Civil society call and recommendations for concrete solutions to GDPR enforcement shortcomings

We call on the European Data Protection Board (EDPB), the European Commission, and all national data protection authorities (DPAs) to urgently address the structural and procedural enforcement issues that prevent the General Data Protection Regulation (GDPR) from fully reaching its potential.

With the GDPR, the European Union (EU) has successfully increased data protection standards, bolstered awareness and created a ripple effect beyond the EU. Thanks to the efforts of policy-makers and civil society, the GDPR is reshaping the way companies and governments handle people’s information and is giving individuals more control over the use of their own personal data. The GDPR holds a genuine potential to put an end to data-exploitative business models and to shift the balance of power in favour of
data subjects, responsible companies and governments.

Almost four years after the entry into force of the GDPR, the undersigned organisations celebrate the collective achievements of the law and take stock of the persisting shortcomings in its enforcement. While new record high fines were handed out in 2021 and an increasing number of decisions have been issued, we observe several barriers to the effective exercise of people’s rights, including their access to remedy and a lack of harmonisation in the enforcement mechanism.