GDPR is still here apparently


Manage episode 266264330 series 1402032
By Ciarán & Hugh. Discovered by Player FM and our community — copyright is owned by the publisher, not Player FM, and audio is streamed directly from their servers. Hit the Subscribe button to track updates in Player FM, or paste the feed URL into other podcast apps.

Support us on Patreon!

We now have a website that you can find here!

There's a discord here

WE HAVE A T-PUBLIC STORE what a fashionable way to support our podcast

Feel free to send us an email at or follow us on Twitter @PrevInEurope

If you can please leave us a review on Apple Podcasts and if you can't do that tell a friend, this stuff really helps us out

Also, have you considered Matteo Renzi?

## Also Happening: GDPR turns two

EU Commission GDPR Formal Review

The Cookies Thing?

Yes! Well.. not entirely the cookies thing, but yes the cookies thing. Most people interact with this by seeing those annoying popups being like "I consent to all cookies, please leave me alone", but what if I told you that was actually a good thing?

The general idea was to do what it says in the name "General Data Protection Regulation", so a regulation what was uniform across the EU and protected data. Cool so to keep data on someone via an EU state basically you now (as of 2018):

  • have to have consent
  • you can't keep it indefinitely
  • if they ask you to remove it you have to

This was actually a big deal considering how there's usually more concessions in EU legalisation for special interests - e.g. due to a major industry in a country or because David Cameron didn't want us to have nice things. But this was a pretty broad update to the 1990s data protection laws that really did seem planned to give some citizen level control over their data.

This was of course in the wake of Edward Snowden, Cambridge Analytica and that time Marc Zuckerberg gave a really crappy testimony to the EU ( So there was actually consensus that this was a good idea. It passed the council with only Austria complaining it wasn't strict enough and the parliament almost unanimously (though some who negotiated noted it was only after much convincing in negotiations

There were even fines built into it - up to €20m/4% of global turnover (whichever is bigger) if non-compliance continued.

So it worked?

Sort of! You've seen those cookies pop-ups right? See the EU Commission's very neutral infographic "the fabric of a success story" ( Also (

  • "Between May 2018 and November 2019, 22 EU/EEA data protection authorities issued 785 fines."

  • Google and Facebook are among those (, but in practice not much has changed

  • "The GDPR allowed for coronavirus tracing apps to be developed, all while respecting personal data protection as a fundamental right. "

  • EU countries spend a lot more on data protection officers than they used to (42% increase in staff and 49% in budget for all national data protection authorities)

  • They love to point out how nowhere else has as comprehensive a set of rules

  • "Citizens are more empowered and aware of their rights" - 69% (nice) of people are aware of GDPR... which seems like a pretty loaded stat but sure.

Cool so we're good?

There's been some issues:

  • Cross border complaints have worked only okay: "Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the ‘one-stop-shop', 79 of which resulted in final decisions."

  • In Romania Dragnea (of in prison for corruption fame) tried to use their data protection office to demand sources from journalists (

  • Probably the main issue.. which should have been apparent from the start was that tech firms tend to have EU bases in countries like say, Ireland or Luxembourg... who wouldn't have the cash for a big GDPR complaints processing centre. So there are big backlogs (

For instance the Irish regulator is basically the centre for big cases against Google, Facebook, Microsoft and Twitter... so their backlog is large. Plus don't forget the Irish government isn't super keen on pissing those companies off (see the apple tax case!)

Oh so its being misused and bad?

Well no... The EU needs data protection rules. The alternative is worse, and the big theoretical merit of the GDPR is still there - its universal and not riddled with exemptions that favour big business massively.

Consider the contrast to the upload filter and link tax plans they had for copyright reform ( The GDPR is pretty simple in principal and is still there. Nobody is getting anywhere seriously trying to soften it. These sorts of rights are hard to take away. Yes you can argue it's not really being followed properly, but I think it's a harder task to say its bad.

People are trying to argue however that the GDPR needs fixing... and they think that should happen before any new rules such as legislating against facial recognition and other AI...

They argue that public trust in internet companies continues to drop so the GDPR isn't working, but its also too strict so should be abandoned...

Also that "access to data" is harmed so it's bad for innovation (

The GDPR isn't the prettiest or most successful thing but its the one we've got and its far from the worst model to base future rules on emerging technology on

190 episodes