LONDON — When Europe enacted the world’s toughest online privacy law nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world’s largest technology companies.
Now, the law is struggling to fulfill its promise.
Europe’s rules have been a victim of a lack of enforcement, poor funding, limited staff resources and stalling tactics by the tech companies, according to budget and staffing figures and interviews with government officials. Even some of the law’s biggest supporters are frustrated with how it has worked.
In addition, the response to Covid-19 is raising new questions about the role of privacy safeguards, as digital tools for tracking health and location information, once viewed warily by the European authorities, are now crucial parts of containment strategies.
The law, known as the General Data Protection Regulation, or G.D.P.R., created new limits on how companies can collect and share data without user consent. It gave governments broad authority to impose fines of up to 4 percent of a company’s global revenue, or to force changes to its data-collection practices. The policy served as a model for new privacy rules in Brazil, Japan, India and elsewhere.
But since the law was enacted, in May 2018, Google has been the only giant tech company to be penalized — a fine of 50 million euros, worth roughly $54 million today, or about one-tenth of what Google generates in sales each day. No major fines or penalties have been announced against Facebook, Amazon or Twitter.
The inaction is creating tension within European governments, as some leaders call for speedier enforcement and broader changes. Privacy groups and smaller tech companies complain that companies like Facebook and Google are avoiding tough oversight. At the same time, the public’s experience with the G.D.P.R. has been a frustrating number of pop-up consent windows to click through when visiting a website.
Europe’s challenges risk undermining efforts elsewhere in the world to create tougher privacy rules, said Johnny Ryan, a leading campaigner for privacy regulation. He said American officials had told him that Europe’s problems with putting G.D.P.R. into effect were a reason not to create federal standards in the United States.
“If you don’t have strong, robust enforcement and investment, this law is a fantasy,” said Mr. Ryan, the chief policy officer at Brave, which makes an internet browser with privacy protections to limit data tracking and advertising. “We have failed to realize the potential of G.D.P.R. thus far.”
Supporters acknowledge that the law has had growing pains and that cases have taken longer as new procedures are put in place. But they say it is too early to draw sweeping conclusions. The law has increased awareness about privacy and forced many companies, including Facebook and Google, to adopt new policies to comply. California and New York have adopted similar privacy laws.
The biggest test of the G.D.P.R. thus far will come in the months ahead, supporters argue, when a batch of rulings involving big technology companies are expected. Twitter is expected to be one of the first to be penalized, in an Irish case related to data breaches. WhatsApp, the Facebook-owned messaging service, faces possible penalties for sharing data with other Facebook services.
“The G.D.P.R. is a long-term project,” said Eduardo Ustaran, who leads the privacy practice at Hogan Lovells International, a London law firm that represents many large companies. “The past couple of years barely give us a glimpse of whether this project will be successful.”
Facebook said in a statement that it was committed to the principles of the G.D.P.R., which have resulted in making “our policies clearer, our privacy settings easier to find, and introduced better tools for people to access, download and delete their information.”
Amazon said that as a result of the law, it had introduced a new privacy help page where customers can see more information about data the company collects. Google and Twitter declined to comment.
Many critics said that even if the companies were penalized, the actions had taken too long, leaving regulators at risk of fighting yesterday’s battles. The cases could drag for several more years as a result of court appeals. And with limited financial resources, critics argue, the authorities are inclined to be overly cautious and avoid more complex cases.
Adding to the challenges is the coronavirus pandemic, which has altered the debate about how to build mobile apps and other technologies. Techniques that were once seen as intrusive in Europe, like collecting location and health data, are part of government plans to contain the virus.
The G.D.P.R. provides “legal grounds to enable the employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent” of individuals, the European Data Protection Board, which helps coordinate enforcement of the law, said in a recent statement. The European Commission delayed until June the release of a full review of the G.D.P.R. as a result of the virus.
Frustrated by the lack of progress, Mr. Ryan spent several weeks examining budget and staffing data from 28 European countries. Mr. Ryan, who lives in Ireland and filed a complaint with regulators there against Google over its ad-targeting practices, found that all but three — Germany, Britain and Italy — had data protection agencies with annual budgets of less than €25 million.
In his report, to be published this week, Mr. Ryan found that most countries had only a handful of investigators with industrial expertise dedicated to reviewing technology industry cases. He is filing a complaint with the European Union asking it to penalize countries that do not give data protection agencies enough resources.
Regulators acknowledge the problem and have called for more money. In a February survey of privacy regulators in 30 European countries, 21 responded that “resources are not enough” to fulfill their responsibilities. Luxembourg, which is responsible for regulating Amazon, had a budget of roughly €5.7 million last year, worth about $6.2 million, or roughly Amazon’s sales over 10 minutes.
“We have a lack of enforcement,” said Ulrich Kelber, the chairman of Germany’s data protection authority, which has the highest budget in the European Union, at roughly €85 million when including regional agencies. “Most of the European governments don’t give enough resources to the data protection authorities.”
He called for a more centralized approach, in which countries pool resources and share responsibilities for investigating the biggest companies. Currently, each country is responsible for regulating companies that have their European headquarters within its borders.
At the center of the dispute is Ireland, which has outsize influence over the law’s enforcement because Apple, Facebook, Google, LinkedIn and Twitter are all based there. The country is responsible for leading more investigations, 127, than any other country in Europe, according to Brave. Yet in nearly two years, it has not issued a single G.D.P.R. penalty.
Ireland’s budget of €16.9 million ranks sixth among data protection agencies in Europe. Last year, Ireland’s data protection regulator sought a budget increase of €5.9 million. It got a third of that amount.
Helen Dixon, the chair of Ireland’s data protection agency, said she was frustrated by the budget restrictions but defended the work of her office. More than 140 people work in her office, compared with 27 in 2017. She graded Ireland’s performance an “A for effort” but a “C-plus/B-minus in terms of output.”
Ms. Dixon said rulings involving Twitter, Facebook and others were coming. But she said her office had been overwhelmed by complaints filed by advocates like Mr. Ryan that called for sweeping, resource-intensive investigations of entire industries like digital advertising. Under the law, regulators must respond to every complaint filed — more than 12,000 in Ireland since 2018.
Companies like Facebook asked a slew of procedural legal questions that must be responded to before cases can advance, Ms. Dixon said. Google stalled regulators by not immediately declaring where its European headquarters would be.
Ms. Dixon said many people wrongly assumed that the G.D.P.R. would result in a swift and wholesale shake-up of data-collection practices of the largest tech companies.
“There will be fines, there is no doubt about that,” she said, but the law “doesn’t allow for taking on an entire sector.”
Regulators have other leverage beyond investigations, Ms. Dixon said. Facebook delayed the release of its dating app, she explained, after the Irish authorities raised questions about its data collection.
“There are lots of different ways to go about creating a positive effect,” she said. “Not all of them cater around fines and the superficial commentary we sometimes see.”