The European Commission (EC) has ramped up the monitoring of how national data protection authorities enforce the bloc’s flagship privacy and security law, the General Data Protection Regulation (GDPR).
Following a request for information from the European Ombudsman, the EC said that it will “request all national supervisory data protection authorities to share with [it]” a report covering “large-scale cross-border investigations under the GDPR” on “bi-monthly” basis, or six times a year. The EC will then provide a report of the information it receives from state-level data protection authorities.
This directive is designed to address lingering criticism that data protection authorities across the EU have been slow to respond to data privacy violations by big tech within the bloc.
Many GDPR cases involving alleged violations and abuses by big tech have seen years of inaction from state-level authorities. These complaints cover data exports and breaches, advertising models, and location tracking, to name a few.
In December 2022, the European Ombudsman asked the EC to monitor GDPR cases under the Data Protection Commission in Ireland, where many big tech companies are headquartered. Now, the executive body has oversight over all large-scale cases across Europe.
Campaigners laud changes
Privacy watchdogs have said that tech giants have flouted GDPR rules on tracking and profiling for years. Many of these companies are headquartered in member states with “friendly” data protection authorities, such as Ireland.
The Irish Council of Civil Liberties (ICCL) has praised the EC’s decision. “The European Commission’s new commitment should transform Europe’s data and digital enforcement,” said Dr. Johnny Ryan, a senior fellow at the ICCL, in a statement. “Previously, big cases lay dormant for years. Now, we should see acceleration in investigation and enforcement[.]”