Hacker News
by Silhouette 2154 days ago
One good thing about the GDPR is that it was basically designed to allow the regulators to beat up businesses that do that. If you're too old or inflexible to live up to your obligations, congratulations, it's now a liability that could turn into substantial fines.

Has the EU actually shown any teeth to these outfits?

It's one thing to say something is illegal but if you don't enforce that these firms will be able to operate with impunity.

Has the EU actually shown any teeth to these outfits?

It's starting to.

https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...

There are 7-8 figure fines already this year, and two 9 figure ones that the UK regulator has given notice on.

Note that in principle it's not up to the EU to enforce because the GDPR is a directive; it's up to the individual member states to enforce the directive as enshrined in their law.

GDPR isn't a directive; it's a regulation. It's literally what the R stands for.

The major difference between the two in terms of how the EU makes laws is that directives are the indirect one: individual member states are required to incorporate the provisions into their own legal systems to give them force of law. An EU regulation is the direct equivalent: it carries force of law across all member states immediately. In the case of the GDPR, the UK government has also stated that its provisions will continue here after Brexit and the related transition arrangements.

However, you're right that enforcement will normally be done by an individual member state, because it is typically the national data protection or privacy authority in each state that acts as regulator and has enforcement powers under the GDPR. In theory, there's supposed to be some coordination so one of those regulators will take the lead on any given investigation or enforcement action instead of 28 different organisations all diving in at once, but it doesn't seem to be clear yet how that aspect will work post-Brexit.

In theory, yes. In practice... I'm not so sure. These processes are slow and I imagine that the regulators are drowning in complaints and are hugely understaffed.

And there's no recourse besides filing a complaint. Even if I'm legally right, what damage was caused to me that I can seek compensation for? (assuming I go and try to take them to court directly).

Isn't the difficulty in proving actual damages in a personal claim one of the main arguments for making this a regulatory matter?

As mentioned in my other comment near here, the regulators have started issuing some reasonably substantial fines already.

Yes, absolutely. Yet the likelihood of Acxiom being fined anything other than some token amount in a case like mine is virtually zero.

It feels like that, but I wonder how long it will be before one of the regulators decides to make an example of one of the big data-hoarding companies. Their whole business model is morally and now also legally dubious, and it's so obviously against the spirit of the GDPR that it seems like a matter of time before someone decides to pick a fight. I doubt it will be a single case like yours that starts it, unless perhaps it provides a convenient excuse to start an investigation, but it will be a thousand or a million situations like yours that motivate it.