The GDPR at five: Great expectations, middling results and an uncertain outlook

26 May 2023 14:59

For some in the tech policy arena, May 25, 2018, sticks in the memory like a loved one’s birthday. And it was a birthday, but of the General Data Protection Regulation — perhaps the EU’s most contentious and high-profile law to date.

Data protection has been regulated at the EU level since 1995, but the GDPR heralded big-ticket fines, imposed new obligations on how individuals’ personal data should be collected and processed, and gave watchdogs new powers to bear down on companies when they failed to meet those requirements.

Many saw it as a long-needed opportunity to take the fight to Big Tech companies, such as Meta Platforms (or Facebook as it was then) and Google.

Its place in the popular imagination was cemented by the Cambridge Analytica scandal, when data from 87 million Facebook users was improperly leaked to third-party apps, news of which broke only two months before the GDPR came into force.

For its supporters, the law is a shining example of the “Brussels effect,” in which EU rules set a high bar that is then emulated by countries around the world. On the other side of the fence, critics tarred it as typical EU humbug, squashing innovation in favor of complicated rules and burdening small businesses with heavy regulations.

The reality is somewhere in between. Companies do find it hard to understand all the rules, some of which are unclear or subjective, and so behave more cautiously, but it has not discernibly crimped the tech sector, which continued to grow bullishly until a recent slump caused by wider geopolitical factors.

At the same time, it has served to rein in Big Tech on how they seek users' consent for cookies and has punished companies for data breaches. Nevertheless, critics say efforts to penalize privacy lapses have been hampered by the GDPR’s system of cross-border enforcement and a regulatory bottleneck in Ireland, where most US tech giants have their EU headquarters.

Big Tech

Unlike new EU tech-focused laws such as the Digital Services Act and the Digital Markets Act, the GDPR applies in more or less the same way to every company. And even though it wasn't explicitly targeted at Big Tech, many framed it as such.

Privacy campaigners soon complained to data regulators about the sector — mostly about Facebook and Google, but also Amazon, the companies that prop up the digital advertising sector, and more recently TikTok.

For those looking to target Big Tech, there have been some success stories. Google was quickly fined 50 million euros. Meta Platforms has been forced to change its legal basis to process data for targeted advertising; TikTok had to do a U-turn on the same issue. IAB Europe, a group at the center of the adtech world, faced strict enforcement (the case is under appeal in Belgian and EU courts), and Amazon was told to pay three-quarters of a billion euros. Most recently, Meta was this month told to pay 1.2 billion euros and to stop transferring data to the US.

Detractors are quick to point out that even fines in the hundreds of millions of euros — perhaps even Meta's record 1.2 billion euros — are a drop in the ocean for globe-spanning Big Tech titans. They want structural change and a root-and-branch change to how adtech works. Those changes are far from being realized.

One-stop shop

Most of the complaints about GDPR enforcement are focused on one regulator, the Irish Data Protection Commission. Under the GDPR's “one-stop shop” rules, the major burden of enforcement has fallen on the shoulders of Helen Dixon, the watchdog's head.

Dixon has faced a significant amount of criticism since the GDPR came into force. The complaints have mostly been about the length of time it takes to get a decision, the opacity of the process, and an allegedly weak enforcement track record.

The European Data Protection Board, which steps in to adjudicate cross-border cases when regulators can’t agree, has overruled the Irish watchdog on multiple occasions. Critics say this is evidence that Dixon’s authority is consistently getting decisions wrong.

Its outlier position is particularly jarring when it comes to the question of which legal basis Meta can use for targeted advertising, but Dixon and her team insist that interpretation naturally differs and is not a cause for concern.

The criticism does not appear to have fazed Dixon, who runs ultramarathons in her spare time. Occasionally willing to speak out in defense of her agency’s record, she has mostly stuck to the line that enforcing a complicated law against some of the world’s biggest companies is time-consuming and difficult, and that she’d prefer to spend her time doing that than squabbling.

The next five years

It is hard to say what the state of the GDPR will be in another five years’ time. The European Commission is consulting on procedural reforms meant to grease the cogs of cross-border enforcement, and Brussels is awash with talk of full-blown reform of the law when the next commission administration is established in 2025.

Even if the text of the law stays much the same, case law at the EU’s top court is constantly developing, including on crucial interpretations, such as the meaning of "legitimate interests" for processing data and the threshold for harm from GDPR violations.

Research by the International Association of Privacy Professionals has compiled a total of 32 EU Court of Justice rulings on the GDPR since it came into force, with 16 more expected this year.

Given these uncertainties, the safest prediction — and not a hard one to make — is that the GDPR will remain deeply controversial in policy circles while also continuing to be a monolithic compliance issue for company lawyers.

GDPR BY THE NUMBERS

GDPR enforcement remains a subject of deep relevance to businesses, and increasingly so as their exposure to digital markets grows.

The number of fines has steadily increased year-on-year since it came into force in May 2018. That year there were just 13 fines, but in subsequent years 172, 455, 544, 697, and 176 so far in 2023. The cumulative value of those fines has also grown each year, from 2018's total of 557,380 euros to 60 million euros, 172 million euros, 1.08 billion euros, 1.26 billion euros, and 1.23 billion euros so far this year.

The figures are skewed hugely by a few large fines in the tech sector, most notably 746 million euros against Amazon in 2021, and now Meta's 1.2 billion-euro fine this year — the first billion-euro fine to be imposed. Meta has been by far the most-fined company, with previous chart-busting fines including ones of 405 million euros, 390 million euros and 265 million euros.

Before Meta's record fine, 2023 had been shaping up as a quiet year, with the total value of fines in the first quarter almost a seventh of that in the same period last year and a quarter of that in 2021, according to the MLex GDPR enforcement tracker, hosted by LexisNexis.

Cumulatively, there have now been a total of 2,057 GDPR fines, totaling 3.8 billion euros. The Spanish data protection authority is by far the most active regulator, issuing 748 fines — although mostly at a low level: they add up to just 56 million euros.
