Did GDPR work?

  • Published: 28 October 2022

The introduction of the GDPR legislation in Europe in 2018 changed the way that we talk about data and privacy. But many argue that the GDPR protections are theoretical, with bloated complaints systems and governments unable to take action. Even worse, some company directors have complained that they are cautious about breaching GDPR, given the severity of fines, and that, in turn has stifled innovation with data.

Did GDPR work

Delays processing complaints

Europe was no stranger to privacy protection laws when GDPR launched in May 2018. As early as 1995, Europe already had the EU Data Protection Directive (DPD). GDPR was an extension of existing rights, but its fair to say that the punitive threats that came with it caught everyones attention.

GDPR has proven hard to enforce. All complaints tend to be directed to the governing body of the country where the offending company has its European headquarters. Luxembourg, for example, has a tiny population of just over half a million, smaller than most town councils. This small nation state has to process all the privacy breach complaints that come in against Amazon across the whole of Europe. Ireland is slightly larger, with a population of 5 million, but the country hosts the headquarters for Meta (Facebook), WhatsApp, Instagram, Google, Airbnb, Yahoo, Twitter, Microsoft, Apple and LinkedIn. Backlogs in processing complaints have, understandably, been common.

Some steps forwards

This is not to say that GDPR has been ineffective. Many companies around the globe now carry out more responsible data privacy practices, through adopting European best practice standards. The fines have started fulfilling those earlier threats, too, reaching news-worthy heights. Luxembourg has slapped a 746 million Euro fine on Amazon. Elsewhere, WhatsApp are facing a bill for 225 million Euros. Both businesses are currently challenging these rulings.

More significantly, legal cases in Belgium may get to the heart of the GDPR principles. A ruling was passed earlier this year against Interactive Advertising Bureau Europe (IAB Europe). This data broker introduced cookie consent banners that were blatantly in breach of GDPR, creating a set of complicated guidelines that established a series of loopholes that were big enough to let data slip through to their harvesters without consent. IAB Europe are also contesting this ruling, but if its upheld, it will change the nature of online advertising in the region. EU nation states appear to be getting tougher in enforcing compliance, even if it has taken time to get on top of the laws.

Has GDPR been bad for business in the EU?

One of the strongest accusations against the GDPR was that compliance would stifle innovation, putting EU companies at a competitive disadvantage. The jury is still out on this one as it may simply be too early to reach conclusions. It is almost certain that companies limited their activities to ensure that they were compliant in the early days. But that says little about the long term impact.

In reality, GDPR compliance falls into two camps. The first, protections against theft, enforced through anti-hacking technologies, can only be a good thing. There is evidence beginning to emerge that stricter regulation leads to trust and that, in turn, is a requirement for public acceptance and growth.

The second, requirements when processing data, are not that complicated. Almost no processing is actually illegal as long as the process is clearly shared, and data agreements adhered to. It seems unlikely that this will stifle lawful use of data, but there are gaps in our understanding of the costs of compliance and any subsequent benefits.

GDPR is still an evolving legislative experiment, as nations work out how to enforce it, and time will show us more.