May 25th 2021: 3rd year anniversary of the GDPR


Today, on 25 May 2021, the General Data Protection Regulation will celebrate its third year of entry into application. :birthday:

Three years in… What do you think about the GDPR’s success (or lack thereof in certain areas)? What problems are still there and what have we seen improved in the past year? Where can it still do better? Discuss!

I have mixed feelings, to be honest. The GDPR has in part been a huge success in unifying EU data protection law (save for member state laws implementing the GDPR, although those are largely similar), and it has brought more attention to data protection and the protection of fundamental rights, especially now that more and more things are digital.

However, member states’ enforcement of the GDPR is severely lacking: supervisory authorities for whatever reason fail to adequately enforce the GDPR, and blatant breaches of the GDPR have been ignored for too long.[1] We have seen an increase in enforcement by SAs in the past year, but it is still falling short by miles. The protection of fundamental rights exists on paper, but in practice, because of the lack of enforcement, more controllers are non-compliant than compliant. Groups like NOYB and other civil rights groups are a great voice in changing this.

Worth reading: Three-Years-Under-GDPR-report

  1. Texts adopted - Commission evaluation report on the implementation of the General Data Protection Regulation two years after its application - Thursday, 25 March 2021

There are a lot of issues that have already been discussed elsewhere – too little enforcement (must not be the responsibility of NGOs), too little guidance (most member states don’t have the equivalent to the ICO’s excellent explanations), still no ePrivacy reform, and so on.

What I find a bit dangerous is that the compliance effort can become wholly disproportionate. GDPR compliance can be overwhelming, so that some controllers might just not care. To my amazement, this didn’t seem to happen when the GDPR came into force. Everyone rushed to update their policies, motivated by uncertainty about how fines would be handed out.

But then the Schrems II judgement suddenly destroyed the foundation of modern globalized IT. The result is that everyone replaced the Privacy Shield with SCCs, usually in full knowledge that they are probably invalid as well. The proper compliance response – to stop using US-based services – would be more costly to many data controllers than potential fines. (Corona didn’t help, where the choice often boiled down to compliance vs being able to continue business operations).

Of course the Schrems II judgement was entirely correct, necessary, and unsurprising. I just wish this shock could have come a couple of years later, when industry as a whole would have become more accustomed to compliance issues. Hopefully, future enforcement on this issue will focus on international companies that offer insufficient controls to their customers, most importantly Google.

But overall, especially as a data subject, I’m still glad that the GDPR exists. I’m also very happy that cookie consent banners have become noticeably more navigable and transparent over time, except for their discovery that legitimate interest is a thing :roll_eyes:


Whilst I agree on this, and I don’t think smaller controllers should be enforced more or harder than big organizations, most organizations are still not GDPR compliant. In the Netherlands the majority of companies are not compliant with GDPR as of last month. This results in large scale infringements to data subject rights by - amongst others - processing personal data without legal basis. And the lack of enforcement is just depressing to be honest.

And many things, if not most things, in the GDPR are not new: you have needed a legal basis for processing since the Data Protection Directive, and if you are not doing it right now, you have been doing it wrong for the past 26 years.

GDPR entered into force on 24 May 2016, so controllers had 2 whole years to get their stuff together, and even then, on May 25th 2018, when the GDPR became applicable, we were still lenient and gave organizations even more time to get their stuff together. There was plenty of time, and the lack of compliance by a controller does nothing more than illustrate how ignorant it is.

I don’t think the compliance effort is disproportionate at this moment; it isn’t that hard. That’s easy to say coming from a professional, but just like companies have the tax guy to ensure tax compliance, they should have the privacy guy to do the GDPR compliance.
