We hoped for the General Data Protection Regulation (GDPR) to be a truly trans-national regulation: not only one legal text applicable across the continent, but above all, its consistent enforcement. Watching the hype over financial fines when this regulation was thrown to the market, we were hoping to see compliance from big and small companies alike. How much of this promise has already been fulfilled? In this issue of the GDPR Today we reflect on some of the obstacles that prevent this regulation from gaining full speed but also take stock of its positive impact a year after it entered into force.

In May 2019, the European Data Protection Board (EDPB) published numbers showing that trans-national impact of the GDPR is happening – slowly but surely. So far the EDPB hasn’t adopted any opinion on application of the GDPR across the EU or cases which affect more than one Member State. The first “big” Google case was resolved by the French authority CNIL without even notifying other supervisory bodies. But – at the same time – there are 446 cross-border cases logged in the EDPB’s case register. 205 of these have led to One-Stop-Shop procedures and 19 of these procedures have already been resolved. Right now, it seems that supervisory authorities across the EU are more keen on informal cooperation and seeking compromise, rather then testing the more formalised procedures, such as starting joint operations or requesting EDPB’s binding decisions.

While this approach may pay off in terms of cutting the waiting time to resolve complaints, it remains to be seen whether it will also deliver courageous and consistent standard of the GDPR interpretation. Not less than eleven complaints against Facebook that came to Ireland from various countries and as many as fifteen similar complaints against IAB and Google (related to the functioning of behavioural advertising ecosystem) are waiting to be resolved. Will supervisory authorities seize these opportunities to obtain EDPB’s opinion on matters that clearly have an effect in more than one Member State? What will happen with decisions that have already been issued but fall short with EDPB’s guidelines that are on the way, such as new guidelines on the conditions of obtaining consent?

GDPR will only take shape by its consistent and courageous interpretation by supervisory authorities and courts. After its first year, it is clear that big and small companies alike will avoid and circumvent data protection obligations as long as they have a chance of getting away with it. No matter how clear provisions on obtaining consent are, there will be irritating pop-ups, dark patterns (think of closing pop-up window interpreted as “unambiguous action”!) and pre-ticked boxes expressing “consent” for third party marketing. GDPR is based on respect for human dignity and data autonomy, while data-driven capitalism is not. After more than 20 years of watching it grow, we cannot expect that business models built on data exploitation will cease to exist just because one EU Regulation said what they do is no longer legal.

We are facing a power struggle that will require new narratives, new institutions (such as EDPB itself) and new alliances. It will require greater engagement from regular users of data-driven technologies as well. We already see them waking up: just one tool meant to support data access requests, provided by Bits of Freedom, attracted 17 000 active users in seven months only. But this change will not happen in a year, probably not even in five years.

After one year of living with the GDPR we can, however, draw lessons on what needs to be improved if we want to win this struggle one day. This issue of the GDPR Today brings to you statistics, cases and opinions, hoping to feed such reflection.

Enjoy and digest well!

Katarzyna Szymielewicz

— Prezeska | Panoptykon Foundation President and EDRi Vice-President