The EU’s privacy laws are among the strictest in the world, with fines of up to 4% of a company’s annual turnover. Large tech firms want to keep quiet about the EU’s lax enforcement of those rules.
Since the GDPR went into effect in 2018, the EU has delegated Big Tech regulation to the countries where the companies have their European headquarters.
That puts enormous pressure on countries like Ireland, which hosts several large internet firms like Meta Platforms Inc. that have been accused of violating privacy laws. Ireland has fined Meta around 1 billion euros ($1.1 billion) in the past five months, but the penalties took years to come about and, in the latest case, Ireland was forced by its European peers to significantly raise the penalty.
Ireland’s slow case processing and business-friendly GDPR interpretation have slowed EU enforcement.
That may change now that the EU’s executive arm, the European Commission, will require each nation to share a data-protection investigation overview six times a year. A country’s regulator will also have to give the Commission an overview of all its large-scale cross-border investigations under GDPR, including, critically, all key procedural steps taken with each case and all investigatory or other measures taken, along with dates from the European Ombudsman. It toughens privacy by holding regulators accountable for thoroughly investigating companies.
The Commission issues a report every two years on GDPR enforcement, but the executive branch has not deeply examined each nation’s privacy regulator. If national watchdogs fail to comply with the new information requirement, their governments could be sued at the European Court of Justice. Privacy regulators have never been so accountable.
This change is crucial for Ireland, the Netherlands, Luxembourg, and France. Ireland has the most tech firms, while Uber Technologies Inc. is in the Netherlands, Amazon.com Inc. in Luxembourg, and Criteo SA, a major online advertising firm, in France.
The Irish Council for Civil Liberties, a human rights group that has complained to the EU about Ireland’s privacy watchdog’s handling of Facebook, appears to have complained to the European Ombudsman.
“Previously you had cases lying dormant for years and privacy law not being applied,” says ICCL senior fellow Johnny Ryan. “This marks the start of serious European enforcement against Big Tech.”
The EU’s one-stop-shop mechanism—bureaucrat-speak for making a single country responsible for policing tech firms—has forced privacy advocates to file complaints against both companies and regulators for not being strict enough. Austrian privacy campaigner Max Schrems has threatened to sue Luxembourg’s privacy watchdog over the delay in investigating Amazon’s alleged data breaches.
The European Ombudsman, which investigates EU administrative complaints, confirmed that the European Commission had instructed it to scrutinize national watchdogs.
Ireland’s Data Protection Commission says its complex cases take a long time, but it has resolved hundreds of cross-border complaints in the last four years.
The European Court of Justice criticized the Irish watchdog for “persistent administrative inertia.” After initially siding with Meta on several aspects of Schrems’ complaint, Europe’s Data Protection Board forced the regulator to increase Meta’s fine for illegal data processing from 28 million euros to 390 million euros earlier this month.
With the Commission checking each regulator’s homework, watchdogs will be forced to work harder and avoid stalling: years-long delays between the lodging of a complaint and the opening of an inquiry, months between rounds of correspondence about a case, or complaints leading to no investigation will be visible to the EU mothership.
This development has one drawback: the Commission will keep national privacy regulators’ information “strictly confidential” and audit in private.
Even though the new scrutiny won’t be made public, it will nonetheless be carried out.