Schrems: ‘Data protection authorities must enforce GDPR more strictly’

European privacy regulators must enforce the General Data Protection Regulation (GDPR) more rigorously, as violating privacy laws has little to no consequences.

That’s what Max Schrems, privacy lawyer and Chair of the Austrian privacy organization Noyb, said in an interview on the occasion of the 20th anniversary of the European Data Protection Supervisor (EDPS), the European privacy regulator.

He talks about the launch of the GDPR in 2016, which truly went into effect in 2018. A lot of positive things happened in this period, but there’s a lot of room for improvement as well.

“In these eight years, what we see is that the European legislature has put forward this strong enforcement, serious fines, all that kind of stuff. But what’s still missing is the kind of developed enforcement culture in a lot of the authorities. Some of them actually do quite an interesting job. Others, to be honest, we see almost no activity whatsoever.”

“What’s really interesting is how we can get towards that culture of seeing that as a fundamental right and the right that actually needs enforcement. I think we’re still seeing a lot of this soft law approach,” he adds.

Schrems compares the current culture of data protection authorities (DPAs) to driving your car. If you park your car in the wrong spot or if you’re speeding, you’ll get a ticket right away. You won’t receive an explanation saying you should park your car elsewhere or you shouldn’t drive too fast.

“But if you’re a big tech company, or even an average company, there’s very little consequences if there’s a breach of the law. This non-enforcement culture we also see now plays out at legal conferences. We are now at a level where privacy lawyers say openly on stage, ‘If you don’t comply with the GDPR, nothing is going to happen.’ I think that is something where we have to change and shift the culture and shift gears to a certain extent,” the privacy lawyer says.

Schrems goes on to say that numerous DPAs don’t publish their decisions, meaning the public doesn’t have a good understanding of which company received a penalty and is violating European privacy laws.

Schrems recommends that we move towards so-called ‘evidence-based enforcement’, which means moving forward with tools that work reasonably well. Clear and strict enforcement is one tool to achieve what he calls ‘general deterrence’ when companies knowingly violate privacy laws.