To the extent that 260-page regulations can ever be said to be “famous,” Europe’s General Data Protection Regulation (GDPR) certainly had its moment in limelight in 2018. When it came into force on May 25, it was heralded by a flurry of emails from tech companies, desperate to re-establish their absolutely bona-fide relationships with your email address before the regulations’ stricter rules around user consent came into force.

The barely-concealed panic in some corners led to editorials, memes, and even a meditation app that marketed itself (presumably in compliance with the GDPR) by offering to lull its users to sleep with spoken excerpts from the law.

Did the GDPR live up to the year’s hype, good or bad? As Premier Zhou Enlai didn’t quite say about the French Revolution, it’s too early to say. There are plenty of ways that the GDPR can help with defending privacy online, but the real proof of the GDPR’s provisions will be in how they are enforced, and against whom. And those patterns will only emerge as European regulators begin to flex their new powers.

They have quite the backlog already. Hours after the GDPR came into effect, Max Schrems (2016 EFF Pioneer Award winner, and the successful challenger of the EU’s privacy safe harbor with the United States) filed a series of complaints in his home country of Austria. Aimed at Google, Instagram, WhatsApp and Facebook, the cases revolve around the claim that these services gave customers no real choice in accepting the new privacy policies – which would be a breach of the tougher GDPR rules. In November, Privacy International filed another series of complaints aimed at the practices of Europe’s leading data-brokers, credit agencies, and ad-tech companies. It wasn’t just non-profits: the company behind the Brave browser also filed a GDPR complaint in Ireland, challenging the basis of the modern online advertising business.

We’re waiting for the results of those complaints, and their inevitable appeals. Even without key enforcement decisions, GDPR’s broad popularity has already prompted regulators and lawmakers around the world to increase their oversight of personal data. In Italy, it was competition regulators that fined Facebook ten million euros for misleading its users over its personal data practices. Brazil passed its own GDPR-style law this year; Chile amended its constitution to include data protection rights; and India’s lawmakers introduced a draft of a wide-ranging new legal privacy framework.

The GDPR increases fines and the ability of regulators to intervene on behalf of potential privacy violations – but with great power can come great irresponsibility. If you’ve seen how copyright law can be twisted to turn into an engine for censorship and surveillance, it will have come as no surprise when Romanian authorities attempted to use the GDPR’s wide powers to threaten journalists investigating corruption in the country. The EU body in charge of the GDPR, the European Data Protection Supervisor, has yet to publicly comment on what is happening in Romania, but it’s a vivid reminder that even the most well-intentioned laws can have unimagined consequences.

This article is part of our Year in Review series. Read other articles about the fight for digital rights in 2018.

DONATE TO EFF

Like what you're reading? Support digital freedom defense today!