THE European Commission is largely happy with the first year of its sweeping digital privacy rules. Evidence mounts, however, that the General Data Protection Directive (GDPR) hurts smaller firms and has no effect on tech giants, which are the least interested in preserving user privacy.

The directive went into effect in May 2018, demanding companies provide privacy by design and by default on all digital platforms and websites. It laid down the rules for collecting and processing private data, including the cases in which consent is necessary for their harvesting. This week, the commission put out an optimistic progress report, describing the GDPR’s first year as “overall positive” and suggesting a number of mild improvements in applying it.