On the Third Anniversary of the GDPR, Has Data Privacy Actually Improved?

When the General Data Protection Regulation (GDPR) was introduced across the EU on May 25, 2018, it was hailed as the dawn of a brave new era for online data protection. Now three years later, the regulation has been widely criticized for failing to live up to its expectations and to date has only dispensed a handful of fines.

Leading privacy advocates such as Max Schrems of the noyb non-profit data privacy organization have openly criticized the regulation, stating that “the GDPR has not achieved broad compliance […] The hefty fines and serious enforcement that the GDPR should have brought in 2018 did not materialize in practice […] 40 years after the right to data protection was established on a European level, we still see vast violations every day we use our computers and phones.” Renowned privacy expert Johnny Ryan describes adtech as being allowed to carry out the “biggest ongoing data breach of all time” and blames the Irish DPC for letting it happen.

Yet despite the relative lack of GDPR compliance and inadequate enforcement, the regulation is considered by many as a resounding success for data privacy.

In a wider context, the tech environment has also undergone some seismic shifts since 2018. Companies are working with previously unfathomable scales of data, and the data ecosystem is becoming increasingly complex. Global digitalization is also rising at an exponential rate, and individuals’ lives are becoming more and more ‘datafied.’ Add to the mix the macro effect of widespread internet misinformation, COVID-19 and the end of third-party cookies, and it’s more vital than ever for brands to show that they respect the fundamental rights of their consumers. For online businesses, this involves building a holistic and adaptive privacy program across the organization and being proactive in ensuring compliant data processing practices.

To dive deeper, let’s explore the actual impact GDPR has had and where the global privacy movement goes from here.

How has the GDPR fallen short?

Despite the lofty expectations, the GDPR has so far failed to live up to its promise of re-sculpting the online landscape. Here’s how:

1. Ineffective cookie banners: The ability to accept or refuse cookies has come under considerable scrutiny, as has the consent model, which was tackled by the CNIL in April 2021.

2. Big Tech cobweb: Although it’s possible for users to have an overall idea of the activities of the walled gardens, it’s unlikely they can comprehend their infinitely complex programmatic ad networks or the endless and intentionally confusing legal documentation surrounding data processing and consent.

3. Regulatory ambivalence: There has been minimal enforcement so far from the UK’s ICO regulator, while the Irish DPC has proven unable to deal with the 6000+ GDPR complaints per year.

4. Lack of DPA coordination and resources: Ineffective cross-country collaboration and a lack of available resources have slowed down breach investigations, making it harder for the various European authorities to work together efficiently.

5. Lack of training: There is still no certified GDPR training course. The International Association of Privacy Professionals is seen as the global gold standard, but it has not been approved by the regulator.

6. Lack of fines: Out of 160,000 data breach notifications, GDPR fines have mostly been handed out to large companies and only for critical data processing errors. This includes Google’s €50M fine for lack of transparency (0.000275% of their $182B turnover in 2020) as well as British Airways and Marriott (£20M and £18.4M, respectively) for poor security arrangements.

7. No interruption to the business of data: Ireland’s ‘one-stop-shop’ – namely where several major tech players including Apple, Facebook, Google, LinkedIn, TikTok and Twitter have their European headquarters – continues unabated, and there have only been limited attempts by the Irish DPC to investigate their data processing activities. Many call these companies’ practices into question: they are equipped with expensive litigation lawyers (and ‘privacy engineers’), and not only benefit from attractive business rates but effectively operate in a GDPR-proof environment.

8. Privacy washing: Although the GDPR started the conversation on privacy, it led to companies merely leveraging their privacy credentials to create a commercial advantage and boost brand reputation.

How has it been beneficial?

Although there’s clearly a ways to go, the GDPR has set the goal posts for the long-term future of data privacy on the Internet. Here’s what it’s achieved:

1. Legal centralization: The GDPR introduced the concept of a single overarching data protection law. This notion is now being applied to regulations worldwide, including in the US with the CCPA.

2. Full user control: The ability of users to view, delete and download their personal data was totally unimaginable before the GDPR.

3. Data-sharing information transparency: Businesses now have to display every company they are sharing user data with as well as how they will use it. The GDPR has thus exposed adtech data-sharing practices and gives researchers, journalists or privacy organizations the ability to highlight dubious players.

4. Legal consent: The GDPR introduced the necessity to provide legal consent for tracking as well as a general awareness of the invasive nature of third-party cookies.

5. Data breach warnings: Since 2018, there have been almost 160,000 data breach notifications across the EU. This is a huge increase on pre-GDPR figures, which demonstrates that breach reports are far more likely with strict rules in place.

6. Clear fining system: Over 120 fines have been issued so far on companies for inefficient security measures. Although far less than the maximum fine amount, they are clearly published by DPAs and act as an effective deterrent.

7. Individual class action: Privacy lobbyists such as Max Schrems have proven the effectiveness of individual players taking legal action and paved the way for the future.

8. Impact on the global privacy movement: The GDPR has brought the topic of data privacy to global attention and sparked a range of new international policies, notably in the US with the CCPA.

So, has the GDPR been a data privacy gamechanger?

Despite various drawbacks in its first three years, yes it has. The GDPR has displayed phenomenal ambition by aiming to regulate nothing less than the entirety of personal data processing in Europe. In this way, it stands out from all other global data privacy initiatives for the sheer breadth of its scope.

Three years into the regulation, the GDPR has boosted global awareness of data privacy and serves as the fundamental, worldwide text of business reference when it comes to the protection of personal information.

According to Ross McKean from global law firm DLA Piper, which produces the internationally renowned Data Breach Survey: "The GDPR has driven the issue of data breach well and truly into the open. The rate of breach notification has increased by over 12% compared to last year's report and regulators have been busy road-testing their new powers to sanction and fine organizations."

Given all that the various national regulators and businesses have done to understand the GDPR and everything it requires, the regulation has made an unprecedented and lasting impact. It has become the global data privacy benchmark.

What does the future hold?

Given the global impact of the GDPR and data privacy movement so far, Internet user rights are poised to make significant progress going forward — especially if the long-anticipated e-privacy regulation comes into effect.

Since 2018, there has been a wave of privacy regulations introduced around the world, and IBM has stated that 75% of firms now identify data privacy as a long-term strategic priority. According to Gartner, by 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations.

As DPAs across the EU become more effective, enforcement of the GDPR will likely increase and become more sophisticated. While enforcement in the first three years was driven by either data subject complaints or privacy breaches, DPAs such as the French CNIL are now starting to be more proactive by approaching companies directly to assess GDPR compliance. This can only grow in the future.

Another important legal milestone for data privacy since 2018 is the ability of individuals to file class actions for GDPR breaches. Notably spearheaded by Max Schrems, the impact of such lawsuits on the interpretation of the regulation will expand over the next decade.

The introduction of the CCPA in 2020 has shown that the GDPR is not the only approach to privacy and has spawned a wave of similar regulations across the US. It has also set up California as a potentially dominating force in the future of data privacy by demonstrating that “Privacy first must be the mindset for [Silicon Valley] organizations moving forward.”

The next challenge will be to enable companies to create globally compliant data protection regimes to facilitate the international and legal flow of personal information. This will not only boost consumer trust in online publishing but benefit the entire future integrity and prosperity of the internet economy.