Is the GDPR data protection law working?

Last spring’s GDPR is one of the most complex pieces of legislation the European Union has ever devised. But is it achieving what it was supposed to? 

Google accounts for the vast bulk of the fines levied under GDPR

What is the GDPR?

It's the EU's General Data Protection Regulation (GDPR), an EU-wide set of rules governing data privacy in the age of the internet. It came into effect in May last year, and will remain part of UK law even after we leave the EU. GDPR took four years to debate and compose (mostly by privacy-conscious German lawyers) and consists of 99 articles and 173 explanatory comments, making it one of the most complex pieces of legislation ever produced by the EU. Its stated purpose is to "protect all EU citizens from privacy and data breaches in an increasingly data-driven world".

How does it do that?

Principally by dramatically expanding the definition of what counts as data; by compelling organisations to secure consumers' explicit consent to various forms of communications and data storage; and by beefing up penalties for data breaches and non-compliance. Until last year, EU citizens' rights over their personal data (everything from addresses and health records to credit data) were enshrined in a directive that hadn't been touched since 1995, when the internet was still in its infancy. GDPR expands the definition of data to photos, posts on social networks, and IP addresses (which identify your computer when you access a website). And it covers virtually any organisation that collects data about EU citizens, anywhere in the world.

What must companies do?

Companies can no longer hide their requests for consent to store or use our data in endless terms and conditions and legalese, or use pre-ticked boxes. Instead, people have to opt in. This explains the flood of messages in the nation's inboxes in the run-up to last May, when shops and hotels and websites we barely remembered visiting got in touch to ask permission for them to get in touch. Under GDPR, consent to allow our personal data to be used must be unambiguous, freely given, current, and for specific purposes. Moreover, firms (or other organisations) that handle large amounts of personal data must appoint a data-protection officer and design their systems around the need for privacy.

What rights do we get?

Consumers, meanwhile (or "data subjects") get several new rights. We can access data held on us within a month, free of charge. We have the "right to be forgotten" by making an organisation erase our data, and the right to be notified within 72 hours if our data is compromised and to get compensation more easily. For organisations, the fines for non-compliance are much bigger under the GDPR: a maximum of €20m or 4% of turnover, whichever is the greater. According to Vera Jourova, the EU commissioner for justice, the EU has "handed a loaded gun" to the national regulatory agencies whose job it is to enforce the rules, such as the UK's Information Commissioner's Office (ICO).

How has it been going?

GDPR has greatly increased the number of data breaches reported to the authorities by companies and organisations. In the UK, total reported breaches in 2019 are estimated to be about 36,000, nearly twice the previous annual rate of around 20,000. Doubling that number is no small achievement, reckons Josephine Wolff. Across Europe, the first nine months of GDPR saw 206,000 cases recorded, including 95,000 complaints and 65,000 data-security breach notifications. That is a valuable trove of information, both for customers whose personal data has been compromised and for regulators and technology designers trying to understand and mitigate the root causes of breaches. However, it is much less clear that GDPR has had much impact on corporate fines for mishandling personal data.

What are the figures?

Across Europe, in the first nine months national data-protection agencies in 11 countries had levied €56m in fines. That sounds impressive, but the vast bulk of that figure was a single €50m French levy on Google in January. Moreover, data for the UK shows that the chances of getting a fine are remote indeed. Between May 2018 and March 2019, 11,468 data-breach cases were resolved but only 29 of these led to a fine, including a £500,000 fine issued to Facebook and another half million issued to Equifax. Clearly, GDPR is a work in progress, but so far the vast majority of firms are not being fined for failing to protect customers' data, and any fines levied have hardly been onerous. Critics also say that the first year of operation has borne out their worst fears about the potentially damaging effects of GDPR.

What are they?

They worry that GDPR is cumbersome, outrageously costly to comply with, and over time is likely to entrench existing oligopolies while discouraging new investment in potential future champions. In other words, it increases the power of the biggest players, such as Facebook and Google, who can easily afford the compliance costs and have used their market power to pass on some costs to others, while making life much harder for smaller players and new entrants. For example, a study last November for the US thinktank the National Bureau of Economic Research detected a 17% fall in venture-capital funding rounds for tech firms in Europe after GDPR came into force, and a fall of almost 40% in the overall funds raised. Meanwhile, in the UK, Google and Facebook's combined share of the online advertising market has risen over the past year to 64%, compared with 59% in the US. Realistically, it is still very early days in terms of evidence-gathering, and regulators promise that some more big fines are in the pipeline. But for now, the jury is very much out.
