|
|
For the EU, this is a significant moment. Effective GDPR enforcement stands, together with the implementation of the Digital Services Act (DSA) and Digital Markets Act (DMA), as critical tests of the EU’s capacity to rein in Big Tech’s most abusive and socially damaging practices. Therefore, in responding to Meta’s latest challenge, the EU must focus on three things:
GDPR, why high hopes and so few results?
When GDPR was passed in 2016, it was expected to rein in Big Tech’s ‘surveillance capitalist’ model after a host of scandals and guarantee data privacy in Europe. Now, just shy of the fifth anniversary of its implementation, it is clear that GDPR has unfortunately not delivered on its promise.
A significant problem has been a lack of enforcement. To reduce administrative burden, the regulation established a 'one-stop-shop mechanism' entrusting enforcement to national Data Protection Authorities (DPAs). However, what was initially meant to ensure swift enforcement quickly became a significant obstacle to effective privacy protection.
Most tech conglomerates such as Meta, Alphabet, Microsoft, and X (formerly known as Twitter) have European headquarters in Ireland for tax reasons. Therefore, the Irish Data Protection Commission has had the frontline job of ensuring that the GDPR rules are being complied with.
This has not always been a successful undertaking for the Dublin regulator. In the case of Facebook and Instagram, it has - despite several complaints – ostensibly held the position that Meta’s subsidiaries are essentially acting within EU law, a view forcefully challenged by other national regulators. Eventually, this led to a damning overruling of the Irish DPA by the European Data Protection Board (EDPB) earlier this year....
more at EPC