The most ambitious privacy law ever written
When the General Data Protection Regulation came into force on May 25, 2018, it was heralded as a turning point for digital privacy. The EU had created the world's most comprehensive data protection framework, with unprecedented fines (up to 4% of global annual turnover), a right to erasure, a right to portability, and requirements for explicit consent before data processing. Other jurisdictions were expected to follow.
Seven years later, it's worth asking honestly: did GDPR work?
The answer is complicated. GDPR has changed some things significantly. It has left other things largely unchanged. And in some areas, it has been actively undermined — sometimes by the companies it was designed to regulate, and sometimes by enforcement failures within its own system.
What GDPR got right
GDPR has had genuine impact in several areas:
- Awareness: Before GDPR, most Europeans had never seen a privacy policy and had little understanding of data collection. The consent banner — however imperfect — has made hundreds of millions of people aware that data collection is happening.
- Large fines as deterrent: Meta was fined €1.2 billion in 2023 for transferring EU user data to US servers without adequate protection. Amazon received a €746 million fine in 2021. These numbers have made companies take compliance seriously in ways they never did before.
- Right to access and erasure: EU residents can now request their data from any company and demand deletion. While compliance is inconsistent, the right exists and is increasingly exercised.
- Data breach notification: Companies must now notify regulators within 72 hours of a data breach. This has dramatically increased transparency about breaches.
- Privacy by design: GDPR's requirement to consider privacy at the design stage, not as an afterthought, has influenced how software is built.
What GDPR failed to fix
Despite its ambitions, GDPR has failed to address several core problems:
Consent theater
The consent banner has become the most despised element of the modern web. And with good reason: most consent banners are designed not to obtain genuine consent, but to manufacture it. NOYB's 2023 research found that 97% of consent banners use dark patterns — pre-ticked boxes, buried rejection options, misleading language — to steer users toward "Accept All." The banner exists to create legal cover, not to give users real choice.
Enforcement inequality
GDPR enforcement has been dramatically uneven. Ireland, where most major US tech companies have their EU headquarters, handles an outsized share of GDPR complaints. The Irish Data Protection Commission has been criticized for slow, incremental enforcement that benefits the companies it regulates. The 2023 Meta fine took over five years to resolve after the initial complaint.
The RTB problem
Real-Time Bidding — the mechanism that broadcasts your data to hundreds of companies with every page load — was identified as a fundamental GDPR violation in 2018. Dr. Johnny Ryan filed a formal complaint with Irish and UK regulators that year. As of 2026, RTB still operates at essentially the same scale, with the same data sharing practices, despite years of regulatory attention.
Data broker opacity
The data broker ecosystem — companies that profile and sell personal data — was supposed to be brought under control by GDPR. Most people cannot name a single data broker that has their data, let alone exercise rights against them. The infrastructure of commercial surveillance continues largely unaffected.
The gap between rights and reality
GDPR gives EU residents extensive rights: access, erasure, portability, objection, restriction. In theory, you can contact any company, demand to know what data they hold on you, and require them to delete it. In practice:
- Companies routinely delay responses beyond the 30-day deadline with minimal consequence.
- Responses are often incomplete or technically formatted to discourage further action.
- Data brokers are difficult to identify and contact.
- Exercising rights requires sustained effort that most people cannot or will not invest.
A 2024 Eurobarometer survey found that only 17% of Europeans feel in control of their personal data — down from 24% in 2019. Despite GDPR, the feeling of being tracked has increased, not decreased.
What comes next
GDPR was a beginning, not an end. The regulatory landscape is evolving:
- EU AI Act (2024): Addresses AI-driven profiling and automated decision-making with personal data.
- ePrivacy Regulation: Long-delayed replacement for the Cookie Directive, which would specifically address RTB and behavioral advertising. Still not passed as of 2026.
- Digital Markets Act: Targets gatekeepers like Google and Meta, restricting how they combine data across services.
- US state laws: California (CCPA/CPRA), Virginia, Colorado, and a growing number of US states have enacted data privacy laws influenced by GDPR.
What Data Mirror measures
GDPR's effectiveness gap is precisely why transparency tools matter. Data Mirror shows you, in real time, which companies are collecting your data on every website you visit — regardless of whether the consent banner said they wouldn't. When your data leaves the EU to servers in the US, China, or Russia, Data Mirror flags it. When data brokers load on a page, Data Mirror identifies them by name.
Regulation is moving. In the meantime, visibility is the best available protection.
Sources: NOYB — "Dark Patterns and Consent" (2022–2023) · Eurobarometer — "Data Protection in the EU" survey (2024) · ICCL — GDPR enforcement tracker · European Data Protection Board — Annual Report 2023 · Enforcement Tracker (enforcementtracker.com)
See who's tracking you — right now
Data Mirror is free, local, and requires no account. Install it and start seeing the truth about every website you visit.