[Hamuko]

>A mere 3 years! This is, in fairness, quite proactive by EC standards.

Isn't that just because EU rules have quite long transition periods to give companies time to comply with the new rules? GDPR had a two-year transition period before enforcement, and even then there was tons of complaints towards the end of the two-year period on how there just wasn't enough time to comply.

[SiempreViernes]

Well, there are many things that make the EC have a reputation of being slow.

One thing is just the transition periods you mention, then there is the delays caused by the need to have legislation at the EU levels turned into actual national legislation to be implemented.

Then there is the whole trialogue thing where, after first approving a draft law, the EP and the EC have to hold further negotiations on a common text while supervised by the Council, which tended to happen behind closed doors so the experience is that the contentious law that was just approved is quietly sucked into a black hole and then you might hear of it being passed only many many months later.

Finally, we also have instances like with the Chapter 7 investigations against Orban where the commission knows the council is likely to block any conclusions so there's no point in rapidly pushing ahead.

[rsynnott]

Even after that transition period, _serious_ enforcement didn’t start for years. Prior to 2021, the largest fine under the GDPR had been 50 million (in 2021-2023 the Irish regulator lurched into actual and fined Facebook a couple billion).

I suspect the “local regulators do enforcement” model won’t feature heavily in future EU law; it doesn’t work very well.