The GDPR two years on – success or failure?

9 June 2020

Two years ago, on May 25 2018, the European Union (EU) adopted the General Data Protection Regulation (the GDPR). At that time, the enactment was touted as the most important change to data privacy regulation of our generation.

The core ambitions of the GDPR were to:

  • create one coherent data protection framework across the EU, and
  • strengthen and protect the privacy rights of EU citizens.

One of the key changes under the GDPR was the expanded territorial scope, which meant many foreign businesses (including those located in New Zealand) were captured. The wide reach of the law, coupled with the potential for substantial fines for serious breaches (€20 million or 4% of global turnover, whichever is higher), meant the world sat up and took notice.

So, two years on, we take a look at what the GDPR has managed to achieve, and what might need further improvement.


The GDPR has no doubt enjoyed a reasonable measure of success since it was first introduced. Included in those successes are:

  • Awareness: The GDPR has arguably become the most well-known piece of legislative reform in recent history. Leading up to the introduction of the GDPR, a flurry of media reporting was seen around the world, with daily reports reminding businesses of their obligations and consumers of their rights. Since then, European-based entities, along with several foreign offices, have become familiar with their obligations and have implemented systems and procedures designed to ensure compliance.
  • Accountability: The GDPR certainly has teeth. Breaches of the GDPR have resulted in significant fines, the most significant of which include those involving British Airways (£183.39 million, or approximately NZ$357 million), Marriott International (£99.2 million, or approximately NZ$193 million), Google (€50 million, or approximately NZ$83 million) and Italian Telecom TIM (€27.8 million, or approximately NZ$48 million). The power to issue massive fines, coupled with the broad restrictions on the use of personal data without consent, has meant entities operating in the EU have become increasingly accountable for the types of data they are collecting.
  • Reach: The global reach of the GDPR has meant organisations worldwide have reconsidered their data collection practices, and amended them to fall in line with the GDPR's requirements. The regulation has also had flow-on effects in other jurisdictions, with the GDPR being regarded as a “global standard”. For example, since the GDPR was enacted, we have seen similar legislative reform worldwide, including in California, Brazil and India. New Zealand is in the process of updating its Privacy Act, with the Privacy Bill poised to undergo its third reading shortly.

Room for improvement

There is no doubt that the GDPR has made a big impact on privacy globally. There is, however, some room for clarification and improvement. In particular:

  • Insufficient privacy: There remain issues with whether the GDPR has actually afforded EU citizens greater digital privacy. There is certainly more information available to EU subjects about the ways their personal data will be used, with copious privacy and cookie notices being drawn to the attention of users at every opportunity. However, there are criticisms that the GDPR hasn't actually limited the collection of personal data by key organisations, or given EU subjects greater control over that information, in the sense of being able to grant or refuse access to it.
  • Unclear authority: There are also questions around the role of data protection regulators, who, as unelected officials, are increasingly being called upon to consider important policy decisions in fields relating to artificial intelligence and surveillance. Some are concerned this represents a “democratic deficit” [1] in the GDPR.
  • Overregulation: Issues with overregulation and unnecessary reporting of data security breaches have also arisen in the context of the GDPR. For example, in 2018 UK Deputy Information Commissioner James Dipple-Johnstone highlighted the issue of over-reporting data breaches and notification fatigue. According to Dipple-Johnstone, at that time the UK Information Commissioner's Office was receiving about 500 reports per week, with the Office finding that approximately one-third of the incidents were not actually reportable under the GDPR data breach threshold. Given the substantial penalties under the GDPR, the practice of over-reporting is unsurprising, but it certainly creates logistical issues for those working in the regulation space.

The GDPR is one of the most globally recognised and significant pieces of regulatory reform enacted within the last decade, and is still just in its infancy. Further technological advancements over the next decade will be pivotal in determining whether the GDPR is truly the “data hero” success story it was hoped it would be.

If you have any questions about the matters raised in this article please get in touch with the contacts listed, or your usual Bell Gully adviser.

[1] See, for example, this article by Omer Tene published on the IAPP website.

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.