Now that we are approaching the second year anniversary of the General Data Protection Regulation (GDPR), some observers criticise the lack of enforcement of these rules. The GDPR has foreseen heavy fines for wrongdoers and apart from the French authority (the CNIL) which has ordered a fine of EUR 50 million against Google, the amount of most fines remains low and they do not hit the global tech companies as was expected in May 2018 when the GDPR started to apply.
This is the current perception but is that true?
In reality, enforcement requires thorough investigations and must take place in full compliance with the right of defence. This means that significant resources must be deployed in a legal environment to which regulators are still adapting. Major cases are likely to be more time-consuming than smaller ones. This should explain why most cases published so far are relatively small and local. Even the major cases announced by the UK ICO are not settled yet (against BA and Marriott).
Given the above, it is not excluded that we will not see major decisions with higher fines for a while. This is even more likely with the current Covid-19 crisis which is slowing down procedures generally.
The absence of major decisions should however not be mistaken for inaction. Some of the regulators are working on more prominent cases. It is important that they get it right from the outset. They must take the necessary time to analyse the factual situations and make an appropriate application of the rules.
It is therefore too early to judge and consider the GDPR is not properly enforced.