The Global Data Rights Enforcement Gap
Data Protection and Artificial Intelligence Authorities Need Stronger Tools
In today's interconnected world, enforcing data protection decisions across borders is becoming increasingly critical — and increasingly difficult.
Take, for example, the case of Clearview AI. In March 2022, Italy's data protection authority (Garante) fined Clearview €20 million for breaching the EU's General Data Protection Regulation (GDPR) (as reported in English by TechCrunch; the Garante's press release is in Italian). Clearview AI, a U.S.-based company, had scraped billions of images from the internet to fuel its facial recognition database, processing personal data without consent and ignoring European privacy rights. Yet despite the sizeable penalty, the company has apparently ignored the fine [1]. The company's CEO maintains that it is not subject to GDPR, and it remains unclear whether Italy's decision has had any practical effect on Clearview's operations. Enforcement across jurisdictions, particularly when the infringing company has no real presence in the country issuing the decision, is slow, complex, and often toothless.
The problem doesn't stop with GDPR enforcement. At the recent IAPP Global Privacy Summit 2025, artificial intelligence regulators from Canada, the United Kingdom, and the European Union highlighted the growing challenge of cross-border regulation. All three jurisdictions have frameworks intended to protect individuals from abuses of AI and personal data. However, the regulators agreed that while their legal tools are strong on paper, they often falter when companies operate internationally and enforcement must transcend national borders.
In practice, if a regulator in one country issues a penalty or corrective order against a foreign company, there is no guarantee that the company will comply unless it has assets or business operations in the enforcing jurisdiction. This reality undermines both the effectiveness of data protection and artificial intelligence laws and the trust of individuals who expect their human rights to be protected no matter where their data travels.
The Need for an International Enforcement Agreement
Without a coordinated international framework, enforcement efforts risk being patchy and symbolic. Regulators may issue hefty fines and orders, but without mechanisms for mutual recognition and enforcement across borders, companies can sometimes ignore them with impunity.
We urgently need an international agreement on enforcement mechanisms. This agreement should enable data protection authorities to cooperate effectively, recognise each other's decisions, and, where necessary, compel compliance across jurisdictions. It should also ensure that enforcement actions are fair, transparent, and respect the due process rights of all parties involved.
Such a framework would not only strengthen the protection of personal data globally but would also level the playing field for companies that invest seriously in compliance and responsible data practices. Without it, the risk is clear: data protection becomes a paper tiger, strong in theory but weak in practice.
It's time for the international community to close the enforcement gap before it widens even further.
[1] Reported at https://iapp.org/news/a/gps-2025-how-three-ai-regulators-view-cross-border-regulation

