European Union to Propose New Rules to Streamline GDPR Enforcement
The European Union has announced that new rules will be written by the summer to streamline cross-border cooperation and improve how compliance with the GDPR is enforced. It has been 7 years since the GDPR was adopted and 5 years since the GDPR took effect and compliance has been enforced. Since May 25, 2018, €2,754,762,462 in financial penalties have been imposed to address noncompliance with the GDPR, but privacy advocates and data protection commissions have been expressing their frustration about enforcement, especially enforcement actions against big tech firms that continue to violate the GDPR.
A great deal of criticism has been directed at the Irish Data Protection Commission (DPC). Under the one-stop-shop mechanism of the GDPR, Ireland is the lead data protection agency in many investigations and enforcement actions against big tech firms. Tech firms such as Meta, Apple, Twitter, and Google all have their EU bases in Ireland, which makes the DPC responsible for investigating complaints and enforcement. The DPC has been accused of failing to take action over complaints, conducting extremely slow investigations, and being particularly lenient in its enforcement actions.
In 2021, Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties (ICCL), told an Oireachtas Joint Committee on Justice that the DPC had failed to resolve 98% of complaints about GDPR violations, and said Ireland has become a bottleneck of GDPR investigation and enforcement. It took until December 2020 before the DPC fined the first big tech firm in a cross-border case, following almost two years of investigation. The fine was for Twitter over a data breach that exposed user information. Ireland has since imposed penalties in response to long-running investigations of Meta companies, has imposed multi-million-dollar fines, and has been attempting to deal with the bottleneck. While it is easy to single Ireland out, Luxembourg has faced similar criticism over the lax enforcement of GDPR, specifically concerning Amazon, which has its EU headquarters in the country.
Other countries are naturally impacted by the GDPR violations of big tech firms, and the apparent lack of action and the slow investigative process have led some data protection authorities to try to bypass Ireland to hold big tech firms to account and get them to stop their GDPR-infringing practices, undermining the one-stop-shop mechanism of the GDPR.
The EU is now taking action and has promised to produce a clear set of rules in Q2 for dealing with cross-border complaints and investigations, which the EU says will harmonize some aspects of the administrative procedure to “support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms.” The EU has also issued a call for evidence and will be accepting feedback until midnight (Brussels) on March 24, 2023. It will take the feedback into account when further developing and fine-tuning the rules under this new initiative.