GDPR Three Years Later: What We’ve Learned and What’s Ahead of Us

By Petar Todorovski, Data Privacy Specialist. 8 August 2022

The EU’s General Data Protection Regulation (GDPR) came into effect three years ago and changed the online world for good.

Businesses that had been using personal data with almost no limitations now have to pay attention to what they do with users’ personal information. This followed a few lucrative years in which online businesses earned loads of money simply by making data-driven decisions based on personal data, often without users’ knowledge.

The GDPR brought constraints to that use, so the outcry from businesses came as no surprise. It had to happen, though.

Cases such as the Facebook and Cambridge Analytica scandal and the series of data security failures at Equifax drew the public’s attention to online data privacy. The media caused hysteria, legislators passed laws, and we were brought into a new reality of online privacy.

Three years later, the situation seems different.

GDPR After 3 Years

What We Have Seen So Far

What we’ve seen so far is that:

  • GDPR has set new standards for online privacy laws
  • But the US resists the wave
  • And that makes things complicated for everyone
  • Data protection authorities issue huge fines
  • Meanwhile, most of the businesses remain non-compliant
  • Yet, privacy by design could become a new standard

There is still a long way to go. Some of the challenges for the near and mid-term future include:

  • New EU-US agreement on data transfers
  • Schrems tackling the “cookie banner terror”
  • Passing the new ePrivacy Regulation, expected to bring some clarifications
  • Some big economies are expected to pass their GDPR-like laws, but not the US
  • In the US, though, some novel concepts are being considered, such as property rights over personal data
  • Blockchains will be quite challenging in terms of privacy

GDPR Started a Wave of Passing of Similar Laws

25 May 2018 was just the beginning. When GDPR came into force, businesses worldwide wondered how they would meet the high requirements, claiming that the GDPR would not work.

But it did. And eventually, it caused a wave of introductions of new data protection laws all around the world.

Whenever some country introduces a new data protection law or updates the existing one, it always mirrors the provisions of the GDPR. It is not always as strict or demanding, but it is similar.

These countries include candidate countries for EU membership, the United Kingdom, Israel, Australia, Brazil and most other countries in South America, Egypt, Kenya, Dubai (the Dubai International Finance Centre only), Thailand, and others.

The US Still Refrains

GDPR was passed, among other things, to tackle the Googles and Facebooks of the world. Meanwhile, the tech giants’ homeland still refrains from passing GDPR-like legislation.

The United States is the only well-developed country without a comprehensive data protection law. US citizens are not as protected as EU citizens, Canadians, Brazilians, and others who enjoy the benefits of GDPR-like protection.

While the European Union tends to regulate everything everywhere, the US government often takes the opposite approach. As a result, data protection in the US is still very weak compared to other parts of the world.

Despite the calls for a federal data protection law, the data protection legal landscape in the US is still a big mess. Only three states have data protection laws, California, Virginia, and Nevada, while the rest have only data breach laws.

Of those three, the Nevada law is quite obscure compared to the GDPR, the CCPA of California does not apply to all businesses, and the Virginia CDPA will come into force in 2023 and is not comprehensive either.

The US is still lagging in terms of consumer protection when it comes to data. Most attempts to introduce new laws have failed.

At the same time, the US is home to data brokers who supply politicians with large amounts of data they use in political campaigns.

And That Makes Things Harder for Everyone

The US does not provide data protection on a level equal to the GDPR. Therefore, data transfers from Europe to the US are quite complicated.

Transfers used to be regulated by the Privacy Shield. That was an agreement between the US and the EU under which personal data of EU users could be transferred freely to a list of compliant US companies registered with the Shield.

Max Schrems, the leader of NOYB (None of Your Business), an NGO working in the field of data privacy, knocked the agreement down. He initiated proceedings at the Court of Justice of the European Union. The Court ruled that personal data transfers from the EU to the US are unlawful under the GDPR because, due to the nature of US laws, the data may be exposed to US authorities at any time.

This court decision is known as Schrems II. The Schrems I decision brought down the Safe Harbor, the data transfers agreement that preceded the Privacy Shield.

Three years after the GDPR’s introduction, the EU and the US are negotiating a new deal. The constraints set by the Schrems II decision will be hard to get around.

Hefty Fines Have Become Usual

Back in 2018, the GDPR was known as the Boogeyman due to the huge fines it prescribed. Fines of up to 4% of annual turnover or 20 million EUR, whichever is greater, were unprecedented.

But very soon, they became usual.

The national data protection authorities of the EU countries do not hesitate to issue hefty GDPR fines. The largest reach 50 million EUR. This doesn’t mean companies go out of business, since that is not the law’s intention.

The GDPR aimed to tackle the tech giants, so it prescribed huge penalties. Nevertheless, many fines for small businesses are in the four digits.

Unsurprisingly, brands such as Google, Marriott, H&M, and other big companies get fined for violations. The authorities do not hesitate to issue such fines, and they have become usual. However, these fines do not scare small businesses too much.

However, this doesn’t solve the non-compliance issues in general because…

Many Businesses Are Not Compliant Yet

Small businesses, in many cases, are not compliant with the GDPR yet. Although tech giants can violate online privacy laws on a massive scale, small companies often violate data subject rights.

