The European law set a global benchmark, stimulating the spread of similar privacy legislation, and inspiring initiatives from Brazil to India. Within Europe, it created a genuine common privacy standard. On June 16 and 17, 2022, policymakers gathered in Brussels at a major conference to issue a report card. 

At best, the General Data Protection Regulation (GDPR) gets a gentleman C. Analysts say it remains flawed, plagued by a failure to put strong limits on tech companies’ data collection and its weak enforcement. European regulators have brought few cases under the new law, with the Irish regulator that oversees the largest US companies, such as Google and Facebook, coming in for particular criticism. For most European consumers, the biggest change has been a proliferation of annoying cookie pop-up requests, requiring a click to accept tracking.  

“We’ve seen a proliferation of privacy legislation across the globe [inspired by GDPR],” said Ivana Bartoletti, Global Chief Privacy Officer at Wipro, an Indian IT giant. At the same time, “there are serious structural issues with the European law, beginning with enforcement.” 

The impact on consumer privacy is disputed. For Bartoletti, the GDPR has succeeded by transforming data protection into a fundamental right. Without it, individuals would be left with little protection. In some specific situations, notably a Dutch case against TikTok, the GDPR has protected consumer privacy.  

For others, though, the GDPR remains fatally flawed.  It allows companies to continue collecting data as long as they receive consent from consumers, explains Ari Waldman, a professor of Law and Computer Science at Northeastern University. In almost all cases, this consent represents a formality. Companies conduct their own audits and self-verify their compliance with vague standards. Smart corporate lawyers can skirt these compliance requirements – and the largest tech companies enjoy direct access to users, easing consent. Many small and medium enterprises (SMEs), in contrast, struggle because they reach customers only through the platforms.  

“The GDPR is a structural failure,” Waldman said. “Its compliance procedures are easily co-opted to achieve corporate goals. It legitimizes data extraction.”  

At the Brussels conference, European Data Protection Supervisor Wojciech Wiewiórowski agreed with some of these criticisms. He proposed giving a large enforcement role to a “pan-European” regulator, reducing the responsibility of national regulators.

“Way too often, the GDPR puts its constraints on small entities but spares the big ones,” Wiewiórowski said. “Big companies, thanks to their resources, can benefit from [a] lack of strong enforcement and further expand their advantage over small competitors.”

In contrast, predictions that GDPR would drive a wedge in US-Europe relations have proved unfounded. After the European Court of Justice ruled against the Privacy Shield on July 16, 2020, saying that US surveillance of European data sent across the Atlantic violated GDPR, both sides have worked to find a solution. This spring, US President Joe Biden and EU Commission President Ursula von der Leyen announced a Privacy Shield 2.0. Since then, a bipartisan privacy bill has emerged in the US Congress. The US is beginning to understand the requirements of how to meet GDPR guidelines set by the European Court, says Eduardo Ustaran, a partner at Hogan Lovells International LLP.  

Our Twitter panelists agreed that GDPR required reform, though they disagreed on how much. For Waldman, the only effective solution is new legislation to limit or even end the corporate collection and use of data. For Ustaran, such a solution would mean the end of the Internet as we know it, fatally wounding the tech industry and posing an unacceptable economic cost.  

Other suggestions proved less divisive. Large fines are insufficient to police tech violations, Waldman said. Tech leaders such as Meta’s Mark Zuckerberg should be held criminally liable and risk jail time. Another improvement, proposed by Bartoletti, involves writing legislation to protect vulnerable groups as opposed to looking at privacy on an individual basis.  

Given the GDPR’s mixed report card, the best solution to protecting privacy may be to put privacy into a broad attempt to protect users online, placing privacy protections into consumer, antitrust, and human rights laws. By itself, GDPR remains insufficient. 

Grace Endrud is an intern at CEPA’s Digital Innovation Initiative. 

Bill Echikson is the Director of CEPA’s Digital Innovation Initiative and edits Bandwidth.