To analyse. It was a European miracle, a feat of consensus. After months of bitter debate, the European Union (EU) adopted, in 2016, the General Data Protection Regulation (GDPR), a major text for the protection of Internet users. Five years later, this regulation is basically almost unanimous. The bosses of Apple, Facebook or Microsoft considered it balanced; California was inspired by it to pass its own law on personal data; and privacy advocates, who sometimes regret its lack of ambition, have used it to initiate dozens of proceedings, resulting in fines of hundreds of millions of euros, against WhatsApp (a subsidiary of Facebook) or from Amazon.
But behind these praises, it is in its application that the European regulation finds its limits. As a study by the Irish Council for Civil Liberties, an Irish human rights NGO, shows, regulators responsible for enforcing the GDPR face significant challenges. Often underfunded, they are also the target of a concentration effect, because the files fail in the hands of the regulator. ” native country “, the one that houses the European headquarters of the company concerned. Ireland thus concentrates the files concerning Facebook, Twitter or Google. And constitutes a bottleneck: less than 2% of cases have been the subject of a decision.
These blockages are not only a question of means. The subject is also political, especially in Ireland, where low taxation and a well-trained English-speaking workforce have attracted all the digital giants. The government is careful not to anger these providers of thousands of jobs.
Conceiving good rules is therefore not enough. A mechanism must also be created to guarantee their implementation. This challenge is at the heart of the European discussions underway on the two future major texts governing large digital companies, the Digital Services Act (DSA) and the Digital Markets Act (DMA). “Everyone has the GDPR in mind”, had also confided at the end of May the French secretary of state for digital, Cédric O, during a European Council.
For the DSA, the country of origin rule also applies. It will therefore be up to the Irish equivalent of the Superior Audiovisual Council to ensure that Facebook and YouTube (a subsidiary of Google) comply with the obligations of means and transparency on the moderation of content that the regulation sets. Aware of the limits of the GDPR, Brussels has provided that an authority in a destination country can request an investigation from its Irish counterpart and then, if it is dissatisfied, request the European Commission, which can ask Ireland to act. Everything comes with deadlines.
You have 54.15% of this article to read. The rest is for subscribers only.