Out-Law Analysis
25 May 2023, 7:28 am
The introduction of the General Data Protection Regulation (GDPR) into EU law raised the stakes for businesses in terms of their data protection law compliance. Today, the impact of giving data protection authorities tougher enforcement powers is evident.
Before 25 May 2018, a finding of non-compliance with data protection legislation was more of a reputational issue for businesses than a financial one, with modest limits placed on the fines data protection authorities could levy under the previous regime. Five years on, the total value of fines issued under the GDPR is now thought to exceed €4 billion, following the announcement of the record €1.2 billion fine issued against Meta Ireland by the Irish Data Protection Commission (DPC) earlier this week – a penalty that topped the €746 million fine imposed on Amazon by Luxembourg’s data protection authority in 2021.
Under the GDPR, though, it is not just the enforcement powers that have changed – the entire mechanism for cross-border enforcement of data protection law in the EU changed too.
Previously, businesses could be required to engage with data protection authorities (DPAs) in each EU country over a single issue having cross-border impact. It meant potentially having to respond to multiple investigations progressing at different speeds and with varied requests for information or documents, with often stark differences between the conclusions reached and decisions taken on enforcement action.
While national DPAs retain competency for investigating issues in their own jurisdiction, the consistency mechanism introduced under the GDPR has altered the way cross-border cases are handled. In such cases, one national DPA – that of the country in which a business has its ‘main establishment’ in the EU – takes the lead on cross-border enforcement action. For businesses, this has reduced complexity and administrative burdens, but the system is far from perfect.
Under the consistency mechanism, while the lead supervisory authority is responsible for leading cross-border investigations and coming to provisional findings, DPAs in other EU countries have a right to input. They can raise ‘relevant and reasoned’ objections to the lead authority’s draft findings. Where consensus cannot be reached on the findings or action to take in relation to them, cases are referred to the European Data Protection Board (EDPB) for a binding decision.
Since the introduction of the GDPR, there have been several high-profile cases that have been through the ‘Article 65’ process – for example, the EDPB has intervened in matters concerning Twitter, WhatsApp and now Facebook. At the centre of those cases was Ireland’s DPC, reflecting its role as the lead supervisory authority for the businesses in question. Data it has published reveals the full scale of its cross-border-related workload since the GDPR took effect.
In its latest annual report, the DPC said that, in the course of the prior 12 months, it had concluded 245 cases in which it considered data protection complaints of a cross-border nature. In a special report published in 2022, it said that, at that point, it had handled 969 cross-border cases since the GDPR had taken effect – 588 of which had stemmed from complaints raised in other EU member states. The increased demand for its resources has been matched with a doubling of the DPC’s budget in the five years of the GDPR – from €11.7m in 2018 to €23.2m in 2022.
As much as the data protection enforcement landscape has shifted since 25 May 2018, further change is anticipated in the months and years ahead.
There remain significant differences between the approach national DPAs in the EU take to GDPR enforcement, the priorities they pursue, and the way core provisions of the legislation are interpreted. Last year, the EDPB said that national DPAs had agreed measures aimed at addressing this.
According to the EDPB, national DPAs committed to sharing details on national enforcement strategies and to seek to agree annual enforcement priorities at EDPB level that can then feed into national programmes.
Joint investigations are also among the enhanced cooperation measures envisaged by the EDPB for enforcing major issues of data protection law that affect citizens across the continent.
This year, things took a further step forward when the European Commission set out its plans to “streamline” how cross-border cases are enforced under the GDPR, amid concerns that processes are too drawn out. Concerns over the bureaucracy of the GDPR consistency mechanism are not new – the UK and Ireland raised issues with it in 2015 while the legislation was still being drafted. Now the Commission hopes to “harmonise some aspects of the administrative procedure the national data protection authorities apply in cross-border cases”. Legislation to achieve this change is expected before the beginning of July.
How cross-border cases are enforced under the GDPR in future could also be shaped by the courts.
The Irish DPC has already lodged proceedings against the EDPB before the CJEU in a case that could provide guidance on the extent to which the EDPB can order national DPAs to undertake investigations under the GDPR. It also remains to be seen whether the concerns Meta Ireland has raised over the Article 65 process will feature in the appeal it intends to bring against its recent fine over data transfers to the US.
Ultimately, businesses need certainty, simplicity, and speedy resolutions to regulatory processes. The Commission’s initiative appears well-intentioned to address these needs, but all eyes will be on the legislation it brings forward and on the court proceedings that could have a major bearing on the direction of data protection enforcement under the GDPR over the next five years.