GDPR

Europe has been trying to protect your data since 1995. It took until 2018 for the law to have teeth. Cumulative fines now exceed €7 billion. Surveillance capitalism is still the dominant business model.

The long road

The EU's 1995 Data Protection Directive established baseline privacy rights. By the 2010s it was hopelessly outdated — Facebook, Google, and Amazon had built multi-billion-dollar businesses on behavioural data collection at a scale the Directive never anticipated. The GDPR was formally adopted in 2016 and became enforceable on 25 May 2018.

What GDPR requires

Personal data may be processed only on one of six lawful bases, of which consent is the most visible; to count, consent must be freely given, specific, informed and unambiguous. Individuals have the right to access, correct, and delete their data. A personal-data breach must be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to put anyone at risk. Fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher. The regulation applies to organisations established in the EU and to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU.

Lawful basis / consent

Under the GDPR a company may not process your personal data just because it wants to; it needs one of six "lawful bases", the most discussed of which is your freely given, specific, informed and unambiguous consent. "Freely given" is the catch: consent buried in a pre-ticked box or extracted by a manipulative banner is not valid consent in law (the regulation's own recitals say that silence, pre-ticked boxes and inactivity do not constitute consent), which is why so much enforcement turns on how the choice was designed, not whether a box was clicked.

The fines

2019: France fines Google €50 million. 2021: Luxembourg fines Amazon €746 million. 2023: Ireland fines Meta €1.2 billion — the largest GDPR fine on record — for unlawfully transferring EU user data to the United States. 2023: Ireland fines TikTok €345 million for children's data violations. 2024: Ireland fines LinkedIn €310 million. 2025: TikTok fined a further €530 million. Cumulative GDPR fines exceed €7 billion.

What it has and has not achieved

GDPR established that data protection is a legal right with financial consequences. It created a global norm — companies worldwide updated practices partly in response to its extraterritorial reach. What it has not done is end surveillance capitalism. Cookie consent banners, frequently designed as dark patterns to funnel users toward acceptance, provide nominal compliance. The behavioural surveillance model continues. Fines, large in absolute terms, are manageable as a business cost for the largest platforms. GDPR is the strongest privacy framework in the world and an insufficient response to the scale of the problem.

Dark patterns

Interface designs that steer you toward the choice the company prefers rather than the one you would freely make: the giant "Accept all" button next to a greyed-out, three-clicks-deep "Reject". They exploit defaults, friction, and visual hierarchy. Under the GDPR a consent obtained this way is arguably not freely given — but the banners remain near-universal because the cost of ignoring the rule is low relative to the value of the data.

How we know — why €7 billion in fines hasn't changed the model

Three structural reasons. First, scale: a record €1.2 billion fine is real money, but set against the revenue the behavioural-advertising model generates for the largest platforms, it functions more like a cost of doing business than a deterrent. Second, the enforcement bottleneck: under the GDPR's "one-stop-shop", the regulator of the country where a company has its main EU establishment leads cross-border cases, which routes most Big Tech cases through Ireland's DPC, criticised by other regulators for slow, narrow enforcement; several of the largest fines, including the €1.2 billion Meta decision, were reached only after the European Data Protection Board used its dispute-resolution power to override the lead regulator's draft. Third, compliance theatre: a consent banner can be technically present and still designed to defeat the choice it nominally offers.

The honest reading. GDPR succeeded at establishing data protection as an enforceable right and a global norm; it has not succeeded at dismantling surveillance as a business model, because the model's economics survive the fines. That is an argument about enforcement and design, not about whether the law was worth passing.