subscribe Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Subscribe now
Picture: 123RF/LUKAS GOJDA
Picture: 123RF/LUKAS GOJDA

The EU’s “GDPR” privacy law suffers from ``"massive flaws’’ and endless infighting, according to one of the bloc’s top regulators.

The General Data Protection Regulation — put in motion with great fanfare three years ago — promised multibillion-euro fines for global companies and faster action to solve 21st century problems. But in reality, it’s sparked clashes between watchdogs and delays to probes, said Johannes Caspar, who’s about to step down as head of the Hamburg data protection commission after 12 years.

Tensions over GDPR have been welling up from the start. Overnight, the Irish Data Protection Commission was transformed into the leading EU supervisor for the Silicon Valley giants with regional hubs in the nation, such as Apple Inc and Facebook Inc. With 28 Irish probes into tech firms pending and no immediate decision in sight, the authority has faced a barrage of criticism accusing it of being too slow and too soft.

“The basic model of the procedure set up by GDPR has massive flaws and it just can’t work,” Caspar said. “You can’t accept this in the long term. The problem is what use are these laws to the people if they’re not being applied?”

The 59-year-old German, who returns to academia after June 28, has earned a reputation as one of the EU’s toughest regulators. He first made his mark in 2010 with his criticism of Google’s Street View rollout and more recently he slapped a local Hennes & Mauritz AB unit with a €35.3m ($42m) penalty for snooping on staff, a probe that was opened and shut in less than a year.

One of the faults in the GDPR system, he points out, is the way it gives regulators “lots of room for interpretation” of the rules. `“At the end of the day, our energies are spent on infighting.”

A key feature of the law is the so-called one-stopshop system that puts the authority in the country where a company has its EU base in charge of them. But this, too, has led to tensions. A dispute between Facebook and the Belgian watchdog over their powers to enforce an order against the social media giant ended up in the EU’s top court, which ruled this month that other watchdogs can still weigh in on some cases.


Another complication is that probes into possible violations with an EU-wide effect can’t be concluded by the lead authority alone. Colleagues from across the bloc need to sign off on decisions.

Helen Dixon, Ireland’s data protection commissioner, was trapped in this process when she wanted to finalise her first Big Tech probe, concerning Twitter Inc. She has called criticisms over delays by her agency “ludicrous.”

“The idea that 30 data protection authorities decide on cases through consensus and co-operation” means “we get lost in side issues,” Caspar said.

Leaving too much control in the hands of the lead authorities, such as deciding on when to open a probe and what the scope of the investigation should be without much room for input from others, creates tensions, he said.

“For me this is why such a system can’t work,” he said. “Authorities have to work fast and effectively to be able to give clearly deterring signs that certain behaviours are not OK. If that doesn’t happen, law and reality are at odds.”

Bloomberg News. More stories like this are available on

subscribe Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Subscribe now

Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.

Speech Bubbles

Please read our Comment Policy before commenting.