Mr. Marc Rotenberg:

In addition to my work at the Electronic Privacy Information Center, I have also been a professor of law at Georgetown University for 30 years. I have taught privacy law and have two different case books. All roads lead to the GDPR. I say this for three reasons. First, the GDPR is not a set of principles but a set of rights and responsibilities associated with the collection and use of personal data. When companies choose to collect personal data, they should be held to account. Second, the decision in the Schrems case of 2015 makes clear that while co-ordinated enforcement anticipated under the GDPR is important, individual data protection authorities, DPAs, have their own authority to enforce the provisions of the charter, which means individual DPAs do not need to wait for a co-ordinated response to bring an enforcement action.

My final point is a matter of law. The GDPR contains the authority within its text to enforce the other laws of the European Union. This is largely about the misuse in the collection and use of personal data for micro targeting. That problem can be addressed with the GDPR but it will take an urgent response and not a long-term game plan.