The European General Data Protection Regulation (GDPR) is “not sufficiently enforced” against tech giants, said Friday the European Data Protection Supervisor (EDPS), Wojciech Wiewiorowski. At a conference in Brussels on “the future of data protection”, the official lamented that “too often, the GDPR imposes constraints on small entities but spares the big ones”. He also pointed out that “individuals wait for years to get justice, even in small and simple cases.” Mr. Wiewiorowski questioned an “unequal distribution of effort” between European countries to enforce the GDPR. The regulation, which came into force in May 2018, set up a “one-stop shop” system that defines as the “lead” authority the one in the country where the company’s main establishment is located. This puts the Irish regulator in the front line – digital giants such as Meta, Google or Twitter having established their European headquarters there -, and also Luxembourg, where Amazon is based.

The European supervisor wondered whether it was “optimal to expect results from one or two (national) authorities while the others are less involved”. He said he was “convinced (…) that at some point a pan-European model of data protection enforcement will be a necessary step”. “Such a model would not only alleviate the problem of uneven distribution of responsibilities, but also ensure real consistency of data protection law across the EU,” he said, suggesting that “key investigations” into the most important cross-border cases “could be conducted at a central level.

The largest fine for non-compliance with the GDPR so far is the €746 million fine imposed on Amazon in 2021 by the Luxembourg regulator. The second is the €225 million fine against WhatsApp by the Irish Data Protection Commission (CPC) in August 2021. Appeals have been filed against these decisions.