How GDPR Is Failing

The French data regulator has sidestepped the international process by directly pursuing companies that use cookies. The EU's separate E-Privacy law has allowed the French to take advantage of annoying cookie pop-ups. The head of French regulators has hit several companies with fines for bad cookie practices. It has forced companies to change their behavior. Following the enforcement of the French law, Google is changing its cookie banners across Europe.

Denis says that they are starting to see concrete changes to the digital ecosystems and evolution of practices. She explains that the E-Privacy law will be looked at by the CNIL. Denis says that the cookie enforcement effort was more efficient than the enforcement mechanism.

In the last year, there have been calls to change how the law works. The Digital Services Act and the Digital Markets Act were passed by Europe. The European Commission will investigate Big Tech companies if the laws focus on competition and internet safety. It's a nod to the fact that enforcement may have been a little too smooth.

Smaller changes could help improve enforcement. At a recent meeting of data regulators held by the European Data Protection Board, a body that exists to guide regulators, countries agreed that some international cases will work to fixed deadlines and timelines. The move is positive, but how effective it will be in practice is questionable.

Some of the biggest current enforcement problems could be addressed by a small amendment to the law. Legislation could make sure that data protection authorities handle complaints in the same way, that they clearly state how the one-stop-shop should work, and that procedures in individual countries are the same. It could clarify how the law should be handled in each country.

The view is shared by data regulators. Denis says regulators should share more information, more quickly, on cross-border cases so they can build up an informal consensus around a potential decision.

If there was a legal instrument specific to theGDPR that would specify certain process and procedural issues, that might assist, Ireland There are a lot of inconsistencies around that, which could be fixed.

Civil society groups warn that the best practices of Big Tech companies could not be stopped without some changes. It's not in a place where we can start digging a grave for theGDPR and forget about it.