But at Big Tech levels where data is plentiful, the scale of complying with GDPR is different. One recent internal Facebook document obtained by Motherboard hints that the company doesn’t really know what it does with your data—an assertion Facebook denied at the time. Equally, a WIRED and Reveal joint investigation at the end of 2021 found serious shortcomings in the ways Amazon handles customer data. (Amazon said it had an “exceptional” track record in protecting data.)
Microsoft declined a request to comment. Neither Google nor Facebook provided comment in time for publication.
“There is a lag, especially on Big Tech, enforcing the law on Big Tech—and Big Tech means cross-border cases, and that means the one-stop-shop and the cooperation among the data protection authorities,” says Ulrich Kelber, the head of the German federal data protection regulator. The one-stop-shop allows all of Europe’s regulators to have a say on the final decision of the lead regulator in that case, which can then be challenged. Ireland’s fine against WhatsApp grew from the original proposed penalty of as little as €30 million ($31.8 million) to €225 million ($238.5 million) after other regulators weighed in. Another Irish case against Instagram is currently being discussed, Dixon says, which will add months to its final outcome.
The one-stop-shop was created under GPDR, meaning the process has started with teething problems, but four years in, a lot still needs to be improved. Tobias Judin, the head of international at Norway’s data protection authority, says that each week several drafts of decisions are circulated among Europe’s data regulators. “In the vast majority of those cases, we actually agree,” Judin says. (German authorities object the most.) Decisions can face a lot of back and forth between regulators, wrapped up in bureaucracy. “We do question whether, in those cases that have a European-wide impact, it makes sense and whether it is feasible that these cases are solely dealt with by one data protection authority until we reach the decision stage,” Judin says.
Luxembourg’s data regulator hit Amazon with a record-breaking €746 million ($790.6 million) fine last year, its first case against the retailer. Amazon is contesting the fine in court—in a statement to WIRED, the company repeated its assertion that “there has been no data breach, and no customer data has been exposed to any third party”—but Luxembourg’s regulator says investigations will always be lengthy despite it bringing in new ways to investigate companies. “I think under one year or one-half year, I think it’s almost impossible to have it closed before such a delay,” says Alain Herrmann, one of Luxembourg’s four data protection commissioners. “There are huge [amounts of] information to deal with.” Herrmann says Luxembourg has a few other international cases ongoing, but national secrecy laws prevent it from talking about them. “It’s just the [one-stop-shop] system, the lack of resources, the lack of clear law and procedure, which makes their job even more difficult,” Robert says.