I believe in privacy, and I believe in the need for privacy laws to guarantee privacy. I’ve been calling for serious global privacy laws for two decades:
http://news.bbc.co.uk/2/hi/technology/6994776.stm
Europe has been the continent with the world’s most serious and strict privacy law, but only on paper. It’s been almost a decade since Europe’s landmark privacy law, the GDPR, was passed. It’s fair now to assess its impact. The European Commission is taking a look at certain revisions, mostly irrelevant and mostly in the direction of loosening some of its paperwork provisions. Meanwhile, leading privacy advocates are already warning against weakening the GDPR: https://www.theguardian.com/commentisfree/2025/nov/12/eu-gdpr-data-law-us-tech-giants-digital
I have a lot of experience working with these laws, and I have a clear opinion: the GDPR has failed. It has not met any of its key goals. If you have any doubt, ask yourself the simple question: do I have more or less privacy today than a decade ago? There are many reasons for this failure, but number one is the One Stop Shop Flop.
The European lawmakers passed a strict privacy law, on paper, with massive potential fines (up to 4% of worldwide turnover) for non-compliance, on paper. But then, in a massive blunder, the European lawmakers created a one-stop shop notion, meaning that non-European companies, like Chinese and US Big Tech, could pick any EU country to regulate them. Guess what, they picked Ireland, their longstanding tax haven, as their regulatory haven too. Before this law, all 28 European countries could enforce privacy laws against Big Tech. After this law, only Ireland. Hallelujah for American and Chinese Big Tech…
But let’s keep things simple. A law with no enforcement will not be respected. A small regulator, based in a small country, with a small staff, in a country that makes its money by being a tax haven to American and Chinese Big Tech…was tasked with enforcing this law on behalf of 450 million citizens of the EU? I’m hardly the only person to criticize this farce: https://noyb.eu/en/former-meta-lobbyist-named-dpc-commissioner-meta-now-officially-regulates-itself
I love to take early morning walks in a park near my home. Every morning I see the same spectacle: a few adorable dogs chase the local squirrels. The dogs bark and wag their tails, the squirrels scamper and scurry, and the humans chuckle. It’s fun for all, because everyone knows…the dogs will never catch a squirrel. And indeed, no one in the “lead” privacy regulator for Europe, in Ireland, has ever caught a Big Tech squirrel, and never will. The Irish regulator has never imposed the fines that the European lawmakers envisaged.
Meanwhile, the European Commission proposes to fix this iconic privacy law…not by asking why this key law has failed, but by suggesting its paperwork documentation obligations could be streamlined. Meanwhile, the one stop shop flop continues, and the Big Tech squirrels are not worried about any privacy law enforcement. The losers, of course, are the 450 million Europeans who were promised a strict privacy law.
The lesson for the future, in particular for AI, is clear. You can pass laws (as Europe already has done in its AI Act), but a law with no enforcement won’t be respected. Ask the squirrels.