Few Internet laws generate more opinions than the EU’s General Data Protection Regulation (GDPR). Many companies see these regulations as expensive, unwieldy EU bureaucracy. Online privacy activists, meanwhile, say things have massively improved for consumers.

Four years ago, the European Union introduced the General Data Protection Regulation (GDPR), the toughest data protection regulation on the world. How well is it working?

The new regulation applies to some 450 million consumers in Europe, enforcing citizens rights to information, allowing them to correct and delete their data, in a rule whose reach extends to the biggest corporations in the US.

Those benefits are not yet being felt in daily life for some in Europe, however. Only 9% of people in Germany say they feel significantly better protected thanks to the regulation, according to a poll carried out by YouGov.

Meanwhile 38% of those polled saw no improvement at all, according to the representative survey. Only 31% said they felt their data was at least partially better protected than it was before.

Unfortunately, what people focus on when they think about the GDPR is not the right to be forgotten online, or better rules for moving personal data from one provider to the next – much to the regret of the European Commission and data protection experts.

‘Accept all cookies?’

Talk tends to focus on the constant queries about cookies that pop up online since the GDPR came into force.

These requests about cookies and the use of personal data are annoying, say 53% of Germans, the poll found.

Some 14% don’t care about consenting to how their data is used, saying “I just click on anything”.

Just 12% feel a sense of self-determination over their data when they see the requests, they told pollsters.

Cookies are text files with small pieces of data – like a username and password – that are used to identify your computer as you use a computer network, helping web servers and browsers communicate with each other.

It is thanks to cookies that browsers can remember your login, for example – or what you have put in your virtual shopping basket.

The technology is also what facilitates personalised advertising.

While some cookies are useful, among the most controversial are the third-party cookies that track users across several websites, creating profiles of personalities for advertising purposes.

Now that the use of cookies has been significantly restricted by the GDPR, the industry is making less use of this method of tracking consumer behaviour, in Europe and beyond.

German Federal Data Protection Commissioner Ulrich Kelber says this makes the GDPR a global benchmark in data protection, four years since its inception.

But the law does not necessarily mean citizens are automatically better protected. “For that, we need data protection supervisory authorities, court rulings and responsible handling of data by states and companies.” Much has happened in these areas over the past few years, he says.

Hundreds of millions in fines

Even large US corporations cannot circumvent the GDPR, as data protection authorities can impose fines of up to 4% of global annual turnover for serious violations.

Online retailer Amazon has paid the highest fine so far, after Luxembourg ordered the company to pay a record €746mil (RM3.52bil) in July 2021 when a European civil rights group complained about the processing of personal data.

After Amazon’s whopping fine came WhatsApp, slapped with a €225mil (RM1.06bil) fine by the Irish data protection authorities for failing to comply sufficiently with European information requirements.

The French data protection authority meanwhile fined Google €90mil (RM424.72mil) for lacking sufficient legal basis for how it processes data.

German data protection commissioners have been relatively restrained, according to the GDPR Enforcement Tracker, issuing fines of €52.1mil (RM245.87mil) in 63 notices that were made public.

The highest was for fashion retailer H&M, which was forced to pay €35.25mil (RM166.35mil) by the Hamburg Data Protection Commissioner in October 2020 for serious violations of employee data protection rules.

However, Germany’s data chief Kelber says the GDPR is not only a means to exert pressure: More and more companies now see data protection as a sales advantage.

This also applies to other countries outside the EU, which are following the GDPR with their own laws. “It is particularly important to me that citizens become aware in the first place that their data is worth protecting.”

Representatives of the digital economy meanwhile are critical of the GDPR. Achim Berg, who leads tech industry association Bitom, says so far, the regulation has only partially achieved its goal of standardising European data protection legislation and practice.

A Bitkom study found 37% of companies say that the GDPR was an international competitive advantage, while “40% do not see any advantage in it – and 18% see it as a disadvantage”, Berg says.

Meanwhile 64% said data protection hinders the implementation of data-driven business models in their company.

Products or business models that have gained an international competitive advantage from a particularly strict interpretation of the regulation are still not known, he said.

Data protection must be oriented towards real dangers, not theoretical risks, says Berg. “If, for example, teachers are banned from using functioning and proven video conferencing systems in schools solely because the providers are based in the US, then we are chasing a ghost. No US authority will be interested in the maths teaching at a Berlin primary school.” – dpa