LONDON — When Europe enacted the world’s toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world’s largest technology companies.
Now, the law is struggling to fulfill its promise.
Europe’s rules have been a victim of a lack of enforcement, poor funding, limited staff resources and stalling tactics by the tech companies, according to budget and staffing figures and interviews with government officials. Even some of the law’s biggest supporters are frustrated with how it has worked.
In addition, the response to Covid-19 is raising new questions about the role of privacy safeguards, as digital tools for tracking health and location information, once viewed warily by the European authorities, are now crucial parts of containment strategies.
The inaction is creating tension within European governments, as some leaders call for speedier enforcement and broader changes. Privacy groups and smaller tech companies complain that companies like Facebook and Google are avoiding tough oversight. At the same time, the public’s experience with the G.D.P.R. has been a frustrating number of pop-up consent windows to click through when visiting a website.
Europe’s challenges risk undermining efforts elsewhere in the world to create tougher privacy rules, said Johnny Ryan, a leading campaigner for privacy regulation. He said American officials had told him that Europe’s problems with putting G.D.P.R. into effect were a reason not to create federal standards in the United States.
“If you don’t have strong, robust enforcement and investment, this law is a fantasy,” said Mr. Ryan, the chief policy officer at Brave, which makes an internet browser with privacy protections to limit data tracking and advertising. “We have failed to realize the potential of G.D.P.R. thus far.”
Supporters acknowledge that the law has had growing pains and that cases have taken longer as new procedures are put in place. But they say it is too early to draw sweeping conclusions. The law has increased awareness about privacy and forced many companies, including Facebook and Google, to adopt new policies to comply. California has adopted a similar privacy law.
The biggest test of the G.D.P.R. thus far will come in the months ahead, supporters argue, when a batch of rulings involving big technology companies are expected. Twitter is expected to be one of the first to be penalized, in an Irish case related to data breaches. WhatsApp, the Facebook-owned messaging service, faces possible penalties for sharing data with other Facebook services.
“The G.D.P.R. is a long-term project,” said Eduardo Ustaran, who leads the privacy practice at Hogan Lovells International, a London law firm that represents many large companies. “The past couple of years barely give us a glimpse of whether this project will be successful.”
Facebook said in a statement that it was committed to the principles of the G.D.P.R., which have resulted in making “our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download and delete their information.”
Many critics said that even if the companies were penalized, the actions had taken too long, leaving regulators at risk of fighting yesterday’s battles. The cases could drag for several more years as a result of court appeals. And with limited financial resources, critics argue, the authorities are inclined to be overly cautious and avoid more complex cases.
Adding to the challenges is the coronavirus pandemic, which has altered the debate about how to build mobile apps and other technologies. Techniques that were once seen as intrusive in Europe, like collecting location and health data, are part of government plans to contain the virus.
The G.D.P.R. provides “legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent” of individuals, the European Data Protection Board, which helps coordinate enforcement of the law, said in a recent statement. The European Commission delayed until June the release of a full review of the G.D.P.R. as a result of the virus.
Frustrated by the lack of progress, Mr. Ryan spent several weeks examining budget and staffing data from 28 European countries. Mr. Ryan, who lives in Ireland and filed a complaint with regulators there against Google over its ad-targeting practices, found that all but three — Germany, Britain and Italy — had data protection agencies with annual budgets of less than €25 million.
In his report, to be published this week, Mr. Ryan found that most countries had only a handful of investigators with industrial expertise dedicated to reviewing technology industry cases. He is filing a complaint with the European Union asking it to penalize countries that do not give data protection agencies enough resources.
“We have a lack of enforcement,” said Ulrich Kelber, the chairman of Germany’s data protection authority, which has the highest budget in the European Union, at roughly €85 million when including regional agencies. “Most of the European governments don’t give enough resources to the data protection authorities.”
He called for a more centralized approach, in which countries pool resources and share responsibilities for investigating the biggest companies. Currently, each country is responsible for regulating companies that have their European headquarters within its borders.
Ireland’s budget of €16.9 million ranks sixth among data protection agencies in Europe. Last year, Ireland’s data protection regulator sought a budget increase of €5.9 million. It got a third of that amount.
Companies like Facebook asked a slew of procedural legal questions that must be responded to before cases can advance, Ms. Dixon said. Google stalled regulators by not immediately declaring where its European headquarters would be.
Ms. Dixon said many people wrongly assumed that the G.D.P.R. would result in a swift and wholesale shake-up of data-collection practices of the largest tech companies.
“There will be fines, there is no doubt about that,” she said, but the law “doesn’t allow for taking on an entire sector.”
Regulators have other leverage beyond investigations, Ms. Dixon said. Facebook delayed the release of its dating app, she explained, after the Irish authorities raised questions about its data collection.
“There are lots of different ways to go about creating a positive effect,” she said. “Not all of them cater around fines and the superficial commentary we sometimes see.”
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .