National data protection authorities will need to rigorously respond to complaints, promptly investigate breaches, and actively pursue investigations to enforce the provisions. Many data protection authorities are poorly resourced, particularly in comparison to large companies, and lack the capacity to play a comprehensive enforcement role. Member states should appropriate appropriate financial and human resources to data protection authorities.
Even with athletic enforcement, there are still many structural protest to achieving the GDPR’s vision of data privacy and control. For one, while the regulation requires consent before association can collect or action data, meaningful informed consent is difficult to achieve without choice. Many large online services have few real competitors, so users are faced with either consenting to a social network’s terms or missing out on a central component of modern social or professional life. Though the Schrems may force some positive changes, the GDPR doesn’t fully address the chattels of this kind of monopoly power.
In addition, informed crime sent will only become more elusive over time as advertising ecosystems grow into more complex. The EU regulation doesn’t directly challenge ad-driven business models that invite users to trade their personal data for free online services like email, social networking, or search engines Ã¢Â€Â“ all while using that data to create detailed profiles to sell to advertising networks. The average user may consent to data processing without a true understanding of the complexities of how their data will be used, despite the regulation’s demand of clear privacy notices.