It was meant to be the ultimate shield protecting EU citizens and their data from the tentacles of the big data giants, especially those from the USA: on May 25, 2018, the EU General Data Protection Regulation (GDPR) came into force.
One goal of the GDPR was to uniformly regulate the rules for the processing of personal data by Google, Facebook, and similar platforms. Another motivation was to ensure the free movement of data within the European internal market.
Four years after its implementation, the conclusion is mixed. The GDPR is most visible to EU citizens when they visit websites and have to click away cookie warnings before they can finally see the desired content. Has the GDPR really made a difference, many ask.
“The past four years have shown that a law alone does not change business models that are based on the abuse of personal data and a culture within the privacy profession that is often focusing on covering up non-compliance. After a first moment of shock, a large part of the data industry has learned to live with GDPR without actually changing practices. This is mainly done by simply ignoring users’ rights and getting away with it,” says Europe’s best-known data protection officer, Max Schrems from the NGO noyb. He became world-famous through his lawsuits against Facebook over the US company’s handling of user data, but he has also experienced how infinitely tedious such proceedings are.
GDPR: A basis for billions in fines and product changes
It should also be noted that heavy penalties were imposed on some companies on the basis of the GDPR, especially in the last year. The fines reached more than one billion euros in 2021. Two examples: in July, Amazon Europe Core S.à r.l. received the highest fine, €746 million. Later, in September, the EU imposed a fine of €225 million on WhatsApp Ireland Ltd., the second-highest fine in GDPR history.
Changes have also become noticeable in the largest web products in the world. For example, Google has redesigned its widely used analytics tool Google Analytics and will enable users to reject all cookies with one click for two of its main products (Search and YouTube).
“Data protection authorities have lost the upper hand on the digital sphere”
Has the GDPR arrived in everyday life? Not really. A recent survey by the opinion research institute YouGov on behalf of the online services GMX and Web.de shows that half of the respondents are annoyed by the constant cookie queries. 14% even say they don’t care about the consent banners: “I just click anything.” Two-thirds of respondents have not yet exercised the data rights that the GDPR gives them.
Data protector Schrems does not see any improvements, but rather a downward spiral. “The GDPR has not (yet) managed to get out of a pre-existing condition: a downward spiral of more and more non-compliance and non-enforcement. Just like when parts of a city become a criminal ‘no go’ zone that is abandoned by police, it seems that many data protection authorities have lost the upper hand on many areas of the digital sphere,” Max Schrems writes.
“Companies realize that competitors do not comply and that acting legally does not pay off. The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.” And further: “The time is pressing and it seems that we are approaching a situation in which the GDPR will be fully ignored – just like the previous EU Data Protection Directive of 1995.”