Five years after the GDPR, the EU seeks to strengthen its data protection against large technology companies.

The General Data Protection Regulation (GDPR) of the European Union has been in effect for five years, but European authorities consider this system ineffective in addressing personal data breaches by large technology companies. This article will examine the current challenges facing the EU in enforcing the GDPR against companies like Meta, Google, Apple, and Amazon, which have set up their European headquarters in Ireland and Luxembourg. The text will also discuss the EU’s efforts to strengthen the GDPR with a new EU regulation expected in the second quarter of 2023 and to implement EU regulation.

The challenges of GDPR for large technology companies: The GDPR requires organizations to obtain an individual’s consent to collect their data online, under penalty of heavy fines of up to 4% of their global annual revenue (or €20 million) for non-compliance. However, technology companies are supervised by the national regulator of the EU country where they have their headquarters, creating challenges for the consistent application of the GDPR throughout the EU. In addition, large technology companies have significant budgets to influence EU decisions.

Take the example of Meta (formerly Facebook), which has its European headquarters in Ireland. In 2018, the company was involved in the Cambridge Analytica scandal, where data from millions of Facebook users was collected without their knowledge. The Irish Data Protection Commission investigated this violation and imposed a fine of €450,000 on Facebook, the largest possible fine at the time. However, some privacy activists believe this fine was insufficient given the company’s profits. Since then, the European Commission has imposed other significant fines on technology companies, including a €2.4 billion fine on Google in 2017 for abuse of dominant position in search results.

EU efforts to strengthen the GDPR: Last October, European data protection authorities established a list of topics requiring harmonization of national legislation. This list addressed to the European Commission is part of the Vienna Declaration adopted by the EDPB on law enforcement cooperation. A new EU regulation is expected in the second quarter of 2023. It should establish clearer administrative procedure rules for national data protection authorities responsible for cross-border investigations and offenses, and promote better cooperation mechanisms within the European Union. However, the European Commission must face tense discussions with data privacy watchdogs, activists, and lobbyists from large digital companies. Technology companies have already expressed concerns about new regulations, claiming that they could impede innovation and competition. However, privacy activists believe that current rules are insufficient to protect user data. They call for stricter regulations to hold technology companies accountable for their data collection and usage practices.

With European elections scheduled for the spring of 2024, the EU executive has limited time to pass its new text. The European Parliament and the Council of Europe have a few months to negotiate their amendments. If the new regulation is adopted, it could have significant consequences for technology companies operating in Europe. It could also strengthen the EU’s position as a global leader in the protection of personal data.