
After 5 years of GDPR, are your privacy rights better protected?

Ray Fernandez

Jul 17, 2023 · 13 min read


May 25 marks the fifth anniversary of the General Data Protection Regulation (GDPR) becoming enforceable. The regulation was adopted by the EU in 2016 and began to apply on May 25, 2018, two months after the Cambridge Analytica scandal broke. Cambridge Analytica shocked the world when the firm was accused of illegally using data from millions of Facebook users to manipulate voters in the 2016 United States election and the Brexit vote, and of running some 100 campaigns in more than 30 countries on five continents.

Many believe the world has come a long way since the Cambridge Analytica scandal. The GDPR was meant to put an end to illegal data collection and to the use of personal data without consent. But has it?

Moonlock spoke to data privacy firms and experts for inside-the-industry views on the real impact of the GDPR. Our investigation also revealed that despite positive progress, the GDPR system is oversaturated, backlogged, and overwhelmed, and it struggles to enforce the law beyond EU borders. What follows is everything we uncovered. 

Cameras surveying pedestrians in the street. Source: Unsplash

For most people worldwide, never-ending “Accept Cookies” banners are the only visible impact the GDPR has had on how they navigate the web. Cookies that are not strictly necessary for a service to function may only be set once the user has given explicit consent. Strictly speaking, the cookie rule itself comes from the EU ePrivacy Directive; what the GDPR contributes is the definition of valid consent, which must be freely given, specific, informed and unambiguous, so a pre-ticked box or continued scrolling does not count. The result is an endless stream of cookie banners that cause consent fatigue, affecting web traffic and engagement, and many users click “accept” without much thought simply because they are bombarded with requests.

According to a recent academic study, GDPR policies and mandatory cookie consent have led to an average reduction in web traffic of approximately 10%. Without cookies, websites have less information about their users, and their ability to engage them drops, since traffic and engagement figures often depend on how precisely individual users can be targeted.
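To make the consent rule above concrete, here is an added example of a deny-by-default, consent-gated cookie setter. It is not code from the article or from any of the firms quoted in it; the cookie names, their categories and the cookie attributes are assumptions chosen for illustration, and the in-memory cookie jar stands in for document.cookie so the snippet runs under Node without a browser. The points it demonstrates are the ones a reviewer would check for: nothing but strictly necessary cookies is written before an explicit opt-in, a missing decision is treated as a refusal, unclassified cookies are refused outright, and withdrawing consent purges the cookies set under it.

```javascript
// Added example, not code from the article or from any vendor quoted in it.
// Cookie names, categories and attributes below are assumptions.

// Classify every cookie the site can set. Only "necessary" cookies may be
// written without consent; anything unclassified is refused (fail closed).
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",
  ad_id: "marketing",
};

// Minimal in-memory stand-in for document.cookie so the example runs under
// Node without a browser (constructed for this example).
function createCookieJar() {
  const jar = new Map();
  return {
    set: (name, value, attrs) => jar.set(name, { value, attrs }),
    remove: (name) => jar.delete(name),
    names: () => [...jar.keys()],
  };
}

// Consent record. The initial state is "no decision", which is treated
// exactly like a refusal: silence, scrolling or a pre-ticked box is not consent.
function createConsent() {
  const granted = new Set();
  return {
    grant: (category) => granted.add(category),
    withdraw: (category) => granted.delete(category),
    allows: (category) => category === "necessary" || granted.has(category),
  };
}

// Returns true if the cookie was written, false if consent is missing.
// Throws for cookies that were never classified, so a new tracker cannot
// slip in unreviewed.
function setCookie(jar, consent, name, value) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) {
    throw new Error(`refusing unclassified cookie: ${name}`);
  }
  if (!consent.allows(category)) {
    return false;
  }
  jar.set(name, value, "Path=/; Secure; SameSite=Lax");
  return true;
}

// Withdrawal must be as easy as giving consent, and the cookies already
// written under that consent go with it.
function withdrawConsent(jar, consent, category) {
  consent.withdraw(category);
  for (const name of jar.names()) {
    if (COOKIE_CATEGORIES[name] === category) {
      jar.remove(name);
    }
  }
}

// Walk through one visit: before any decision, after opting in to analytics,
// after withdrawing that opt-in, and an attempt to set an unclassified cookie.
function demo() {
  const jar = createCookieJar();
  const consent = createConsent();
  const beforeConsent = {
    session: setCookie(jar, consent, "session_id", "s3cr3t"),
    analytics: setCookie(jar, consent, "_ga", "GA1.1.1234"),
  };
  consent.grant("analytics");
  const afterOptIn = setCookie(jar, consent, "_ga", "GA1.1.1234");
  const afterOptInCookies = jar.names();
  withdrawConsent(jar, consent, "analytics");
  let unclassifiedRefused = false;
  try {
    setCookie(jar, consent, "new_tracker", "x");
  } catch (e) {
    unclassifiedRefused = true;
  }
  return {
    beforeConsent,
    afterOptIn,
    afterOptInCookies,
    afterWithdrawal: jar.names(),
    unclassifiedRefused,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is the classification table: a site that cannot say which category a cookie belongs to cannot know whether it needs consent, so the safe behaviour is to refuse it rather than to set it and hope. In a real deployment the same gate would wrap the script tags that load third-party analytics and ad SDKs, not only first-party cookie writes.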

But beyond web traffic and cookies, does the GDPR actually help to protect users’ personal data online? “Well, the answer is as clear as a foggy day in London — it’s a resounding yes, a hesitant no, and a shrug-worthy, ‘it depends,’” Jamal Ahmed from Kazient Privacy Experts told us. 

“GDPR has certainly increased transparency in data collection and made companies more accountable for their actions,” Ahmed said. “But, much like a well-intentioned superhero, its enforcement has faced its fair share of kryptonite. A backlog of legal processes and limited resources have left the system saturated, allowing some data-siphoning villains to evade capture.”

Privacy experts on the achievements of the GDPR 

Despite its many challenges, there is no doubt among experts that the GDPR has set precedents worldwide and signaled a clear path toward privacy standards. Ahmed describes the goal as, “A world where your digital breadcrumbs are more likely to be treated with the respect they deserve.”


“With the introduction of the GDPR, the bar in the worldwide data protection landscape has been heightened, which eventually has led to better protection of privacy and data protection of individuals,” the team from TechGDPR told Moonlock.  

That said, TechGDPR recognizes that the law itself, as well as its implementation and enforcement, is certainly not perfect. “However,” they said, “the signal has been strong, and privacy laws in many other places were enacted as well.” 

From state privacy laws in the US to laws in Thailand, South Korea, South Africa, Japan, India, Israel, China, Chile, Brazil, Canada, and many others, jurisdictions on every continent have enacted data privacy laws inspired by, or comparable to, the GDPR.

“In the realm of data privacy, GDPR has been a bit of a trailblazer,” Ahmed said. “Like a pied piper of privacy, it has led the charge toward more robust protections around the globe. Thanks to GDPR, we’ve seen a rise in transparency, user control, and a general shift in attitude toward the value of personal data.”

Direct and indirect impacts on data privacy

Ojas Rege, General Manager of Privacy and Data Governance at OneTrust, also weighed in on the matter of the GDPR’s influence. “The GDPR was a key milestone in increasing consumer awareness of privacy and providing a forcing function for organizations to act.”

Rege explained that the GDPR has had direct as well as indirect impacts. “The direct impact is that it shifted the approach companies were taking to protect personal data and forced them to institute controls they did not have, or may not have been prioritizing, before the GDPR,” Rege said. 

On the other hand, as an indirect impact, the GDPR increased consumer awareness and interest in privacy and transparency.

“Today, people are more knowledgeable, confident, and powerful in demanding to know how their personal data is used,” Rege added. “They expect companies to be held accountable for the irresponsible use of data.”

Tim Bell, Founder and Managing Director of DataRep, agreed on the positive impacts but highlighted shortcomings. “Yes (the GDPR has had impacts), although enforcement remains a challenge,” Bell said. “That’s because of the scale of data abuses which are being undertaken.”

“It would be a benefit for the authorities to have more resources to enforce GDPR,” Bell added, “but the enforcement (and the efforts of many businesses to become compliant) put EU data subjects in a better position than they would have been without GDPR.”

Highest GDPR fines by sector. Source: Enforcementtracker.com, provided by CMS Law.Tax

Why data privacy abuse is still rampant

Unfortunately, social media, smartphones, and the spread of wearable smart devices give bad actors ever more ways to surveil people’s lives and harvest data. And some argue that whatever impact the GDPR is having, it is not being felt by the data industry and data brokers, who routinely breach it.

Are big tech, government, and data brokers — the three main sectors linked to GDPR and data privacy abuse — coldly calculating the costs of breaching the GDPR against the value of continuing to do business as usual? 

According to Transparency Market Research, the global data broker market is booming. It was valued at $240.3 billion in 2021 and is expected to nearly double, reaching $462.4 billion by the end of 2031.

“Indeed, it seems that some companies may be playing a game of digital Russian roulette, weighing the potential costs of breaching GDPR against the benefits of carrying on as usual,” Ahmed said. “It’s a high-stakes gamble and one that could come back to haunt them. Only time will tell if these cookie-slinging daredevils will face the consequences or continue to fly under the radar.” 


TechGDPR took a somewhat different perspective. “Sometimes this may indeed be true, but at TechGDPR, we experience more often that companies simply don’t understand how to implement cookies in a compliant manner more so than accepting the fine risk.”

In the US, where any company that offers goods or services to people in the EU, or monitors their behaviour, must abide by the GDPR regardless of those people’s citizenship, the proposed American Data Privacy and Protection Act is gaining bipartisan support. Lawmakers have made the data broker industry, which operates largely in the shadows, a top priority.

“Every seemingly innocent click online could leave Americans vulnerable to having their private data sold to a horde of marketers, researchers, and, potentially, bad actors,” said the US House Energy and Commerce Subcommittee on Oversight and Investigations on April 19, 2023. These words opened the hearing “Who is Selling Your Data: A Critical Examination of the Role of Data Brokers in the Digital Economy.”

Justin Sherman, Senior Fellow and Research Lead of the Data Brokerage Project at Duke University’s Sanford School of Public Policy, gave a written statement to the committee. Sherman said that the data broker industry, which collects, infers, aggregates, analyzes, buys, sells, and shares data on individuals, is virtually unregulated. Sherman added that the industry “is a threat to civil rights, consumer privacy, personal safety, and national security.”

“The entire data brokerage ecosystem — from companies whose entire business model is data brokerage to the thousands of other apps, advertisers, tech giants, and companies that collect, buy, sell, and share Americans’ personal data — profits from unregulated surveillance of every American, particularly the most vulnerable,” said Sherman. 

The GDPR backlogs and painfully slow processes 

In the EU, data brokers and big tech continue to harvest people’s data and sell or share it without their consent or knowledge. The steadily rising number of GDPR cases shows as much, and the rate at which violations are reported has been overwhelming the system for several years.

GDPR fines from 2018 to 2023. Source: Enforcementtracker.com, provided by CMS Law.Tax

By 2020, the backlog and slow legal processes of the GDPR had become evident. GDPR complaints are not only highly complex legal proceedings but are usually aimed at big tech companies like Amazon, Microsoft, Google, Netflix, Spotify, Meta (including Facebook and WhatsApp), and other entities with practically unlimited legal and economic resources. 

These factors, added to a growing number of complaints and inefficient international cooperation processes, created a massive backlog that regulators like the Data Protection Commission (DPC) — the Irish supervisory authority for the GDPR — must deal with.

In March 2022, the DPC acknowledged that it had concluded only 65% of the cross-border cases it was handling, leaving some 400 outstanding. Not surprisingly, the DPC faces heavy criticism for its inability to keep up with enforcement.

This saturation pushed the European Commission to reform how GDPR cases are monitored across Europe. Following a complaint driven by the Irish Council for Civil Liberties (ICCL), the Commission announced that it would monitor the progress of all “large-scale” GDPR cases across the EU every two months.

The new system will not only examine the progress of each case but certain details, such as measuring how long each procedural step takes and what the relevant data protection authorities are doing to progress the case. 

“The GDPR has been both a blessing and a curse,” Ahmed told us. “It’s undoubtedly a step in the right direction, but there’s still a long way to go. Like a determined tortoise in a race against the hare, GDPR is plodding along toward a future where personal data is truly protected. Let’s hope it reaches the finish line sooner rather than later!”

Bell from DataRep also stressed the problems the GDPR has had in enforcing cases that require international cooperation, sharing with us a study on the enforcement of GDPR obligations against entities established outside the EU.

While the number of GDPR fines and their headline figures may seem impressive, the regulation caps a fine at 4% of a company’s global annual turnover (or €20 million, whichever is higher), and in practice most fines land far below that ceiling. For big tech, the proceedings often amount to little more than a slap on the wrist.

According to the GDPR Enforcement Tracker, as of April 2023 there had been a total of 1,602 fines, adding up to about €2.7 billion ($2.98 billion). Despite what many might think, most penalties are not for maliciously mishandled data but for noncompliant processing, such as processing without a sufficient legal basis.

Does the GDPR affect small and medium companies more than big tech?  

It is easy to imagine how a company like Amazon or Meta can survive, spin the reputational damage of a high-profile GDPR action, and pay multimillion-euro fines without issue. But can small and medium companies do the same? Is the GDPR fair and unbiased?

The TechGDPR team weighed in on this. They believe that authorities are proactive in building cases against large companies because these companies have wide-ranging privacy impacts on millions of users. 

“Smaller companies are not at greater risk since the fines are typically relative to the business size and revenue,” TechGDPR said. “We have the impression that fines and reputation damages are often heavier for big tech companies than SMEs.” 

Ahmed described the issue of small companies vs. large companies regarding GDPR as “the David and Goliath of the digital world.”

“While it’s true that larger tech companies can weather the storm of fines and reputation damage, smaller and medium-sized companies may struggle to stay afloat,” Ahmed explained.  

But Ahmed also recognized that the GDPR’s impact isn’t entirely one-sided. “The regulation has raised the bar for data privacy across the board, forcing all businesses — big and small — to reckon with the importance of safeguarding user data and build trust.”

Ahmed believes the GDPR is acting as a great equalizer, reminding the world that the responsibility to protect personal data knows no size limit.

Rege from OneTrust highlighted the boundaries that the GDPR sets for companies wanting to become data-driven. “Every company wants to be data-driven, leveraging data to make informed decisions and drive new, competitive insights,” Rege said. “But the most important data set they have — personal information — is also the riskiest because cyber criminals covet it, and misuse negatively affects the lives of individuals.” 

Rege concluded that with the GDPR, all companies realized that business disruption, financial penalties, reputational damage, and loss of trust would increasingly become the consequences of getting privacy wrong.

What can citizens do when laws fail to protect their privacy rights?

Past and recent events reveal that big tech and data brokers are not the only ones breaching people’s privacy rights. Government breaches are abundant, and given the civic responsibilities governments carry, those breaches are especially serious. In 2022 alone, Amazon admitted to handing Ring camera footage to police 11 times without the owners’ consent or a court-issued warrant.

Unfortunately, the Amazon Ring cases are not isolated incidents. Since the introduction of the Patriot Act in 2001, US citizens have been subject to widespread surveillance that critics have called unconstitutional and unethical. The practice is broadly replicated in other countries under national security or criminal investigation pretexts.

From the military buying data to health authorities like the CDC buying location data on millions of users to monitor compliance with COVID lockdown orders, government privacy breaches are rampant.

So what can users do if the GDPR and similar laws cannot keep up with the pace and power of the top players in the digital world? What alternatives do people have?

“With enforcement challenges and gaps in the armor, the GDPR isn’t quite the data privacy champion we hoped for,” Ahmed said. “But fear not, for when the law fails, alternatives do exist.” 

“Users can engage the help of privacy advocacy groups or rally their peers on social media to demand change,” Ahmed added. “After all, sometimes it takes a village to protect our digital selves.”

“There’s also the option to engage in class actions, as we saw with British Airways,” Ahmed said. 

Class action suits and individual lawsuits against companies for breaching data privacy rights are trending toward an all-time high. Some of these, as Bloomberg reports, are inspired by actions linked to big tech product abuse. 

The Norton Rose Fulbright 2023 Annual Litigation Trends Survey revealed that one-third of respondents reported experiencing litigation in the areas of cybersecurity, data protection, and data privacy in 2022. Data privacy and security ranked as the second-highest area of future concern for class actions and the number-two area in which respondents expect dispute exposure to increase over the next 12 months. 

AI, GDPR, and the future of data privacy  

The team at TechGDPR says that the solution is not to fight against new technologies but to harness their potential to prevent violations of laws. “AI has great potential to help educate people about their rights and how they can defend themselves against violations,” TechGDPR said. 

“So a chatbot like ChatGPT, for example, can help people figure out what steps they need to take if they feel their privacy rights are violated,” TechGDPR said.

AI can also be used to pre-filter complaints and help with the collection of evidence to make a fair and educated decision about every case.

Rege, General Manager at OneTrust, agreed that AI’s role will grow. “As the data economy becomes more complex with automated decision-making and generative AI,” Rege said, “this movement toward responsible design and development can contribute substantially to addressing the privacy, security, and ethical risks of AI as well.”

The way users consume digital services and products can also be a determining factor. The Cisco 2022 Consumer Privacy Survey found that 76% of consumers would not buy from a company they did not trust with their data.

“Accountability drives behavior, but regulatory enforcement can only go so far in driving accountability,” Rege said. “Compromising privacy is one of the fastest and most public ways to lose trust.”

Can the GDPR become irrelevant as technology advances? Bell from DataRep says no, adding that the GDPR is technology-agnostic and designed to move with technology as it develops.

“Those who claim the GDPR is outdated usually do so because they don’t think their ‘new tech’ should have to meet the same standards as everyone else,” Bell said. Bell added that the GDPR is not toothless when it comes to AI, for example. “The GDPR is as effective with AI as it is everywhere else, where that AI involves the processing of EU personal data.”

OneTrust remains positive about the future of data privacy regulations. “2023 is shaping up to be an incredibly busy year for privacy regulation across the globe, especially in the United States, with numerous comprehensive state privacy laws now passed, and in the EU, with organizations grappling with the implication of the EU AI Act,” Rege said.

Rege says that the key for organizations is to focus less on whether “regulators can keep up” and more on establishing privacy as a pillar of trust and competitive advantage with customers, employees, partners, and stakeholders. “The primary value of getting privacy right is that the business requires it, not avoidance of penalties,” Rege said. 

Clearly, it is unlikely that the GDPR alone will provide the ultimate solution to all privacy rights problems. As the privacy experts and our investigation revealed, the GDPR’s shortcomings and inefficiencies are as significant as its achievements. All we can do is treat privacy regulation as the beginning of a journey still rife with obstacles, ups, and downs.

“GDPR’s journey is much like navigating a labyrinth filled with twists and turns,” Ahmed said. “Like a steadfast explorer charting unknown territory, GDPR continues to forge ahead, seeking to create a world where our digital footprints are guarded with the utmost care (apparently).”

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.