Multiple reasons lead to this:

  • Small businesses do not have the resources for compliance. This particularly applies to businesses that are just starting, businesses with scrappy budgets on the verge of going out of business, one-person businesses, etc.
  • They just try to get by. Many think the DPA won’t come after them because it is too busy with big companies. And they may be right. Many DPAs are understaffed and lack the resources to go after every GDPR violator. There are only 27 DPAs in the EU, while billions of online businesses worldwide need to comply with the law. The numbers imply that it is simply not possible for authorities to catch every business that violates the law unless users take action against them. And that doesn’t happen often, because users lack awareness of their rights or simply love the convenience of sharing personal data with an online business.

As a result, tech giants easily comply with the GDPR when they want, while small businesses often cannot carry the burden of compliance. Or they don’t want to bother because the policeman is too busy with big companies.

Awareness Around Data Privacy May Be Rising

Awareness around data privacy may be rising, but no one knows for sure.

On the one hand, we see privacy issues discussed in mass media more often.

We also saw people quitting WhatsApp over data privacy, as well as a big debate about whether Apple was right to require developers to be more transparent.

At the same time, the aforementioned Max Schrems and his NOYB are now going after businesses that do not meet the cookie banner requirements.

On the other hand, most businesses are not compliant, which means they have never been challenged by a user who wanted to exercise their data subject rights.

So, are people more aware of their data privacy rights and trying to protect themselves? Or are they reacting to the outrage created by the mass media against tech giants?

No one can say for sure. Only time will tell what’s the truth.

Yet, Privacy by Design Becomes a Standard

Privacy by design is a framework for embedding data protection in products and services.

Before the GDPR, it was largely an unknown term. Nowadays, many developers consider data protection while building a product or service.

Privacy is now a feature of many products. For others, privacy is the product itself. In both cases, GDPR had a huge positive influence on embedding online data privacy into the products or services.

What Comes Next?

Three years of GDPR implementation show that the online world has changed a lot.

But, this is not the end.

Some trends continue to grow, while some new ones appear on the horizon.

The Wave of New Privacy Laws Will Continue

Many countries have passed new laws, but many others have not done it yet. This includes big economies such as the United States, India, and Indonesia.

India is in the process of passing a new law. Indonesia may introduce a new one soon as well. Both are expected to rely on the principles present in the GDPR.

Canada is preparing a new federal data protection law as well. This one is expected to put companies at the risk of even bigger fines than those in the GDPR. At the same time, some Canadian provinces ponder passing provincial online privacy laws to protect their citizens.

On top of that, the EU is about to update its privacy laws by passing the ePrivacy Regulation. If passed at all, it is expected to bring clarification on the use of metadata, IoT-related communication, privacy around messaging apps, etc.

US Won’t Pass a GDPR-Like Law

Despite the calls for passing a law like the GDPR on a federal level in the US, it seems that it won’t happen anytime soon.

Politicians from some US states continuously attempt to bring online privacy discussions into state legislative bodies, but very few states have passed any data protection law. Even those that have been introduced are far from the comprehensiveness of the GDPR.

But New Ideas Come From the US

Andrew Yang, a candidate in the US Democratic primary elections 2020, brought the idea of personal data as an asset. Yang’s idea was to grant data subjects the right to receive money in return for sharing their personal data.

This idea has not been included in law yet, although there is something like that in the CCPA. In some of the recent updates, the CCPA regulated the financial incentives for users who share personal data for that purpose. This pertains mostly to loyalty programs, though, so data is not an asset in California yet.

New EU-US Data Transfers Agreement Is Necessary

A new data transfer agreement between the European Union and the United States is more than necessary. Without such an agreement, data transfers are tricky and make it easy to slide into violation of the GDPR.

More Businesses May Become Compliant

Schrems is after small and medium businesses now. The action against the so-called “cookie banner terror” aims to make companies respect GDPR cookie banner rules.

They have employed an automated system that can create up to 10,000 complaints daily. The complaints will be sent to companies; if they do not comply within a month, NOYB will send the complaints to data protection authorities.

It is reasonable to expect that such actions could make businesses consider their GDPR compliance one more time.

Blockchains Pose a Huge Challenge

When legislators were writing the GDPR, they had not thought of blockchains. Although the GDPR is tech-agnostic, it has some points of conflict with blockchains, such as:

  • The right to be forgotten, which is impossible on the blockchain
  • Applicability of the territorial scope of the GDPR, since nodes can be everywhere
  • Who is the data controller (are the nodes data controllers?)

Blockchains are a space of their own. Their development and alignment with the GDPR will also be exciting.


GDPR is here to stay. Its influence has been mostly positive. It burdens small businesses, but protecting personal data is more important.

GDPR has set the global standard for data protection. With so many countries mirroring its provisions, a GDPR-compliant business can easily be globally compliant with pretty much all the existing data privacy laws worldwide. If you comply with the GDPR, you comply with them all.

Unless your business is in the crypto space; that is where the real challenges lie. Blockchains bring an exciting future but a lot of headaches for EU legislators.

All we can do in the meantime is sit back and wait for the developments.
