Aligning EU Member States’ Data Privacy Laws and Enforcement Under GDPR

1. March 2023

A long-awaited moment has begun to play out in the EU Commission with an initiative and “call for evidence” (i.e., an open feedback period for interested parties) on “Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation”. Since the inception of the GDPR, member states have enforced and enacted the legislation (as some argue) inconsistently. This initiative is meant to harmonize, or at least streamline, cooperation between the various data protection authorities so that there is equal treatment (but mostly consequences) under the GDPR.

When a company is sanctioned under the GDPR, the enforcement proceedings occur in the member state where the entity’s headquarters is located. Due to the tax incentives in some countries, mainly Ireland and Luxembourg, where most of the world’s largest Big Tech companies are based, i.e., Google, Apple, Meta, and Amazon, companies with global reach and the information of billions of people. In turn, other member states have complained over the years of unequal GDPR enforcement by tax-friendly countries (or lack of enforcement). The other side of the coin is that Big Tech has become the largest lobbying group in Brussels, which may explain why only recently have fines been coming. Yes, Ireland has imposed nine-figure fines; however, some see that as a drop in the bucket. Furthermore, if a violation is committed in Germany by a company headquartered in Ireland, then it is out of the hands of the German DPA and government – this is really what it boils down to every government wants a say in the protection of their citizens and the ability to sanction violators of data privacy laws.

Nonetheless, this is a step in the “right” direction or at least a direction where every company is on equal footing. There is true coordination and cooperation between member states’ authorities regarding GDPR enforcement and, most importantly, securing the rights of individuals living in the EU. This will become extremely political and has a long road ahead, but you have to start somewhere, and I have no doubt in my mind that thousands of submissions will come out of this open call for opinions on the initiative.

I encourage you to read further on this topic and even submit your opinion at the following website. The summary of this by the EU Commission is that “This initiative will streamline cooperation between national data protection authorities when enforcing the General Data Protection Regulation (GDPR) in cross-border cases. To this end, it will harmonize some aspects of the administrative procedure the national data protection authorities apply in cross-border cases. This will support the smooth functioning of the GDPR cooperation and dispute resolution mechanisms.”

Let us hope so because not only have many companies and individuals spent time and money to comply with the rules so they should be on the same footing as companies that can afford to pay lobbyists to protect them. But each of us as individuals should be interested in our data privacy being taken seriously by the companies that profit the most and have some of the most personal data of any entity.

Caspar Miller
Head of Regulatory