-
National data insurance authorities will need to completely respond to complaints, promptly investigate breaches, and actively pursue investigations to enforce the provisions. Many data insurance authorities are poorly resourced, particularly in comparison to large companies, and lack the capacity to play a comprehensive enforcement role. Member states should allot appropriate financial and human resources to data protection authorities.
-
Even with able enforcement, there are still many structural objection to achieving the GDPR’s vision of data privacy and control. For one, while the regulation requires consent before association can collect or case data, meaningful informed consent is difficult to achieve without choice. Many considerable online services have few real competitors, so users are faced with either consenting to a social network’s terms or missing out on a central component of modern social or professional life. Though the Schrems may force some positive changes, the GDPR doesn’t fully address the chattels of this kind of monopoly power.
-
In addition, informed co sent will only become more elusive over time as advertising ecosystems become more complex. The EU regulation doesn’t directly challenge ad-driven business models that invite users to business their personal data for free online services like email, social networking, or search engines – all while using that data to conceive detailed profiles to sell to advertising networks. The ordinary user may consent to data processing without a true understanding of the complexities of how their data will be used, despite the regulation’s demand of clear privacy notices.