Statement: 3rd Anniversary of the GDPR

25 May 2021
3 years of gdpr

Statement: 3rd Anniversary of the GDPR

Three years ago, on 25 May 2018, the General Data Protection Regulation became applicable. The GDPR was meant to give rights to everyday people that are subject to data processing (“data subjects”). At noyb, we apply the GDPR from that user perspective every day.

After three years, our first interim conclusion is mixed: The GDPR has clearly brought the issue to everyone’s attention, ensured that companies reviewed practices (often for the first time) and users became more aware that they have rights in the digital sphere.

Privacy on Paper?

Having rights and getting justice are two separate things: Just like under the previous rules in the Data Protection Directive from 1995 (the Directive 95/46) we are in a state where the EU has managed to issue a progressive law (if compared on a global scale). However, the Member States largely fail to enforce this new European legislation. This leads to “privacy on paper”, but not necessarily on users’ phones or computers.

As an organization specialized on data protection and privacy, our ten lawyers apply the GDPR on a daily basis. Nevertheless, we regularly see cases that take years to resolve, especially when users want to enforce their rights across national borders. While some Data Protection Authorities (DPAs) do a great job, others do not even accept the users’ right to have a complaint investigated, let alone have users’ rights enforced. As companies declare their headquarters in the most convenient Member State (“forum shopping”), users in the entire EU suffer from weak links among DPAs.

In some Member States, the courts have been equally reluctant to enforce users’ rights. It often seems that judges did not receive any training on the GDPR, which leads to decisions that reignite legal debates that should have long be overcome – for example the right to get monetary compensation for emotional damages. Equally, courts apply local procedural law in a way that makes the enforcement of the GDPR close to impossible.

This situation does not only lead to gross violations of citizens’ rights, but also leads to unfair competition, as some players on the European market may not feel the need to comply, while others are worried about the possibility of fines.

Small and Medium Companies

Another element that becomes clearer now, is that the “one size fits all” approach of the GDPR is inadequate. Large companies pushed for a unified law, to ensure that they only have to comply with medium requirements. Especially political parties that pride themselves to be “pro-business” followed that idea. These medium requirements now overwhelm many small businesses that do not really process data on a relevant scale, while they are too weak to combat big tech.

Unlike other regulations where there are classes of companies, the GDPR often requires the same procedures from a small shop and from tech giants like Google, Amazon or Facebook. This leads to high burdens for the vast majority of companies, while not adequately regulating the relevant players. It seems the main beneficiaries are large data processing conglomerates and maybe the consulting industry. Nevertheless, there is (for good reasons) no appetite to reopen the GDPR, as there is fear of big tech using any such opportunity to poke more holes into the law.


Europe can pride itself to have passed the most progressive privacy legislation in the world, but small errors in the law and the lack of enforcement lead to legitimate frustration of users and small business. It will be upon the DPAs and Courts to overcome these problems within the existing legal framework to make the GDPR a true success. We are glad to work on triggering such changes in our daily work at noyb.