Case Study: GDPR's First Five Years

"The GDPR is both the most ambitious data protection regulation ever enacted and a permanent work in progress." — European Data Protection Board, Annual Report (2023)

Overview

The General Data Protection Regulation (Regulation (EU) 2016/679) became applicable on May 25, 2018, after a two-year transition period that followed its entry into force in May 2016. It was the most significant overhaul of European data protection law in two decades, replacing the 1995 Data Protection Directive with a directly applicable regulation that imposed uniform obligations across all EU member states. Its passage was followed by a wave of global attention, and global anxiety. Companies scrambled to achieve compliance. Inboxes filled with consent re-confirmation emails. Privacy policies were hastily rewritten. And the world waited to see whether the GDPR would live up to its transformative promise or collapse under the weight of its own ambitions.

This case study examines what actually happened. It traces the GDPR's first five years of operation — its enforcement record, its practical impact on business practices, its influence on global regulation, and the persistent challenges that remain.

Skills Applied:
  • Evaluating regulatory effectiveness against stated objectives
  • Analyzing enforcement patterns and identifying structural factors that shape them
  • Assessing the gap between law on the books and law in practice
  • Connecting regulatory design to real-world outcomes


The Pre-GDPR Landscape

The Directive Era

Before the GDPR, European data protection was governed by the 1995 Data Protection Directive (Directive 95/46/EC). As a directive rather than a regulation, it required each member state to transpose its provisions into national law, producing, by the time of its repeal, 28 different national implementations with significant variations.

A company operating across Europe might face different consent requirements in Germany and France, different breach notification rules in Spain and the Netherlands, and different enforcement cultures in Ireland and Italy. This patchwork undermined the single market, frustrated businesses, and created enforcement gaps that data-intensive companies could exploit.

The Directive was also a product of its era. Written before the commercial internet, before social media, before smartphones, before cloud computing, and before the emergence of the data economy as a primary economic force, it lacked the tools to address the defining data protection challenges of the 2010s.

The Reform Process

The European Commission proposed a new data protection framework in 2012. Four years of intense negotiation followed, involving the Commission, the European Parliament, and the Council of the EU. More than 3,000 amendments were proposed to the Parliament's draft alone — the most ever for a single piece of EU legislation.

The final text, adopted in April 2016, reflected compromises among member states with different regulatory traditions, between privacy advocates and industry lobbyists, and between the institutions themselves. The regulation was given a two-year implementation period, with enforcement beginning on May 25, 2018.


Year One: The Compliance Scramble (2018-2019)

In the weeks surrounding May 25, 2018, the most visible consequence of the GDPR was not enforcement but communication. An estimated 8 billion consent-related emails were sent worldwide as organizations asked users to re-confirm their marketing preferences. Cookie consent banners appeared on virtually every website accessible from Europe. Privacy policies — many of them untouched for years — were hastily rewritten.

For many organizations, the GDPR's most immediate impact was administrative. Companies appointed Data Protection Officers, conducted data mapping exercises, and implemented data subject access request (DSAR) procedures for the first time. The consulting industry experienced a boom: PwC reported a 30% increase in GDPR-related advisory revenue in 2018.

Early Enforcement: CNIL Leads

The first major GDPR fine came in January 2019, when France's Commission Nationale de l'Informatique et des Libertés (CNIL) imposed a €50 million fine on Google for lack of transparency, inadequate information, and lack of valid consent for ad personalization. The fine was significant for several reasons: it demonstrated that data protection authorities were willing to use the GDPR's enhanced penalty provisions; it targeted the world's largest advertising company; and it was issued by France rather than Ireland, where Google had its European headquarters. CNIL took the position that the one-stop-shop mechanism did not apply because Google's Irish entity did not, at that time, have decision-making power over the processing in question, so no "main establishment" existed and CNIL was free to act alone. This was an early test of the GDPR's jurisdictional mechanisms.

Other early enforcement actions were more modest. Most DPAs spent 2018-2019 processing the flood of data breach notifications (over 89,000 in the first year) and responding to a dramatic increase in individual complaints (over 144,000 in the first year).

The Resource Problem

A pattern that would persist throughout the GDPR's early years emerged immediately: data protection authorities were significantly under-resourced relative to their expanded mandates. The Irish Data Protection Commission, responsible for supervising Meta, Google, Apple, Microsoft, Twitter, TikTok, and numerous other tech giants that had established European headquarters in Ireland, had a budget of approximately €15 million and around 140 staff members. Measured by the scale and sensitivity of the processing it supervised, the DPC's mandate was arguably the largest of any DPA in the world.


Years Two and Three: Enforcement Escalates (2019-2021)

Landmark Fines

As DPAs completed initial investigations, major fines began to accumulate:

Year  Company                DPA              Fine           Basis
2020  British Airways        UK ICO           £20 million    2018 data breach
2020  Marriott International UK ICO           £18.4 million  Data breach affecting 339 million guest records
2020  H&M                    Hamburg DPA      €35.3 million  Excessive employee surveillance
2020  Google (France)        CNIL             €100 million   Cookie consent violations
2021  Amazon                 Luxembourg CNPD  €746 million   Non-compliant advertising targeting system
2021  WhatsApp               Irish DPC        €225 million   Transparency failures in privacy policy

Two notes on the table. The ICO's penalties against British Airways and Marriott were finalised in October 2020 after notices of intent issued in July 2019 had proposed £183 million and £99 million respectively; the reductions followed the companies' representations and took account of the economic impact of COVID-19. The CNIL's €100 million cookie fine was imposed under the French transposition of the ePrivacy Directive rather than under the GDPR itself, although it is routinely counted alongside GDPR penalties.

The Amazon fine — €746 million, the largest GDPR fine to date at that point — was issued by Luxembourg's data protection authority following a complaint coordinated by the French privacy advocacy group La Quadrature du Net. Amazon contested the fine, arguing that it had not violated the GDPR and that the Luxembourg DPA had exceeded its authority. The case underscored the tension between the GDPR's enforcement ambitions and the practical challenges of holding global corporations accountable.

The Ireland Problem

By 2020, a recurring criticism had crystallized: the Irish Data Protection Commission was too slow to act against the major technology companies headquartered in its jurisdiction. Under the GDPR's "one-stop-shop" mechanism, the DPA in a company's main EU establishment serves as the "lead supervisory authority" for cross-border processing. Because so many tech companies had their European headquarters in Ireland, the Irish DPC became the de facto regulator for much of the global data economy.

Other DPAs — particularly those in France, Germany, and Austria — grew frustrated with what they perceived as Ireland's reluctance to impose meaningful penalties on companies that generated significant tax revenue and employment. The European Data Protection Board (EDPB) intervened on multiple occasions, using its dispute resolution mechanism to override the Irish DPC's proposed decisions and impose higher penalties.

This dynamic revealed a structural tension in the GDPR's design: the one-stop-shop mechanism was intended to prevent companies from being subject to conflicting requirements from multiple DPAs, but it also concentrated enforcement power in jurisdictions that might have economic incentives to be lenient.

Individual Rights in Practice

Beyond headline fines, the GDPR's individual rights provisions produced measurable changes:

  • Data Subject Access Requests (DSARs): Organizations across the EU reported significant increases in DSARs. Financial services firms, in particular, experienced 300-500% increases in access requests.
  • Right to Erasure: Google processed over 1.2 million URL delisting requests in the GDPR's first three years. The delisting procedure itself predates the regulation, originating in the Court of Justice's 2014 Google Spain ruling; Article 17 GDPR codified the "right to be forgotten" as the right to erasure.
  • Data Portability: The right to data portability — the ability to receive one's personal data in a machine-readable format — saw lower uptake than expected, partly because interoperability standards were not yet in place.

Years Four and Five: Maturation and Persistent Challenges (2022-2023)

The Meta Decisions

The GDPR's most significant enforcement tests involved Meta (Facebook, Instagram, WhatsApp). In January 2023, the Irish DPC, following binding decisions by the EDPB, imposed fines totalling €390 million on Meta (€210 million for Facebook and €180 million for Instagram) for GDPR violations related to its legal basis for processing personal data for behavioral advertising. The EDPB's intervention overrode the Irish DPC's more lenient initial proposals, forcing higher fines and requiring Meta to stop relying on "contractual necessity" as a legal basis for advertising personalization, with three months to bring its processing into compliance.

This decision was consequential because it struck at the economic foundation of Meta's business model. If Meta could not rely on "contractual necessity" to process data for advertising, it would need to obtain opt-in consent — a far higher bar that could significantly reduce the volume of data available for ad targeting.

Meta responded by introducing a "pay or consent" model in the EU: users could either consent to personalized advertising or pay a monthly subscription fee for an ad-free experience. This model itself faced legal challenge; privacy advocates argued that conditioning a "free" service on consent to data processing was not freely given consent under the GDPR.

Separately, in May 2023 the Irish DPC, again acting on a binding EDPB decision, fined Meta €1.2 billion for transferring Facebook users' personal data to the United States without adequate safeguards following the Schrems II judgment. That penalty overtook the Amazon fine as the largest issued under the GDPR.

Consent Fatigue

Five years in, the consent mechanisms associated with the GDPR had produced an unintended consequence: consent fatigue. Strictly, cookie banners are a consequence of the ePrivacy Directive's consent requirement, but since 2018 that consent must meet the GDPR's definition, so the two regimes are inseparable in practice. The average European internet user encountered an estimated 2,000-3,000 cookie consent banners per year. Studies found that the vast majority of users clicked "Accept All" without reading the options, not because they had made an informed choice, but because the friction of managing consent across hundreds of websites was unsustainable.

