Editorial
16(5); 1-2

Is GDPR failing? A tale of the many challenges in interpretations, applications, and enforcement

University of Eastern Finland, School of Computing, Joensuu, Yliopistokatu 2, fi-80100, Joensuu, Finland

Address for correspondence: Dr. Mohammed Saqr, University of Eastern Finland, School of Computing, Joensuu, Yliopistokatu 2, fi-80100, Joensuu, Finland. E-mail: mohammed.saqr@uef.fi

Licence

This is an open-access article distributed under the terms of the Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Disclaimer:
This article was originally published by Qassim University and was migrated to Scientific Scholar after the change of Publisher.

Data have become a central part of our everyday lives. Whenever, wherever, and whatever we do, even in the slightest daily activity, we leave vast amounts of data on some server somewhere. A permanent record of our daily life is being created and stored with every interaction. Such records are being used, inter alia, to profile our behavior, predict our actions, and target our souls and minds. Among the many possible ways data can help us understand the world or create a better life, commercialization has been the leading one, and not in the best way we may wish.[1,2]

A long streak of high-profile privacy and ethical problems affecting almost all domains of our daily lives has prompted the world to respond with regulations that address society’s frustrations. The General Data Protection Regulation (GDPR) was the European Union (EU) regulation to address such privacy concerns and to respond to the aspirations for humane laws that govern ethics, privacy, human rights, and data usage across the members of the union. The data protection regulation was adopted in April 2016 and became enforceable – directly binding and applicable across all member states – around 2 years later in May 2018.[3,4] The extensive overhaul of privacy laws has impacted all areas of the public and private sectors: finance, health care, research, and services, to mention a few. Initially, GDPR was hailed with massive fanfare, enthusiasm, and praise. Several countries around the world have used GDPR as a model for their privacy laws, for example, Japan, Turkey, South Korea, Kenya, Mauritius, Chile, and Argentina.

Nevertheless, a wide range of challenges, confusions, and uncertainties has emerged due to the sweeping, far-reaching regulations. It is safe to say that expert lawyers, academics, and data professionals had much better days before GDPR, when they knew what they were doing. Those challenges did not only affect European countries, citizens, or institutions, but affected all the world. Every business that operates, reaches, or is reachable through a European citizen has to be GDPR compliant. GDPR entailed new requirements and processes, for example, notification regulations, data officers, and keeping records of all processes.[5] In addition, GDPR came with vague or hard-to-interpret clauses such as “undue delay”, “disproportionate effort”, or “risk to rights”. However strictly the regulations were worded, businesses took liberties in interpreting them. For instance, Facebook took almost 2 months to notify users of a breach and still claimed it complied with “undue delay” of three days maximum.[3]

GDPR has proven hard and oftentimes intricate to apply in real life. Take, for instance, the case of the Interactive Advertising Bureau Europe (IAB Europe), which has recently developed a Transparency and Consent Framework that is widely used by a vast number of content developers, advertisers, and publishers. The framework was developed by experts and had input from regulators and data protection agencies to make sure that it is GDPR compliant. Yet, the Belgian Data Protection Authority (DPA) has issued a ruling that the framework does not comply with GDPR. Put another way, GDPR is hard even for state-of-the-art experts who want to comply with the regulation.[6]

The list of GDPR violations has been expanding and touching a large number of high-profile companies and agencies. Amazon holds the record for the highest fine, 877 million Euros in 2021 for violation of cookie policies. It is followed by Meta, which has an expanding list of violations, the largest of which was for WhatsApp (225 million Euros) for failing to properly explain data processing practices in the privacy notice. Google is no better: a series of rulings has hit the company, the largest being for 90 million Euros for YouTube cookie policy. The list includes several other businesses in telecommunications (e.g., Telecom Italia, Vodafone Italia, Vodafone Spain), airlines (e.g., British Airways), energy companies (e.g., Enel Energia), and even governmental organizations (e.g., Dutch Tax and Customs Administration). Nevertheless, the rulings and penalties for big companies are far less of a deterrent than they may seem. For a large company such as Google or Meta, the fines are just so small.[7]

While the number and scale of rulings are growing, there is a considerable lag between filing a complaint and getting a ruling or enforcement action. A large and increasing pile of filings is still unresolved, some of which date back to the day GDPR was launched. Several reasons can be cited for this delay, including restrained resources, the number of filings, case complexities, and the GDPR law itself, which experts and regulators are finding difficult to apply.

The world that witnessed GDPR see the light has changed and will continue to change at the speed of the Internet. It is not hard to imagine that the challenges will be far different from what we have today while GDPR will stay almost the same.[4,8] The challenges around GDPR have left many wondering if GDPR is failing, has already failed, or is on the way to fail. Recently, a plethora of media attention and news coverage has raised the question. The story has garnered wide coverage across technology news and blogs. For instance, Wired – the esteemed technology magazine – published a pessimistic story, “How GDPR Is Failing”, and Gizmodo – a widely known technology site – published “The Hidden Failure of the World’s Biggest Privacy Law”, and so did many others.[4,8]

The difficulties in interpretations, applications, and enforcement of GDPR should not be taken as grounds for declaring that GDPR has failed, but rather as an opportunity for a remedy that makes GDPR – or the updated version thereof – a more responsive regulation that addresses societal aspirations and future advances in technology.

Acknowledgments

The paper is cofunded by the Academy of Finland for the project TOPEILA, Decision Number 350560 which was received by the first author.

References

  1. Big data and the emerging ethical challenges. Int J Health Sci. 2017;11:1-2.
  2. Toward self big data. Int J Health Sci. 2021;15:1-2.
  3. (GDPR)-Official Legal Text. European: General Data Protection Regulation (GDPR); Available from: https://gdpr-info.eu
  4. How GDPR is Failing. California: Wired; Available from: https://www.wired.com/story/gdpr-2022
  5. The European union general data protection regulation: What it is and what it means. Inf Commun Technol Law. 2019;28:65-98.
  6. GDPR Myopia: How a well-intended regulation ended up favouring large online platforms-the case of ad tech. Eur Competition J. 2021;17:47-92.
  7. Enforcement Tracker. European: General Data Protection Regulation; Available from: https://www.enforcementtracker.com
  8. The Hidden Failure of the World's Biggest Privacy Law. New York: Gizmodo; Available from: https://gizmodo.com/gdpr-iab-europe-privacy-consent-ad-tech-online-advertis-1848469604
