The GDPR promised to rewrite the rules of engagement for tech. Five years on, what’s the verdict?

Days after Meta was issued a €1.2bn fine, the GDPR turned five. We look back at its impact and the work still left to do.

By Emma Sheppard


June 2023

Meta had been waiting to hear about its GDPR fine for many months. But even its representatives must have been surprised by the €1.2bn figure revealed in May. It is the largest fine issued to a single business in the five years the GDPR has been in force.

When it first became law in 2016 (although it would take a further two years to come into force), the GDPR was hailed as something of a privacy superhero. It replaced the Data Protection Directive (DPD), which had been in place throughout Europe since 1995. The DPD had governed the way personal data could be collected and used but was enforced inconsistently across the bloc. And, with the acceleration of technology, it was quickly becoming out of date. 

The GDPR set out to stop the rampant personal data misuse associated with surveillance capitalism and achieve greater protection for EU residents. It gave individuals new rights over their personal data, including the right to be forgotten and the right to object to automated decision making. 

Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and the Open Markets Institute, writes in The Economist that it was the revelations of the American whistleblower Edward Snowden that spurred the EU on to do something. “Enforcers gained formidable powers, including the authority to raid companies like Google, Meta and Amazon, and to force them to change how they operate. This showpiece regulation was hailed as the new global standard for data protection and privacy.”

Since 25 May 2018, regulators have issued more than 1,600 fines to organisations and individuals for breaching the GDPR. They total £2.5bn (€2.78bn), not including Meta's latest sanction. The company has certainly been in the firing line: seven of the 10 highest GDPR fines have been levied against Mark Zuckerberg's company. Vodafone España has been fined on 63 separate occasions, and Google and its subsidiaries have been fined more than €215m in total.

Has the GDPR succeeded in its mission? Here are some of its accomplishments and the work still left to do…

1.  There is much more awareness of privacy and data protection

Where the GDPR has certainly succeeded is in raising public awareness about the importance of privacy and data protection. Individuals are much more aware of the risks and their rights. Three in four consumers have concerns about how companies are using their data, and almost half (46%) would no longer use or buy from a company they were previously loyal to if it failed to protect their data from a breach. 

2. But enforcement is patchy 

Despite the EU-wide nature of the GDPR, not every regulator applies the rules in the same way. It is the big technology companies that attract most of the fines, yet Ireland, which is perhaps the EU's most visible data protection watchdog because so many of the world's biggest tech companies have their EU headquarters there, has been criticised for being soft on big tech. Almost two thirds (64%) of the 159 enforcement measures it had taken by late 2022 were merely reprimands, and a study of GDPR decisions in Ireland found that 75% of the Irish regulator's draft decisions in cross-border cases were overturned at EU level in favour of stronger action.

3. GDPR has become the standard that other countries follow 

Countries around the world have taken their lead from the GDPR. More than 70% of countries now have data protection regulations in place and a further 9% have legislation in development, according to the United Nations Conference on Trade and Development. Even recent calls for a federal privacy law in the US can be traced back to the GDPR. Some decisions made by regulators under the GDPR have also benefited people worldwide. OpenAI, the developer of ChatGPT, for example, was given a to-do list by the Italian DPA in order to have the service's suspension in Italy lifted. This forced it to change the way personal data is used in its product, and those changes benefit users wherever they are based. Similarly, the introduction of the ICO's Children's Code led Facebook, Instagram, YouTube and Google to change the way children interact with their products, and inspired stronger protection for children's personal data in other jurisdictions: the California Age Appropriate Design Code Act is heavily based on the ICO's Children's Code. The global nature of the internet means a wide divergence in laws is unlikely. Gartner predicts that by the end of 2024 the majority of the world's population will have its personal data covered by privacy regulations.

4. It’s still seen as the purview of lawyers and consultants

Too often, the GDPR is still seen as something to be outsourced to lawyers or data protection consultants. That breeds resentment. Companies should be able to comply without feeling overwhelmed, turning to specialist advisers only when they face genuinely difficult questions. Everyone in an organisation interacts with personal data in some way, so privacy should be something everyone understands and acts to protect. Done right, this creates a culture of responsible data handling and builds customer trust.

5. Many SMEs are still confused 

The GDPR has significantly changed how businesses collect, process and store personal data. But many are still confused, particularly SMEs that cannot afford to hire an expert in house. When the GDPR was introduced, there was a lack of simple, practical advice from the regulators, who instead produced volumes of detailed guidance aimed at privacy professionals and lawyers, much of it written in a way that left a lot open to interpretation. The regulators insisted they would educate the market and only enforce where the most harm was being caused. Today, many companies are still unaware that they even have to register with the regulator. And the Data Protection and Digital Information Bill (currently working its way through the British Parliament), which proposes changes to the UK GDPR, is likely to add even more confusion.

6.  We are in a much better place than we were five years ago but there’s still work to do

As technological innovation has continued apace, the GDPR has in some cases protected individuals from abuse, even if some industries have been reluctant to embrace reform. Google's AI chatbot Bard is not currently available in the European Economic Area, and Google has had to delay its launch there after the Irish data protection authority indicated that it had not been shown to be GDPR compliant. The acceleration of AI has revealed an urgent need for more regulation in this area, and the EU is working on the first ever legal framework for artificial intelligence, the AI Act. The EU also proposes adding a digital services coordinator in each member state, with its own regulatory powers across the whole digital agenda, alongside the existing data protection authorities.

Perhaps, then, the GDPR was only the start of this conversation. Experts predict that enforcement will become faster, more fines will be imposed, and data privacy regulations will continue to converge across the world. But organisations need to keep evolving too. It was recently revealed, for example, that some of the UK's largest charities providing support for people with mental health difficulties shared sensitive details about their website visitors' browsing activity with Facebook, in direct breach of the GDPR. Five years on, the message still isn't getting through to some organisations.
