EU Officials Finally Coming To Terms With The Fact That The GDPR Failed; But Now They Want To Make It Worse
Ever since it came into effect, we've been calling out how the EU's General Data Protection Regulation (GDPR) was an obviously problematic bit of legislation. In the four years since it's gone into effect, we've seen nothing to change that opinion. For users, it's been a total nuisance. Rather than take the big US internet companies down a notch, it's only harmed smaller (often EU-based) internet companies. Multiple studies have shown that it hasn't lived up to any of its promises, and has actually harmed innovation. And don't get me started on how the GDPR has done massive harm to free speech and journalism.
But, for the past four years, within EU policy circles, it has been entirely taboo to even suggest that maybe the EU made a mistake four years ago with the GDPR. Any time we've suggested it, we've received howls of indignation from data protection" folks in the EU, who insist that we're wrong about the GDPR.
However, sooner or later someone had to realize that the emperor had no clothes. And in a surprising move, the first EU official apparently willing to do so is Wojciech Wiewiorowski, the EU's Data Protection Supervisor.
So far, officials at the EU level have put up a dogged defense of what has become one of their best-known rulebooks, including by publicly pushing back against calls to punish Ireland for what activists say is a failure to bring Big Tech's data-hungry practices to heel.
Now, one of the European Union's key voices on data protection regulation is breaking the Brussels taboo of questioning the bloc's flagship law's performance so far.
I think there are parts of the GDPR that definitely have to be adjusted to the future reality," European Data Protection Supervisor Wojciech Wiewiorowski told POLITICO in an interview earlier this month.
Wiewiorowski, who leads the EU's in-house privacy regulator, is gathering data protection decision-makers in Brussels Thursday-Friday to open the debate about the GDPR's failings and lay the groundwork for an inevitable revaluation of the law when the new EU Commission takes office in 2024.
Of course, what's funny is that when that event actually happened, the complaints were not about how maybe the entire approach of the GDPR was wrong, but that the real problem is that the Irish Data Protection Commission wasn't willing to fine Google and Facebook enough.
European Data Protection Supervisor Wojciech Wiewiorowski on Friday said there isn't enough privacy enforcement against tech companies like Meta and Google, hinting at a bigger role for a pan-European" regulator.
In a speech marking the end of a two-day conference designed to scrutinize the EU's flagship privacy code, the General Data Protection Regulation or GDPR, Wiewiorowski said enforcers had so far failed to rein in data protection abuses by big companies.
I also see hopes that certain promises of the GDPR will be better delivered. I myself share views of those who believe we still do not see sufficient enforcement, in particular against Big Tech," he said.
This is really a no, it's the children who are wrong" moment of clarity. The GDPR was sold to the European technocrats as finally" a way to put Google and Facebook in their place. But, in practice, as multiple studies have shown, the two companies have been mostly just fine, and it's a bunch of their competitors that have been wiped out by the onerous compliance costs.
Rather than recognizing that maybe the whole concept behind the GDPR is the problem, they've decided the problem must be the enforcer in Ireland (where most of the US internet companies have their EU headquarters) so the answer must be to move the enforcement to the EU itself.
Basically, the EU expected the GDPR to be a regular tool for slapping fines on American internet companies, and now that this hasn't come to pass, the problem must be with the enforcer not doing its job, rather than the structure of the law itself. That means... it's likely only going to get worse, not better.