
GDPR Enforcement Gaps: How Data Brokers and Systemic Failures Undermine Privacy Rights
Tags: GDPR, data privacy, enforcement, data brokers, access requests, compliance

AIGovHub Editorial, April 12, 2026

The GDPR Promise vs. Reality: When Rights Meet Resistance

Since its enforcement on 25 May 2018, the General Data Protection Regulation (GDPR) has been hailed as a landmark in privacy rights, granting individuals robust control over their personal data. Articles 15 to 22 establish powerful data subject rights, including the right to access, rectification, erasure, and explanation of automated decision-making. However, a growing body of evidence reveals a troubling gap between these legal rights and their practical enforcement. Recent complaints and rulings highlight how some organizations—particularly data brokers and large tech platforms—create systemic barriers that undermine the GDPR's core principles. For compliance teams, understanding these enforcement weaknesses is not just an academic exercise; it's a critical component of risk management in an era where regulatory scrutiny is intensifying, albeit unevenly.

Case Studies: Systemic Failures in GDPR Enforcement

Several high-profile cases illustrate the multifaceted challenges in enforcing GDPR rights, revealing patterns of obstruction, procedural delays, and contradictory legal interpretations.

Data Brokers and the Authentication Double Standard

Privacy organization noyb has filed complaints against websites and data brokers for a glaring contradiction: these entities readily use tracking cookies to identify users for targeted advertising and profiling, yet refuse to accept the same cookies as authentication when users exercise their right to access personal data under Article 15 GDPR. The European Data Protection Board (EDPB) guidelines recommend allowing authentication via unique identifiers like cookies, aligning with data minimization principles. By demanding additional personal information or ignoring requests, these companies create obstructive hurdles that violate GDPR requirements. This practice highlights a commercial prioritization where data is leveraged for profit but access rights are treated as an inconvenience.

Swedbank and the "Trade Secret" Shield

In a complaint filed with the Swedish Data Protection Authority (IMY), noyb alleges that Swedbank violated GDPR transparency requirements by rejecting a customer's data access request regarding automated interest rate calculations. The bank claimed the calculation logic is a 'trade secret,' but EU law—specifically GDPR Article 15(1)(h) and the Mortgage Credit Directive—requires companies using automated decision-making to provide 'meaningful information about the logic involved.' Automated interest systems can significantly impact consumers financially, making transparency essential. This case underscores how organizations may misuse exceptions to withhold information critical to data subjects.

The Austrian Court's Contradictory Ruling

The Austrian Federal Administrative Court issued a decision that creates an 'unsolvable dilemma' for data subjects. The court ruled that mobile phone traffic and location data are particularly sensitive information requiring additional protection, yet simultaneously determined they are not personal data under GDPR. This allowed provider A1 to refuse an access request for location data collected during the COVID-19 pandemic, arguing the user couldn't prove exclusive use of the phone/SIM card. The court upheld impossible proof standards, rejecting even affidavits as insufficient. This ruling could set a dangerous precedent, allowing controllers to deny access to sensitive data by claiming uncertainty about exclusive usage, affecting users of smartwatches, dating apps, and health apps.

EDPB and the Facebook Case: Procedural Delays in Cross-Border Enforcement

The European Data Protection Board's response to concerns about the Irish Data Protection Commission's handling of the Facebook case—which could result in a fine up to €2.5 billion—reveals systemic enforcement challenges. The EDPB acknowledged issues such as differences in national administrative procedural laws and the time and resources required for cross-border cases. While confirming efforts to improve consistency and cooperation among supervisory authorities (DPAs), this case highlights how procedural complexities and resource constraints can delay meaningful enforcement, even in high-stakes investigations.

Why Data Protection Authorities Struggle: Resources, Pressure, and Procedure

The enforcement gaps illustrated above stem from several interconnected factors that hinder DPAs' effectiveness across the EU.

  • Resource Constraints: Many DPAs are understaffed and underfunded relative to their mandates, leading to backlogs in complaint handling and investigations. The EDPB has acknowledged that cross-border cases require significant time and resources, slowing resolutions.
  • Political and Economic Pressure: In jurisdictions hosting large tech firms, DPAs may face implicit or explicit pressure to avoid stringent enforcement that could impact local economies. The procedural delays in the Facebook case with the Irish DPC exemplify this dynamic.
  • Procedural Fragmentation: Differences in national administrative laws create inconsistencies in how GDPR is applied and enforced across member states. This fragmentation complicates cross-border cooperation and leads to unequal protection for data subjects.
  • Legal Ambiguities and Contradictions: Court rulings like the Austrian case introduce legal uncertainties that organizations can exploit. When courts set contradictory standards—such as declaring data sensitive but not personal—it undermines regulatory clarity and enforcement predictability.

These challenges are not unique to the EU. In the US, the absence of a comprehensive federal privacy law means enforcement relies on a patchwork of state laws (like California's CPRA) and FTC actions under Section 5 of the FTC Act, which also faces resource and jurisdictional limitations.

Practical Implications for Compliance Teams

For organizations operating in the EU or handling EU residents' data, these enforcement gaps create both risks and opportunities. Compliance teams must navigate a landscape where rights are strong on paper but enforcement is inconsistent.

  • Increased Scrutiny on Access Requests: Despite enforcement weaknesses, data subject access requests (DSARs) remain a focal point for regulators and activists. Organizations that obstruct requests—like demanding excessive authentication or falsely claiming trade secrets—face complaint risks and potential fines upon investigation.
  • Need for Proactive Transparency: Automated decision-making systems, such as those used in lending (like Swedbank's interest calculations) or hiring (classified as high-risk under the EU AI Act), require clear explanations. Compliance teams should document logic and provide meaningful information to data subjects, aligning with both GDPR and emerging AI governance frameworks like the EU AI Act and NIST AI RMF.
  • Vendor Risk Management: Data brokers and third-party processors that mishandle DSARs can expose contracting organizations to liability. Due diligence should include assessing vendors' GDPR compliance practices, especially around access rights and authentication methods.
  • Cross-Border Coordination Challenges: Multinational companies must prepare for varying enforcement priorities and speeds across EU member states, as seen in the Facebook case. Internal processes should be adaptable to local DPA expectations.

Tools like AIGovHub's data privacy monitoring features can help compliance teams track regulatory changes and assess vendor risks across jurisdictions, providing a centralized view of obligations.

Recommendations for Strengthening Internal Compliance Processes

To mitigate risks arising from GDPR enforcement gaps, organizations should adopt a proactive and transparent approach to data subject rights.

  1. Streamline DSAR Authentication: Implement authentication methods that align with EDPB guidelines, such as accepting unique identifiers (e.g., cookies) already used for tracking. Avoid collecting unnecessary additional data, which violates data minimization principles.
  2. Document Automated Decision-Making Logic: For systems involving automated processing—common in fintech, HR, and lending—maintain clear documentation of the logic, significance, and consequences. Prepare to provide this information in response to Article 15(1)(h) requests, balancing transparency with legitimate trade secret protections.
  3. Conduct Regular Data Protection Impact Assessments (DPIAs): DPIAs are required under GDPR for high-risk processing and can help identify and mitigate barriers to data subject rights. Integrate DPIAs with broader risk management frameworks, such as those for AI governance under the EU AI Act.
  4. Enhance Vendor Due Diligence: Use standardized assessments to evaluate data brokers and third-party processors. Platforms like AIGovHub's vendor marketplace offer tools to compare compliance solutions and generate due diligence questionnaires, helping ensure partners uphold GDPR standards.
  5. Monitor Enforcement Trends: Stay informed about DPA decisions and court rulings, such as the Austrian case, that may impact compliance strategies. Regulatory intelligence tools can provide alerts on developments affecting data privacy obligations.
  6. Build Cross-Functional Compliance: Collaborate with legal, IT, and business units to ensure DSAR processes are integrated into system design. For example, AI governance teams should work with privacy officers to address overlapping requirements under GDPR and the EU AI Act.
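To make recommendations 1 and 2 concrete, the following is an added example (not AIGovHub's code, nor code from any of the organizations discussed) of a minimal DSAR handler that authenticates the requester with the same pseudonymous tracking cookie the site already uses, and answers with the stored profile plus the Article 15(1)(h) information about an automated decision. Everything in it is assumed for illustration: that the site signs its tracking cookie with a server-side HMAC key so a request can be tied to a cookie the site itself issued, the `trk` cookie name and `<id>.<hmac>` format, the in-memory profile store and its field names, and the response deadline approximated as 30 days after receipt.

```python
"""Added example: DSAR endpoint that authenticates by the site's own signed
tracking cookie instead of demanding extra identity data. Not AIGovHub code;
the cookie format, key, store and field names are constructed assumptions."""
import hashlib
import hmac
from datetime import date, timedelta
from http.cookies import SimpleCookie

# Assumed: the site signs its tracking cookie with a server-side key, so a
# DSAR can be bound to a cookie the site issued. Constructed sample key.
COOKIE_SIGNING_KEY = b"constructed-sample-key-rotate-in-production"

# Constructed sample store keyed by the pseudonymous tracking ID. In practice
# this is whatever profile store the ad-tech or analytics stack already reads.
PROFILE_STORE = {
    "u-7f3a": {
        "tracked": {"pages_viewed": 42, "segments": ["mortgage-shopper"]},
        "automated_decision": {
            "outcome": "interest_rate_tier_B",
            "logic": "tier assigned from credit score band and loan-to-value ratio",
            "significance": "raises the offered rate by 0.4 percentage points",
        },
    }
}


def sign_cookie(user_id: str) -> str:
    """Issue the tracking cookie value '<id>.<hmac>' for a pseudonymous id."""
    mac = hmac.new(COOKIE_SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_cookie(value: str):
    """Return the user id if the cookie carries a valid signature, else None."""
    if "." not in value:
        return None
    user_id, mac = value.rsplit(".", 1)
    expected = hmac.new(COOKIE_SIGNING_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak timing information.
    return user_id if hmac.compare_digest(mac, expected) else None


def handle_access_request(cookie_header: str, request_date=None) -> dict:
    """Answer an Article 15 request authenticated only by the tracking cookie.

    No additional identity documents are requested: the identifier the site
    already uses to profile the visitor is sufficient to locate their data.
    """
    request_date = request_date or date.today()
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if "trk" not in cookies:
        return {"status": "no_identifier", "detail": "no tracking cookie presented"}
    user_id = verify_cookie(cookies["trk"].value)
    if user_id is None:
        return {"status": "rejected", "detail": "cookie signature invalid"}
    # GDPR Art. 12(3): respond without undue delay and within one month of
    # receipt; approximated here as 30 days (assumption for the example).
    deadline = (request_date + timedelta(days=30)).isoformat()
    profile = PROFILE_STORE.get(user_id)
    if profile is None:
        return {"status": "no_data", "subject": user_id, "respond_by": deadline}
    adm = profile["automated_decision"]
    return {
        "status": "fulfilled",
        "subject": user_id,
        "respond_by": deadline,
        "personal_data": profile["tracked"],
        # Art. 15(1)(h): meaningful information about the logic involved, the
        # significance and the envisaged consequences of the automated decision.
        "automated_decision_making": {
            "outcome": adm["outcome"],
            "logic": adm["logic"],
            "significance": adm["significance"],
        },
    }


if __name__ == "__main__":
    # Simulate a visitor whose browser sends back the cookie the site issued.
    print(handle_access_request("trk=" + sign_cookie("u-7f3a"), date(2026, 4, 12)))
```

The design choice worth noting is that the signature check does the work the "additional personal information" demand is usually claimed to do: a forged or guessed identifier is rejected, while a genuine cookie holder gets their data without surrendering more of it, which is the data-minimization outcome the EDPB guidance points to. The automated-decision block is populated from the same record the decision system wrote, so the logic description exists before any request arrives rather than being reconstructed under deadline.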

Key Takeaways

  • GDPR enforcement faces systemic gaps due to DPA resource constraints, procedural delays, and contradictory court rulings, as seen in cases involving data brokers, Swedbank, and Austrian mobile data.
  • Organizations that obstruct data subject access requests—through authentication barriers or false trade secret claims—risk complaints and fines, despite uneven enforcement.
  • Automated decision-making systems require transparent documentation to comply with GDPR Article 15(1)(h) and related directives like the Mortgage Credit Directive.
  • Compliance teams should proactively streamline DSAR processes, conduct DPIAs, and strengthen vendor due diligence to mitigate risks from enforcement weaknesses.
  • Monitoring tools and regulatory intelligence platforms can help organizations stay ahead of evolving privacy requirements and enforcement trends.

This content is for informational purposes only and does not constitute legal advice.