three years gdpr||GDPR three years|GDPR three years

GDPR: Three years in, and its future and success are still up in the air

The EU’s General Data Protection Regulation (GDPR) is not living up to the hype. When first implemented in 2018, the GDPR was presented as the new world standard for privacy and data protection. The law has increased data protection awareness and led to significant legal changes all over the world. Yet Access Now’s new report, Three years under the GDPR: An implementation progress report, explores just how far this legislation still has to go before its promises — and potential — are truly fulfilled.

“Three years in, and Access Now’s new report highlights how GDPR implementation is proving to be nothing but hot air,” said Estelle Masse, Senior Policy Analyst and Global Data Protection Lead at Access Now. “We’ve passed the settling in phase, and we now need to seriously address issues with the enforcement of the law. The next few years will decide if the internationally-acclaimed legislation soars like an eagle, or crashes and burns like a le(a)d zeppelin.”

The GDPR is a robust legislation but its sweeping data protection commitments have yet to materialise: a huge number of complaints remain unaddressed, violations are everyday news, and Big Tech is holding fast to data harvesting business models. The hopes and expectations raised by this flagship legislation are turning into frustration over the slow enforcement. 

Access Now’s new report delves into the GDPR’s facts and figures, evaluating how data protection authorities (DPAs) are, due to a combination of operational difficulties and insufficient financial and staff resources, unable to address complaints, leaving them to flap in the wind. But are DPAs at fault? They are themselves citing inadequate communications tools, incompatibility of national procedures, lengthiness of the process for cooperating, and difficulties in identifying who is in charge of cases, as key obstacles to enforcing the GDPR. From May 2018 to March 2021, DPAs did levy 593 fines and sanctions, but data exposes the huge discrepancy in how the authorities are using their powers, and confirms that major cases are stuck due to procedural issues.

So, should the EU reform the GDPR? No — at least not yet. As Access Now’s report explains, regulators and lawmakers can address many of the impediments to enforcement without changing the law. To support the next phases of the GDPR’s implementation, Access Now is providing recommendations to address the shortcomings, including:

  • Creating new communication and collaborative tool for the DPAs;
  • Developing additional guidelines to clarify “one-stop-shop” procedures;
  • Clarifying and increasing use of the urgency procedure; and
  • Increasing resources for DPAs.

The GDPR is still in its infancy, and while it is too soon to consider revisions to the law, EU regulators and decision-makers have the power to improve enforcement and fulfil its promise for vindicating data protection rights and spurring the development of privacy-protecting business models. The past three years hold important lessons for decision-makers and regulators to leverage to deliver on that promise. A lot is at stake. Getting GDPR enforcement right is vital for guaranteeing the right to data protection in the EU. Last year, on the legislation’s second anniversary, Access Now raised the alarm over weak enforcement; this year, the organisation just feels deflated.

Read Three years under the GDPR: An implementation progress report.

More information on data protection: Of course, data that is not collected cannot be used to violate privacy. Access Now’s recent report, Data Minimization: Key to protecting privacy and reducing harm, addresses how companies and organisations can limit data collection to protect human rights.