97% of consent banners don't comply with GDPR (NOYB, 2023)
€4.5B total GDPR fines issued since 2018
17% of Europeans feel in control of their personal data (Eurobarometer 2024)

The most ambitious privacy law ever written

When the General Data Protection Regulation came into force on May 25, 2018, it was heralded as a turning point for digital privacy. The EU had created the world's most comprehensive data protection framework, with unprecedented fines (up to 4% of global annual turnover), a right to erasure, a right to portability, and requirements for explicit consent before data processing. Other jurisdictions were expected to follow.

Seven years later, it's worth asking honestly: did GDPR work?

The answer is complicated. GDPR has changed some things significantly. It has left other things largely unchanged. And in some areas, it has been actively undermined — sometimes by the companies it was designed to regulate, and sometimes by enforcement failures within its own system.

What GDPR got right

GDPR has had genuine impact in several areas:

What GDPR failed to fix

Despite its ambitions, GDPR has failed to address several core problems:

Consent theater

The consent banner has become the most despised element of the modern web. And with good reason: most consent banners are designed not to obtain genuine consent, but to manufacture it. NOYB's 2023 research found that 97% of consent banners use dark patterns — pre-ticked boxes, buried rejection options, misleading language — to steer users toward "Accept All." The banner exists to create legal cover, not to give users real choice.

Enforcement inequality

GDPR enforcement has been dramatically uneven. Ireland, where most major US tech companies have their EU headquarters, handles an outsized share of GDPR complaints. The Irish Data Protection Commission has been criticized for slow, incremental enforcement that benefits the companies it regulates. The 2023 Meta fine took over five years to resolve after the initial complaint.

The RTB problem

Real-Time Bidding — the mechanism that broadcasts your data to hundreds of companies with every page load — was identified as a fundamental GDPR violation in 2018. Dr. Johnny Ryan filed a formal complaint with Irish and UK regulators that year. As of 2026, RTB still operates at essentially the same scale, with the same data sharing practices, despite years of regulatory attention.

Data broker opacity

The data broker ecosystem — companies that profile and sell personal data — was supposed to be brought under control by GDPR. Most people cannot name a single data broker that has their data, let alone exercise rights against them. The infrastructure of commercial surveillance continues largely unaffected.

The gap between rights and reality

GDPR gives EU residents extensive rights: access, erasure, portability, objection, restriction. In theory, you can contact any company, demand to know what data they hold on you, and require them to delete it. In practice:

A 2024 Eurobarometer survey found that only 17% of Europeans feel in control of their personal data — down from 24% in 2019. Despite GDPR, the feeling of being tracked has increased, not decreased.

What comes next

GDPR was a beginning, not an end. The regulatory landscape is evolving:

What Data Mirror measures

GDPR's effectiveness gap is precisely why transparency tools matter. Data Mirror shows you, in real time, which companies are collecting your data on every website you visit — regardless of whether the consent banner said they wouldn't. When your data leaves the EU to servers in the US, China, or Russia, Data Mirror flags it. When data brokers load on a page, Data Mirror identifies them by name.

Regulation is moving. In the meantime, visibility is the best available protection.

Sources: NOYB — "Dark Patterns and Consent" (2022–2023) · Eurobarometer — "Data Protection in the EU" survey (2024) · ICCL — GDPR enforcement tracker · European Data Protection Board — Annual Report 2023 · Enforcement Tracker (enforcementtracker.com)
