The woman who led the development of the wide-ranging law now says it badly needs rewriting.

Former EU justice chief Viviane Reding has called for a revision of Europe’s data protection regime, according to a report in POLITICO. Her calls for the legal overhaul come just three years after the General Data Protection Regulation (GDPR) came into force. Reding, a politician from Luxembourg, was one of the chief architects of the GDPR when it first appeared in 2012.

Now an opposition MP in the Grand Duchy, Reding told POLITICO that although the GDPR has become a de facto global privacy standard, its enforcement was uneven.

“For a regulator, it’s easier to control the local football club than a worldwide company. We should leave the local football club alone and focus on the real troublemakers,” Reding said, suggesting that regulators can more easily enforce against small local organizations than big multinational companies.

“The enforcement against systematic stealing of data for commercial or political purposes is somehow not so strong.”

A one size fits all approach for all EU states is just not working

Reding, who is a center-right politician, nonetheless suggested that reform to centralize enforcement of the GDPR could help rein in powerful tech companies. 

A patchwork of national and regional regulators currently enforce the code. But that arrangement is problematic because of a rule that obliges the regulator in the company’s “home country” to be the one in charge of applying the law. That means Luxembourg and Ireland’s data protection authorities are responsible for almost all Silicon Valley giants.

“I really plead for reform of the enforcement,” she told POLITICO. “Enforcement should be more centralized for big affairs.” Criticism of the mechanism focuses on the perceived lack of enforcement by Ireland and Luxembourg against the biggest digital players. So far, the two diminutive nations have only managed to execute one single fine against a tech platform between them. That fine was levied by Ireland on Twitter, and amounted to a modest €450,000 penalty.