The GDPR is five years old! This is well worth a drum roll because it marks the anniversary of a fairly uniform data protection standard in Europe. It is a Regulation and as such applicable in EU member states without the need for transposition into national law. And while its so-called “opening clauses” offer member states a certain leeway in some areas that they had to legislate for individually, the General Data Protection Regulation still provides the framework that sets important guardrails.

So far, so good. But even after five years there is a sense that we are still in the exploratory phase, as many provisions of the GDPR are worded in broad terms and are the result of political compromise. The classic example is the notorious “legitimate interest”. This term is so loose that it has time and again caused lively debates among privacy advocates and legal scholars.

A matter of interpretation?

This leads us to the murkier aspects of the GDPR, because the interpretation of its provisions has increasingly turned into a battle of contradictory court decisions often followed by years of appeals. The judges are largely uninspired, especially since technical questions collide with legal questions. Nor are lawyers without the appropriate specialisation particularly suited to handling such cases. Lastly, plaintiffs are facing costly proceedings. This risk only increases with the duration of the proceedings. The European Court of Justice frequently offers clear guidance in its last instance decisions. But unfortunately many of its decisions are also Solomonic, providing only a rough direction and thus leading straight to another round of interpretations; some of its decisions are even contradictory.

Well-defined rights are great, but the authorities are too sluggish

On the occasion of this five-year anniversary and in view of constant technological progress, we are nevertheless glad that this guiding framework for reference exists. It has brought us many good things, for instance well-defined rights for the processing of personal data. This includes the right to deletion, the right to be forgotten and the right to correction.

The public authorities should be a reliable contact for those of us who become victims of data protection violations. Alas, the machinery is not running smoothly. It is very common for proceedings to peter out in their journey between different authorities. The idea of clearly defined competence (one-stop shop) does not really work. Then there is the legendary Irish Data Protection Commission, which gives the impression that their often lax follow-through of cases is politically motivated, with them not wanting to endanger the minimum standard of data protection that they have achieved against the “data leeches”. (Update 29.06.: The DPC apparently even tries to make questionable GDPR cases “confidential” to escape from criticism.) Proceedings also take much too long; considerable time passes between the complaint and the final decision.

Thus the biggest problems occur at the administrative level, which simply does not work. Cases are closed without decisions. Authorities remain inactive and wait for further complaints, a cheaper solution that favours mega corporations. There are many more examples, the list of non-enforcement is long. Activist Max Schrems and his team at NOYB have compiled resources that would be almost funny if they were not so sad. You can find an overview here. The most common problems in Austria are listed here (German) and you will find an overview of failures to enforce and delays in proceedings brought by NOYB here. As a result, NOYB have called the GDPR a toothless paper tiger that urgently needs better enforcement.

It started with an idea

The introduction of the GDPR has helped raise awareness among the population that data are a commodity and a subject deserving of attention. Today many more people know about the value of their data and protect them better at an individual level. “Data theft” by large companies is under scrutiny and consequently made somewhat more difficult.
Fortunately we also have a codified right to request information. This low-threshold option costs very little and anyone can exercise it without any need for legal advice. Unfortunately, far too few people use their right of access. If everyone requested all personally identifiable data on record once a year, it would certainly contribute to companies’ awareness of privacy issues.

Rights must be enforced

There is considerable room for improving the enforcement of the GDPR’s rules. Data protection authorities tend to be very generous towards those who violate data protection rules. This is not really helpful in getting companies to implement the GDPR properly. If a company knows that the first breach usually does not carry a penalty provided they promise to improve, why work meticulously from from the get-go? For most companies, data organisation is only a cost item until they are blackmailed by their first hacker. And even when they provide against outside attacks on their business data, this still leaves staff, customer and supplier data in need of proper organisation and protection, marked with proper retention periods and deletion dates. The total fines of roughly four billion euros for GDPR breaches handed out so far are dwarfed by the money paid to blackmailers. GDPR fines are therefore often simply included in a business’ calculations and not seen as a motivation to protect its data and that of its customers etc. Companies should urgently change course because their behaviour, especially that of medium-sized businesses, often amounts to gross negligence.

Another item on our wish list for better enforcement is the matter of cookie banners. It is high time to take large-scale action against the constant, unlawful, annoying buttons that must be selected before users can even get to a website! How many websites are there whose mobile versions leave cookies active regardless? How many websites ask us to allow data traffic, but establish connections that we do not want before we even get a chance to reject them (German)? These examples are only the tip of the iceberg. We therefore demand substantial repairs.

Famous last words

But despite some inconsistencies, we are glad today and congratulate the GDPR on its fifth anniversary! It set the gold standard in Europe and has been copied many times. On a global scale, however, its standards are often considered too high and it is doubtful how many countries will adopt them. For them to succeed, politicians must finally see our fairly high standards as the advantage and protection that they are. Currently, the political debate is focused on the disadvantages. We therefore appeal once more to the political decision makers to continue along the good path that is the GDPR. This includes repairing certain provisions and ensuring proper enforcement.

The outlook for the future is highly uncertain. Currently, the wave of so-called artificial intelligence is upon us and it will certainly be at least as disruptive as the introduction of the iPhone. At the European level, we will find out the strengths and weaknesses of the Digital Services Act and the Digital Markets Act in their day-to-day application. And finally the really exciting question remains of how society implements and copes with the digital shift. Thank you GDPR for accompanying us on this bumpy ride and providing some protection for the time being. And now – Happy Birthday!

Since you're here

… we have a small favour to ask. For articles like this, we analyse legal texts, assess official documents and read T&Cs (really!). We make sure that as many people as possible concern themselves with complicated legal and technical content and understand the enormous effects it has on their lives. We do this with the firm conviction that together we are stronger than all lobbyists, powerful decision makers and corporations. For all of this we need your support. Help us be a strong voice for civil society!

Become a supporter now!

Related stories: