Why not? The answer is that the EU delegates regulatory power to the relevant institutions – in this case data protection authorities – of its member states. And these local outfits are overwhelmed by the scale of the task and are lamentably under-resourced for it. Half of Europe’s DPAs have only five technical experts or fewer. And the Irish data protection authority, on whose patch most of the tech giants have their European HQs, has the heaviest enforcement workload in Europe and is clearly swamped.
So here’s where we are: an online system has been running wild for years, generating billions in profits for its participants. We have evidence of its illegitimacy and a powerful law on the statute book that in principle could bring it under control, but which we appear unable to enforce. And the only body that has, to date, been able to exert real control over the aforementioned racket is… a giant private company that itself is subject to serious concerns about its monopolistic behaviour. And the question for today: where is democracy in all this? You only have to ask to know the answer.