforcing the EU’s General Data Protection Regulation. In recent months, the Irish authority has imposed significant multi-million-euro fines for GDPR violations by Meta, the parent company of Instagram and Facebook.

Finally, large tech companies have been mostly successful in complying, while smaller tech companies face high compliance costs. The mixed record of the GDPR has convinced European regulators that they need to rethink how their regulations are applied. 

New law to solve enforcement flaws of the GDPR

Last year, European data protection authorities pledged to strengthen their cooperation in handling cases of strategic importance. In October, the European Data Protection Committee sent the Commission a “wish list” of procedural law changes to improve the application of the regulation. These include setting deadlines for the different procedural steps in handling a case and harmonizing the rights of the various parties involved in investigations throughout the EU.

A new EU regulation wants to establish clear procedural rules for national data protection authorities dealing with cross-border investigations and breaches. According to the European Commission, the law will “harmonize certain aspects of administrative procedure” in cross-border cases and “support the smooth functioning of the GDPR’s cooperation and dispute resolution mechanisms.”

The Commission wants to keep future regulations focused and limited, partly because it is preparing for tense discussions with data privacy watchdogs, activists, and lobbyists for large technology companies. 

Key elements of the initiative include:

  • Clarifying procedural deadlines for cooperation between supervisory authorities in cross-border cases;
  • Providing tools for supervisors to promote cooperation early in the investigation process;
  • Clarifying the position of complainants in the investigation process, including the possibility for complainants to make their views known;
  • Streamlining the manner in which the parties under investigation are heard during the process; and
  • Clarifying how information is shared between the investigating supervisor and other supervisory authorities at different stages of the procedure.
Useful Link

MyData-TRUST: Your GDPR Compliance Partner

MyData-TRUST was created over five years ago to assist organizations in the healthcare sector with their compliance with the various international regulations on personal data protection, particularly the General Data Protection Regulation (GDPR).

MyData-TRUST helps organizations define strategies and procedures to properly manage their data (data governance) through various adaptable services, including Gap analysis, legal support, DPO and DPR subscriptions, or training options.

Victoria Derumier

Data Protection Coordinator

Anastassia Negrouk

Anastassia Negrouk

Chief Operating Officer

Lets Get in Touch

Contact us