Jun 9, 2021 - Technology

The EU privacy law's track record

Illustration: Aïda Amer/Axios

Today, most users know the EU's General Data Protection Regulation chiefly through the pain of having to click a box about cookie policies on every new website they visit.

Yes, but: Privacy experts tell Axios the EU's rules governing how corporations manage people's online data have had deeper impacts in three areas: company behavior, people's expectations and knowledge of how their data will be treated, and adoption by other nations and regions.

1. GDPR has changed the way businesses think about and handle user data.

  • GDPR has spread the message that companies need to map, inventory and account for their customer data, with processes in place to manage and store it.
  • "It's been helpful and effective in conveying a strong message to companies that privacy and data protection should be an important corporate responsibility," said Omer Tene, vice president of the International Association of Privacy Professionals.
  • That message has impacted conversations around the world. "You saw a significant number of American companies adopting GDPR as their standard in order to have one single compliance program worldwide," said Cameron Kerry, distinguished fellow at the Brookings Institution Center for Technology Innovation.

2. Consumers in the U.S. now have higher expectations about online privacy, as American companies adopted GDPR standards.

  • Americans have noticed that Europeans have privacy rights they do not. But they don't necessarily feel more protected with GDPR in the world.
  • "I think the fact that corporations have their house in order benefits consumers at the end of the day, but it's not the direct link one thinks about when you're talking about tracking or more privacy," said Tene.
  • The Pew Research Center found in 2019 that 6 in 10 U.S. adults feel like they're being tracked constantly, and a majority polled were concerned about how personal data was being handled by companies and the government.

3. GDPR inspired copycat legislation and bills both globally, in countries like Brazil, India and China, and in U.S. states including California and Washington.

  • It also caused new headaches for companies that must exchange data across borders.

The big picture: "From a policy impact perspective, GDPR succeeded in becoming sort of the lingua franca of privacy and data protection around the world," said Tene.

The other side: Critics have viewed GDPR as an exercise in compliance and "box-checking," with not enough focus on outcomes. Small businesses in Europe are struggling to comply with it. And it may already be outdated.

  • "Because GDPR is so focused on compliance and accountability on a one-size-fits-all basis, it becomes very much about that, and not about assessment of risks and understanding of the user's expectations," said Kerry.
  • Changes in how companies track users via targeted ad tech have called GDPR's effectiveness into question.
  • The data law is already out of date and must be re-shaped for a post-COVID world, Axel Voss, a German member of parliament who helped shape GDPR, told the Financial Times in March. He said GDPR was not written for emerging technologies like blockchain and facial recognition or widespread remote work.

By the numbers: GDPR penalties have added up over three years, but rarely enough to make a big difference to multinational mega-companies.

  • Google was fined 50 million euro (about $61 million) in 2019, clothing company H&M was fined 35 million euro (about $43 million) in 2020 and British Airways was fined 20 million pounds (about $28 million) in 2020, according to the BBC.
  • Since May 2018, 661 GDPR fines of a total of 292 million euro (about $356 million) have been issued by European data protection authorities, according to research by firm Privacy Affairs.
