Europe’s Data Law Is Broken, Departing Privacy Chief Warns

The European Union’s “GDPR” privacy law suffers from ``massive flaws’’ and endless infighting, according to one of the bloc’s top regulators.

The General Data Protection Regulation -- put in motion with great fanfare three years ago -- promised multibillion-euro fines for global companies and faster action to solve 21st century problems. But in reality, it’s sparked clashes between watchdogs and delays to probes, said Johannes Caspar, who’s about to step down as head of the Hamburg data protection commission after 12 years.

Tensions over GDPR have been welling up from the start. Overnight, the Irish Data Protection Commission was transformed into the leading EU supervisor for the Silicon Valley giants with regional hubs in the nation, such as Apple Inc. and Facebook Inc. With 28 Irish probes into tech firms pending and no immediate decision in sight, the authority has faced a barrage of criticism accusing it of being too slow and too soft.

Europe’s Data Law Is Broken, Departing Privacy Chief Warns

“The basic model of the procedure set up by GDPR has massive flaws and it just can’t work,” Caspar said. “You can’t accept this in the long term. The problem is what use are these laws to the people if they’re not being applied?”

The 59-year-old German, who returns to academia after June 28, has earned a reputation as one of the EU’s toughest regulators. He first made his mark in 2010 with his criticism of Google’s Street View rollout and more recently he slapped a local Hennes & Mauritz AB unit with a 35.3 million-euro ($42 million) penalty for snooping on staff, a probe that was opened and shut in less than a year.

One of the faults in the GDPR system, he points out, is the way it gives regulators “lots of room for interpretation” of the rules. ``At the end of the day, our energies are spent on infighting.”

A key feature of the law is the so-called one-stop-shop system that puts the authority in the country where a company has its EU base in charge of them. But this, too, has led to tensions. A dispute between Facebook and the Belgian watchdog over their powers to enforce an order against the social media giant ended up in the EU’s top court, which ruled this month that other watchdogs can still weigh in on some cases.


Another complication is that probes into possible violations with an EU-wide effect can’t be concluded by the lead authority alone. Colleagues from across the bloc need to sign off on decisions.

Helen Dixon, Ireland’s data protection commissioner, was trapped in this process when she wanted to finalize her first Big Tech probe, concerning Twitter Inc. She has called criticisms over delays by her agency “ludicrous.”

“The idea that 30 data protection authorities decide on cases through consensus and cooperation” means “we get lost in side issues,” Caspar said.

Last month, he imposed a three-month banning order on Facebook to stop it collecting German users’ data from its WhatsApp unit.

“This is an important case for the future of EU data protection supervision,” Caspar said. The EU body of data protection regulators “could -- and this is what we’re asking -- extend the measures beyond the three months and impose the same measures across Europe.” 

Leaving too much control in the hands of the lead authorities, such as deciding on when to open a probe and what the scope of the investigation should be without much room for input from others, creates tensions, he said.

“For me this is why such a system can’t work,” he said. “Authorities have to work fast and effectively to be able to give clearly deterring signs that certain behaviors are not OK. If that doesn’t happen, law and reality are at odds.”

©2021 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.