Reflecting on 5 Years of the GDPR Principles
We’re nearing the 5-year anniversary of the EU’s landmark data privacy legislation, the General Data Protection Regulation. The GDPR came into effect on May 25, 2018, forever changing the internet.
Various countries had laws covering aspects of data protection before the GDPR, but the EU's decision to enact a single, comprehensive data protection law went far beyond anything that existed at the time. In the five years since, the GDPR has set off a wave of privacy legislation; today well over 100 countries have some form of data protection law on the books.
Many of those laws, such as Brazil's LGPD and American state-level laws like the CCPA and VCDPA, borrow heavily from the GDPR's core tenets, right down to its controller and processor vocabulary. Because of this influence, the GDPR is seen as the poster child for data protection globally.
On such a noteworthy anniversary then, it’s a good time to look at the GDPR principles that form the foundation of the regulation and see how they have stood up and been executed so far.
What are the GDPR Principles?
Six of the seven principles listed in Article 5(1) of the GDPR have roots in the EU's 1995 Data Protection Directive. The seventh, accountability, is new to the GDPR (Article 5(2)): it requires controllers not only to follow the other six but to be able to demonstrate that they do.
Here are the GDPR principles, with a brief overview of each:
- Lawfulness, fairness, and transparency: These three are grouped together because they are so interconnected. Essentially, companies always need a valid legal basis (Article 6) for using personal data, they must be open about what that basis and purpose are, and they must not deviate from them.
- Purpose limitation: Companies must only use data for the specific purposes stated when it was collected, and must not process it further in ways incompatible with those purposes.
- Data minimization: Companies should collect only what is adequate, relevant and necessary for the stated processing purposes. Holding less data shrinks the blast radius of an event such as a data breach and protects individuals from privacy harms.
- Accuracy: Controllers need to make sure the data they hold is correct and, where necessary, up to date. Because the "right to rectification" (Article 16) is a core data right given to individuals, this principle also implicitly underlines the importance of data subject request handling, as a correction request might be the only way a company learns that the information it holds is inaccurate.
- Storage limitation: Companies must keep personal data only as long as necessary for the stated purpose, should disclose that retention period in clear terms in their privacy notice, and must then delete or anonymize the data.
- Integrity and confidentiality: This one is big. Organizations must keep data secure and protect it from unauthorized access, loss and misuse through appropriate technical and organizational measures (spelled out further in Article 32). The idea is obvious in retrospect, but it reframes companies as stewards of data rather than merely collectors of it.
- Accountability: The seventh principle requires companies to have clear proof that they are following the other six, typically in the form of records and documents. GDPR requirements like Records of Processing Activities (RoPA, Article 30) and Data Protection Impact Assessments (DPIAs, Article 35) give this principle teeth, as companies must keep those current in case a data protection authority requests them.
GDPR Principles: relevant 5 years later?
Today, in 2023, the GDPR principles are still in effect and relevant, and since none has been amended or added, the regulation's foundation has proven to be solid.
The amount of data privacy and protection regulation enacted since the GDPR is in itself a massive success, but the significant increase in public awareness of data privacy, of individual data rights, and of how companies treat data is arguably the main success so far.
In the week of the GDPR’s implementation alone, the abundance of new cookie consent banners on innumerable websites was a message to people that data privacy was something to pay attention to. A 2020 European Commission report found that 70% of the adult population knew about the GDPR and their respective country’s data protection authority.
One can imagine that figure is higher in 2023, as high-profile GDPR fines and other data protection news have constantly made headlines in the past few years. Over time, more European companies have also committed to compliance and a proactive data privacy approach, using tooling for things like data mapping and automated request handling to build robust privacy programs.
GDPR Principles: effective, but not perfect
A major selling point of the GDPR was that it united data protection regulation under a single umbrella, yet the various data protection authorities within the EU often interpret and enforce the regulation in different ways. Ireland's DPA, for example, regularly issues fines against corporations, while Germany's state-level DPAs usually take a more measured approach that results in warnings and notices well before fines.
This fragmented reality has been on display in the European response to ChatGPT. The GDPR is sound in theory, which is why its principles have not needed revision; in practice, however, enforcement is a battle, especially as advanced technology like large language models emerges. Italy's DPA moved swiftly against OpenAI, whereas other European DPAs took weeks to issue statements and open inquiries into ChatGPT, or did nothing at all.
The GDPR principle that has proven most challenging is accountability, which is logical given its immense scope and the fact that it was the one principle without a direct predecessor in the earlier law.
Although nearly every company operating in the EU tries to maintain compliance, some do so by achieving the bare minimum. That is because the substantial data protection reform the GDPR demands requires investment in something that does not generate revenue, and some companies are hesitant to spend on it.
You can see this in the large percentage of companies that do not even have a full-time Data Protection Officer. A January 2023 survey by the Swedish DPA found that roughly 50% of the companies that responded had only a part-time DPO.
A second accountability problem is what happens after fines are levied against Big Tech companies like Google and Meta.
Fines are the engine of enforcement, compelling companies to comply with the regulation, but Big Tech companies have dragged GDPR fines into lengthy legal battles, tying up DPA resources, and in most cases the fines are not paid until years down the line. Meta is still contesting a 10-figure fine stemming from a GDPR complaint filed in 2018.
Yes, courts move slowly by nature, but the first half decade of GDPR enforcement has generated more headlines than actual victories. Has the way Big Tech companies operate actually changed since 2018? Few would feel comfortable claiming that it has.
What’s more important is what comes next. Innovators have not yet fully incorporated the GDPR principles into their product design, as tech show after tech show proves, indicating another area where lawmakers, regulators, and the public at-large need to make progress in the fight for data privacy.
The fight is upon us, however. Although the seven GDPR principles that form the foundation of the regulation have proven enduring so far and the regulation has brought about positive change, the next five years need to be better for data protection than the first five.
Frankly, data privacy advocates need to package and spread the message better. You will not convert millions just by focusing on the GDPR’s existence and the fact that companies must be compliant.
The privacy community needs to get into the meat of the GDPR principles, simplifying them and explaining their importance to people so everyone can have more meaningful conversations around not just data protection regulations, but data protection itself. Here’s to hoping that takes root in the next five years.