Mark Zuckerberg, chief executive officer of Facebook, Dan Rose, vice president, partnerships at Facebook, and Sheryl Sandberg, chief operating officer of Facebook, attend the annual Allen & Company Sun Valley Conference, July 12, 2018 in Sun Valley, Idaho. Drew Angerer | Getty Images

The European Union's General Data Protection Regulation was celebrated as a revolution in how internet privacy could be legislated. It was a reaction to long-term concerns in the EU about information collection by tech giants like Facebook, Alphabet and Apple. Known as GDPR, the regulation gave sweeping new powers to individuals in how they can control their data, including the right to demand that companies tell them how their data is used, and to ask corporations to destroy their data, a tenet of the law known as "the right to be forgotten."

The law also imposed the world's stiffest potential privacy fines: up to 20 million euros or 4% of a company's global annual revenue for the previous year for the most egregious violations. For Facebook, such an upper-level fine could therefore feasibly reach $1.6 billion.

But one year later, GDPR hasn't lived up to its potential. Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it's unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.

'Our privacy policy has changed'

"I'm kind of a conscientious objector to the notice and consent model," said Laura Jehl, partner in the privacy and data protection practice at law firm BakerHostetler, referring to the GDPR framework that led to the now-ubiquitous "we've updated our privacy policy" notice. "It's offloading too much responsibility to the individual," to understand the notices and take action on them.

The notices were meant as a jumping-off point where people could begin the journey of understanding how each of their applications and the websites they visit use their data. But they have probably had the opposite effect, Jehl said. "If you have a job, or kids, or hobbies, or a life, you can't do that, keeping track of all that. It would be a full-time job to protect your privacy in a notice and consent model."

Consumers are often confused as to how they can actually take advantage of GDPR's privacy powers. "I think it has given consumers a greater awareness of what data is being collected about them, and a greater ability to control that data," said Scott Pink, special counsel in the data security and privacy practice at law firm O'Melveny & Myers. "But now, I think there's still some lack of clarity from consumers on exactly what they need to do."

"Consent fatigue" may be an unfortunate adverse side effect, said Odia Kagan, chair of the GDPR compliance program at law firm Fox Rothschild. "I think that the importance of people understanding what is going on with their data, and not having a surprised reaction that somebody has their information. When you need to click 329 toggles, that is also a problem, because you won't want to do it. The actual process is something we still need to work on so we don't get consent fatigue."

Unimpressive fines so far

Google was hit with a $57 million fine in January over how it uses data for ad-targeting, but the company is fighting it. Facebook was fined about $645,000 over the Cambridge Analytica scandal, which involved the alleged misuse of customers' personal information for election research conducted by Donald Trump's presidential campaign.

"In the beginning, a number of [EU] regulators informally said 'we know you guys aren't ready for GDPR, and to be honest, we're not really ready either,'" said Jehl. That informal grace period is, however, likely coming to an end, she said.

"The enforcement is just getting started," said Kagan. "The higher fines are very likely going to be in connection with very large companies with very complex structures. We haven't seen them because they aren't done yet."

The data protection authorities have other tools as well, which might be even costlier than fines, Kagan said. In some cases, EU regulators can tell companies, "You have 90 days to rectify the thing you are doing wrong with the data, or after 90 days you cannot use the data." Sometimes, even the big fines won't make or break a company, but losing the data will if it is a core component of its business.

A new bureaucracy, too

GDPR introduced something new to many corporations that do business with European clients: a data protection officer. To be compliant with GDPR rules, companies had to hire (or outsource) someone to lead a data protection office. This is a tricky proposition at many companies, especially the biggest ones, where this new role -- and the bureaucracy that goes with it -- often overlaps with existing executive functions, such as cybersecurity, privacy, legal, audit and technology risk, among others.

"They have a lot of special protections that regular [executives] don't have," explained Jehl. The data protection officer's duty is to protect customers' data, even if that protection goes against other business objectives, meaning there are often different rules on how the executive can be disciplined or dismissed, she said.

The new role is a positive step in terms of "increasing the importance of data and privacy management, and privacy professionals," said Pink. "But there is still somewhat of a tension between serving those requirements and making sure the business can make a profit, and also ensuring that the expense of complying is adequately funded but not too expensive."

Overwhelming to regulators