What’s the first thing that pops up when you search online? Cookies. Privacy notices. Consent banners. Thankfully, the European Union’s General Data Protection Regulation (GDPR) was enacted to protect people from the risks of reckless data collection and misuse, at least in theory. With maximum fines of €20 million or 4 per cent of a company’s annual worldwide turnover, whichever is higher, it was hailed as a game-changer when it came into effect in 2018. Schools, businesses, and governments scrambled to update their systems. But has it truly lived up to the hype?

Recent incidents raise serious doubts. The European Commission itself has been ordered to pay damages for mishandling personal data, a reminder that even the institutions behind the law can fall short of it. Major tech giants like Google and LinkedIn have faced investigations and fines, yet data privacy violations persist. So, almost a decade later, is the GDPR successfully protecting individuals’ data, or is it just another bureaucratic measure struggling to keep up with Big Tech?

When the GDPR took effect in 2018, it promised to usher in a new era of data protection. As the “toughest data privacy and security law” in the world, it imposes obligations not only on European organizations but also on organizations anywhere that target or collect data related to people in the EU. Framed as giving effect to the right to the protection of personal data set out in the EU Charter of Fundamental Rights, the GDPR was designed to grant individuals greater control over their personal data. The law requires organizations to have a lawful basis for every use of personal data. Consent is one of six such bases, and where it is relied on it must be freely given, specific, informed and unambiguous, so that individuals know exactly how their information will be used. It also grants individuals the right to be forgotten, allowing them to request the deletion of their data in certain circumstances. Additionally, the law provides for data portability, meaning users can obtain their personal data in a machine-readable form and move it from one service provider to another if they choose to switch.

For businesses, the law imposes significant obligations on data controllers—those who decide the purpose and means of processing personal data—and on data processors, third-party entities that handle data on behalf of controllers. These entities must adhere to principles like data minimization, ensuring that only the data necessary for a specific purpose is collected, and purpose limitation, meaning data must only be used for the stated purpose. Furthermore, organizations must maintain transparency in their data practices and ensure the security of the personal information they process.

However, while the GDPR has made significant strides in protecting personal data, several flaws in the legislation itself undermine its full potential. One of the most frequently cited criticisms is the vague and open-ended language of the regulation. Although the law clearly outlines the obligations of data controllers, the responsibilities of data processors are less defined, leaving loopholes that allow processors to avoid accountability. For example, Article 28(3) requires the processor to inform the controller when an instruction is unlawful, but the requirement appears in the article’s second subparagraph, which refers back to the audit and compliance duties in point (h) of the first subparagraph. That placement introduces ambiguity: the controller may read it as a general duty to flag every unlawful instruction, while the processor may argue that it applies only to instructions concerning audits and demonstrating compliance.

This lack of clarity complicates contractual negotiations and enforcement, allowing processors to potentially shirk their responsibilities and undermining the regulation’s goal of robust data protection. Furthermore, the law has been criticized for its overly complex framework, which can make compliance a burden for smaller businesses and organizations that lack the resources to navigate the intricacies of the regulation.

Aside from issues with the legislation itself, enforcement has also been a major challenge. Despite some high-profile fines—such as Amazon’s €746 million penalty in 2021—the European Union Agency for Fundamental Rights (FRA) warned that the national data protection authorities responsible for enforcement are underfunded and understaffed. With limited resources to audit companies effectively, enforcement has been inconsistent across EU member states. A 2024 ISACA survey found that only 10 per cent of European organizations are fully confident in their ability to comply with GDPR requirements. This weak enforcement has allowed violations to go unchecked, preventing the law from fully achieving its goal of ensuring data privacy across Europe.

Beyond the GDPR, the European Union has introduced additional legislative measures to regulate the power of technology giants. The Digital Markets Act (DMA) and the Digital Services Act (DSA) are part of the EU’s broader strategy to regulate the digital landscape and curb monopolistic practices. The DMA targets anti-competitive behaviour by large tech companies, aiming to ensure fair competition in digital markets. The DSA, on the other hand, addresses issues such as online safety, harmful content, and transparency in the algorithms used by tech platforms.

While these laws are seen as important steps toward regulating Big Tech, there is skepticism about whether they will be effective in the long run. Critics argue that technology companies are so agile and powerful that these regulations may struggle to keep up. Supporters, however, believe that such measures are necessary to ensure that tech giants are held accountable for their role in data collection and privacy violations.

The GDPR has undeniably made a significant impact on the global data protection landscape. It has granted individuals greater control over their personal information and forced companies to rethink how they handle data. It has also paved the way for other data protection laws, such as California’s Consumer Privacy Act and China’s Personal Information Protection Law. However, the regulation is far from perfect. Ambiguous language, gaps in processor responsibilities, and enforcement challenges have prevented the GDPR from achieving its full potential.

Ultimately, while the GDPR has set a high standard for data protection, it will require continuous updates and stronger enforcement to remain relevant in an ever-evolving digital world. The journey towards comprehensive privacy protection is ongoing, and the fight for data privacy will continue to evolve in the years ahead.

Edited by Iona Riga

Featured image: Photo by Christian Lue is licensed under the Unsplash License.