5 negative, unintended consequences of the GDPR on its 5th anniversary

Sergio Maldonado
Published in PrivacyCloud
May 27, 2023


Since there’s enough praise out there (including our own!) for the GDPR’s positive impact on our daily lives and the manner in which EU residents are enjoying their newly acquired rights, we thought this anniversary calls for a critical reflection on the things that we believe have backfired.

How are we to ever improve otherwise?

Cutting straight to the chase, we will start by disregarding what seems to be the number one complaint in the wider business world: annoying, useless consent banners have little to do with the GDPR (other than the manner in which it redefined valid consent). We believe the most infamous EU export should rather be blamed on: a) our shortsightedness back in the day (ePrivacy II, 2009), regulating a technology per se rather than looking at the fundamental rights and freedoms at stake; and b) the inability (or lobbying-infused malfunction) of the EU institutions to find common agreement for an updated ePrivacy Regulation that would have aligned such lex specialis with the new general framework, back in 2016–2018.

With that said, here’s our list:

  1. The GDPR has hampered competition, playing into the hands of the biggest players. Yes, many thought privacy and competition were perfectly compatible, but we now have enough evidence to the contrary: large incumbents have the resources to deal with complexity or embark on much more expensive privacy-first deployments. Small businesses are stuck with pre-built tools and free (US-based) cookie-packed or ad-supported alternatives at all levels. We went slightly deeper on this when analyzing the Ethical Commerce Alliance’s London Summit last week.
  2. National security programs have laid bare the weak grounds on which international data transfers, and even the entire data protection framework, are built. Despite the fact that this particular purpose was left out of the GDPR’s material scope, the Regulation and its various cousins or predecessors (Convention 108, EU Charter of Fundamental Rights…) have so far sat atop a basic human rights layer — which is expected to persist across the wider legal system. The legislator failed to appreciate that such a layer cannot be taken for granted beyond Europe, including in the United States. Unfortunately, the internet does not seem to function when US companies are taken out of the equation (and yet the biggest fine to date boils down to penalizing the perpetually unpopular yet widely used Facebook/Instagram/WhatsApp for such inconsistency). To make matters worse, AI-powered mass surveillance practices conducted by EU Member States have shown internal cracks in the deeper stack of common values.
  3. Political agendas and “inherited pathologies” have found their way into GDPR enforcement actions by data protection agencies, undermining the consistent application of the law and doing away with one of the benefits of harmonization: France’s CNIL has shown clear bias by targeting US-based businesses (Apple, Microsoft, Meta, Google, Discord) with exemplary fines while proactively helping, softly nudging, or merely threatening national champions and local darlings in their struggle with the nuances of the Regulation. Welcome as it may be for EU chauvinists, “digital protectionism” seems beyond the mission of supervisory authorities as per the GDPR itself. For its part, Spain’s AEPD has been affected by a characteristic, almost naive desire to “help” regular citizens, more closely resembling an overloaded consumer protection ombudsman. This has resulted in an absolute record of enforcement actions, a clogging of the system, and the general perception that it can act as a faster replacement for civil courts in neighborly matters of personal acrimony.
  4. A few core distinctions are arguably becoming obsolete. It is increasingly harder to differentiate between data controllers and data processors in complex digital marketing, AI, or data analytics scenarios (suffice it to look at the EDPB guidelines on the targeting of social media users and the temporary nature of joint controllership relationships). The line between pseudonymised and anonymous data remains blurry (despite the recent CJEU Banco Popular decision).
  5. Data subject rights have not lived up to their promises (whatever happened to the leveling effects of portability?) and, in certain cases, they have even acted as deterrents to innovation (e.g., blockchain vs. the right to erasure).

I am fully aware that some of these things call for a more nuanced analysis, but that is the whole point of opening up the conversation. Let’s make it as nuanced as you wish.

In the meantime, happy 5th lap to the GDPR, and let’s hope for a pit stop before it breaks or damages the road.


Dual-admitted lawyer. LLM (IT & Internet law), Lecturer on ePrivacy and GDPR (IE Business School). Author. Founder: PrivacyCloud, Sweetspot, Divisadero/Merkle.