Since introducing the groundbreaking General Data Protection Regulation in 2016, the EU has enacted several pieces of legislation to bolster privacy rights. However, the enforcement of these rules have led to conflicts between the EU and its member states; the EU is trying to streamline this with new legislation. The article looks into how EU's legislation is entailing a more centralized enforcement from Brussels.
The EU is striving to centralize its data regime by introducing a comprehensive framework that ensures more supranational oversight. Since introducing the groundbreaking General Data Protection Regulation in 2016 (GDPR), EU regulators have enacted policies bolstering privacy rights and economic competition. Historically, however, enforcement has been conducted on a national level unilaterally. This has allowed foreign tech companies to benefit from uneven enforcement practices. Within the last two years, however, the EU has taken measures to change this and has become a more active participant in ensuring privacy rights compliance. In May, the EU’s European Data Protection Board (EDPB) compelled Irish regulators to issue a historic fine on Meta, in July the EU Commission proposed new universal standards of GDPR enforcement, and in September a fresh data policy will go into effect. These measures indicate a more centralized approach from Brussels regarding policy enforcement.
Although the EU established a supervisory body, the EDPB, to ensure compliance, member states hold primary responsibility at the national level for data regulation. Ireland has emerged as a major example of the tension between the two. In recent years the Irish Data Protection Committee (DPC) has been criticized for being relatively lax on GDPR enforcement. Ireland’s tolerance has been problematic for other EU member states, who complain that US tech companies, most of which are incorporated in Ireland, violate their citizens' GDPR protections. Other member states view the situation as unfair, as Ireland benefits tremendously from foreign tech sector investment in ways other European states do not. In 2018, the DPC launched an inquiry against Meta at the behest of its European counterparts. Following a multi-year investigation, the DPC issued a light fine against Meta and claimed they were mostly in compliance with GDPR. Following protests from ten other member states, the EDPB stepped in to compel the DPC to impose stricter penalties on Meta. Consequently, the DPC issued a €380 million fine in January 2023 followed by a whopping €1.2 billion in May. Additionally, Meta must suspend data transfers to the US within the next 5 months.
Serious consequences for violating EU data policy are not new and other member states have been more vigorous in their application. In 2021, the Luxembourg National Commission for Data Protection imposed a €746 million fine on Amazon. The tolerance American companies enjoyed is ending as the EU trends toward a more centralized and equitable enforcement structure.
In July of 2023, the EU proposed new legislation on how GDPR standards can be enforced. As it stands now, the regulators share their findings with other member states upon the conclusion of their investigations. This new policy would make investigations into companies more collaborative from the onset. In practice, this means investigations would be done with international consultation, expediting the compliance process. This policy was proposed in direct response to the controversy surrounding Irish regulators and Meta; the DPC investigation concluded 4 years after initial complaints were levied.
Beyond increased enforcement of GDPR, Europe’s data strategy is evolving to promote increased transparency for its citizens. In September 2023, the Data Governance Act (DGA) will enter into force. While the DGA functions as a method to regulate commercial data transfers between businesses within the EU, it also doubles down on privacy rights afforded to EU citizens. The DGA falls in line with the larger European strategy for data – a set of standards adopted by the European Commission to promote transparency, competition, and accountability. The DGA is complemented by the proposed EU Data Act, which would enable users to specify with whom they share data, removing the proprietary access to user data big tech companies have enjoyed over the last decade. In theory, the new policies will create a transparent infrastructure for data-generating institutions to offer resources to other companies while setting firm rules for how data can be processed, transferred, and stored.
European regulators are seeing data more as a shared resource that enterprises could utilize, while also addressing ethical concerns. Recent economic policies are important when contextualizing how privacy fits into a larger EU data framework. The DGA and Data Act are in line with a greater move to centralize the data market, introducing more direct oversight through establishing standardized data practices.
As a result of this increasing centralization of oversight in Brussels, many American-based tech companies have turned to the Biden administration to act on their behalf. Data policy has long been one of the most complex issues EU and US policymakers grapple with, as the fundamental legal standards differ between Europe and the US. Over the last few years, there have been various attempts to establish a deal.
In October of 2022, the Biden administration signed an executive order which created a judicial procedure for European users to “seek redress if they believe their personal data was collected through U.S signals intelligence in a manner that violated applicable U.S. Law.” Most recently, in July 2023 the Biden administration and EU Commission finalized a new deal on data transfers. The framework claims to bolster privacy rights within the US, stating that intelligence agencies will only conduct surveillance on a “proportional” level. This plan still needs to be implemented, with privacy groups in the EU announcing the intention to challenge it.
As far as the EU is concerned, the United States' data protection framework needs to provide EU citizens with specific guarantees of privacy protection. US companies must come to terms with enhanced enforcement of an ever-evolving EU data regime, changing how they can handle data. For most European states, this increasingly centralized approach, spearheaded by Brussels, will be seen as positive – a way to ensure their citizens’ rights are protected. The EU has made it clear that data policy is a Union-wide issue as opposed to a national one. By bringing policy under a centralized EU system, the EU will aim not only to streamline policy decision-making, but also promote EU economic productivity.
The Global Europe Program is focused on Europe’s capabilities, and how it engages on critical global issues. We investigate European approaches to critical global issues. We examine Europe’s relations with Russia and Eurasia, China and the Indo-Pacific, the Middle East and Africa. Our initiatives include “Ukraine in Europe”—an examination of what it will take to make Ukraine’s European future a reality. But we also examine the role of NATO, the European Union and the OSCE, Europe’s energy security, transatlantic trade disputes, and challenges to democracy. The Global Europe Program’s staff, scholars-in-residence, and Global Fellows participate in seminars, policy study groups, and international conferences to provide analytical recommendations to policy makers and the media. Read more
