As GDPR turns two, some are doubting the Irish Data Protection Commission's ability to...

nanoguy

In brief: As Europe's infamous General Data Privacy Regulation (GDPR) turns two, privacy advocates are expressing concerns that it hasn't had the effects that were promised by the European Commission. With investigations progressing too slowly under the supervision of an underfunded Irish agency, some are beginning to question the flaws of this approach.

It's been two years since the European Union's General Data Privacy Regulation (GDPR) went into effect, with sweeping changes to how companies are able to handle customer data. It's also inspired similar rules that were adopted in the US, such as California's Consumer Privacy Act.

The idea behind the far-reaching regulation was that companies needed to be held responsible for violating the privacy of their users, failing to protect their personal data, or misusing it in any way. The big promise was that the Irish Data Protection Commission -- the institution tasked with enforcing GDPR -- would otherwise hand out fines of up to €20 million ($21.8 million) or four percent of a company's revenue for the previous financial year, whichever was greater.

However, not everyone is happy with how things have been moving since. Industry watchers and privacy advocates like Max Schrems are worried that the pace of probes into big companies like Facebook and Google has been slow, with "highly inefficient and partly Kafkaesque" investigations that did little to move the needle.

In an open letter sent to the European Commission, Schrems mentioned unaddressed complaints about the way companies like Facebook and its subsidiaries WhatsApp and Instagram rely on a "consent bypass" to allow themselves free rein over users' personal data.

Schrems is also disappointed that after thousands of complaints targeting companies big and small, the Irish privacy regulator took pride in making one or two small steps in what looks like a long legal battle, while hardly slapping any fines on companies that were found to be violating GDPR with their ad tech.

For instance, the largest fine for GDPR violations hit Google in France to the tune of $57 million. But even in the case of the search giant, the developers of the Brave browser found that it was using "hidden pages" to circumvent GDPR protections, more than a year after its complaint was dismissed by Google as baseless.


 
My take from this article is that the GDPR Irish Data Protection Commission isn't applying huge fines on American companies as fast as possible. This shouldn't be a surprise to anyone.
 
Meh, I still find this law amusing, especially the provision that they can fine an American company with only American servers for gathering EU users' data without consent. The whole thing is laughable. I know the bigger guys aren't who I'm talking about, but the GDPR law says if I host a web forum and euro IPs sign up I'm not allowed to collect data without consent; not sure how they'd plan to enforce it against someone like that ignoring them and their requests.
 
They created policy with very little funding and infrastructure to see the whole process through in real-world application?

Crazy, that’s never happened before.
 
Nearly every website I open displays a pop-up asking me for my consent. The easiest option is to just click YES and get into the website. It's a pain to say No and have to go through all the tick boxes to turn different things off.

I think this is a major weakness of the whole GDPR. It should be default for it all to be turned off and give me the option to go in and turn the various options on - most people won't bother with that.

So basically, all GDPR has done is forced me to click an annoying button before opening the website. There is no change in the data that is being collected on me. It feels like this is not in the spirit of GDPR but it's what all the websites are doing and getting away with.