"Dark patterns" in cookie consent interfaces proliferated: "Accept All" buttons were prominently displayed in bright colors, while "Reject All" or "Manage Preferences" options were hidden behind multiple clicks and gray-on-gray text. The EDPB and several DPAs issued guidance requiring that rejecting cookies be as easy as accepting them, but enforcement was inconsistent.

This phenomenon raised a deeper question about the GDPR's notice-and-consent model: if the sheer volume of consent requests overwhelms users' capacity to make meaningful choices, does the mechanism serve its purpose?

The Global Influence

By 2023, the GDPR's global influence was undeniable:

  • Over 160 countries had enacted some form of data protection legislation, with the majority showing significant GDPR influence.
  • Brazil's LGPD, India's DPDPA, Japan's amended APPI, South Korea's amended PIPA, and numerous other laws drew directly on GDPR concepts.
  • The "Brussels Effect" was visible in corporate practice: multinational companies routinely implemented GDPR-compliant data practices globally rather than maintaining jurisdiction-specific systems.

Assessment: What the GDPR Achieved and What It Did Not

Achievements

  1. A global standard. The GDPR established a de facto global baseline for data protection, influencing legislation on every continent.
  2. Institutional infrastructure. The GDPR created or strengthened data protection authorities across the EU, establishing a permanent enforcement infrastructure.
  3. Corporate accountability. The combination of significant penalties and reputational risk prompted genuine changes in corporate data practices — particularly in data breach response, transparency, and the appointment of data protection professionals.
  4. Individual rights. Millions of Europeans exercised data subject rights that did not previously exist in practice, gaining access to their data, requesting erasure, and objecting to processing.

Persistent Challenges

  1. Enforcement asymmetry. Enforcement remains uneven. Large, well-resourced companies can challenge fines through years of litigation. Small companies and non-EU companies often fall outside effective enforcement reach.
  2. The Ireland bottleneck. The concentration of Big Tech enforcement in Ireland remains a structural weakness.
  3. Consent fatigue. The GDPR's consent model has not produced the informed, empowered data subjects it envisioned.
  4. The SME burden. Compliance costs fall disproportionately on small and medium enterprises, which lack the resources to navigate complex requirements.
  5. Speed of enforcement. Major investigations take three to five years from complaint to decision — an eternity in the data economy.

Discussion Questions

  1. The GDPR was designed to protect fundamental rights, not merely to correct market failures. Based on the evidence from its first five years, do you believe it has succeeded in protecting those rights? What would success look like?

  2. The "Ireland problem" reveals a tension between the GDPR's one-stop-shop mechanism and effective enforcement. How would you redesign the mechanism to preserve its benefits (consistency, reduced burden on companies) while mitigating its weaknesses?

  3. Cookie consent fatigue is not a failure of the GDPR's text — the regulation does not require cookie banners; the ePrivacy Directive does — but it is widely perceived as a GDPR consequence. What alternative consent mechanisms could better serve the regulation's goals of transparency and informed choice?

  4. Evaluate the following claim: "The GDPR's greatest achievement is not what it has done within the EU, but what it has inspired elsewhere." Do you agree?


Your Turn: Mini-Project

Option A: Research the three largest GDPR fines issued since the period covered in this case study. For each, identify the company, the DPA, the amount, and the legal basis. Write a one-page analysis of whether these fines represent an escalation in enforcement or a continuation of existing patterns.

Option B: Select one non-EU country that has enacted data protection legislation influenced by the GDPR. Compare the two frameworks on three dimensions of your choice. Write a two-page analysis of where the non-EU law follows the GDPR model and where it diverges, and assess whether the divergences are justified by local context.

Option C: Visit five popular websites and examine their cookie consent interfaces. Document the design choices each makes: How easy is it to reject cookies? Are dark patterns present? What information is provided? Write a one-page assessment of whether these interfaces achieve the GDPR's goal of informed consent.


References

  • European Data Protection Board. GDPR First Five Years — Overview of Enforcement Actions. Brussels, 2023.

  • Satariano, Adam. "Europe's Privacy Law Has Been a Buzzkill for Some, Boon for Others." The New York Times, May 24, 2023.

  • Bradford, Anu. The Brussels Effect: How the European Union Rules the World. New York: Oxford University Press, 2020.

  • Enforcement Tracker (CMS). https://www.enforcementtracker.com — a publicly accessible database tracking all reported GDPR fines.

  • Noyb (None of Your Business). "Pay or Okay: Noyb Files Complaint Against Meta's 'Privacy Fee.'" Press release, 2023.

  • Irish Data Protection Commission. Annual Report 2022. Dublin, 2023.

  • Custers, Bart, et al. "Consent and Privacy in the Age of GDPR." European Data Protection Law Review 5, no. 3 (2019): 345–362.