Looking at the latest activity reports from the AEPD [1] and the CNIL [2] (the supervisory authorities for the protection of personal data in Spain and France respectively), it would seem that the world is now a much better place than it was in 2017. Thousands of individual complaints have once again been filed and followed through, resulting in crucial changes in the way businesses of all industries and sizes handle privacy concerns and data subject rights.
But I am starting to suspect that we fool ourselves, blinded by the bubble of our daily debates and practice, or by the impressive numbers on display.
Is it not true that, for all the efforts we have collectively made to respect core data protection principles such as transparency, accountability, or individual participation, the perception on the street is of complete chaos and open season on people’s data? Is it possible that regulatory fines, compliance efforts and control mechanisms have been outpaced by a tsunami of data collection, processing, sharing, and repurposing practices across the board?
The optimistic case could rest on the enhanced protections enjoyed by EU or UK citizens when compared to their US counterparts. Many of the GDPR rights are simply not available in most states across the pond, and data brokerage in Europe is nowhere near the levels that Americans have become accustomed to (credit scoring, health insurance, and national security have long been Black Mirror-scale nightmares). But I have come to appreciate that such a large gap on paper does not translate into a palpable difference in terms of respect, transparency, or empowerment. Americans will keep on fantasizing about the privileges of Europeans (bar the always laughable cookie banners), and Europeans will keep on believing the horror story of unhinged profiling and data commoditization.
I recently asked a friend (a layman for these purposes, Dubai-based if that matters) what he thought of online privacy in general. He replied that “everyone is just in Survival Mode”: nobody trusts the system or understands what happens, except for the clear fact that websites and mobile apps will collect your data one way or another.
In other words, for all the soothing policies, “trust centers”, and sweetly worded consent requests, the entire digital economy has become a ruthless vacuum cleaner. It matters little what citizens/consumers/individuals choose to do, other than send a little letter to their local data protection agency out of pure anger, and then wait two years to hear about the 300 EUR fine.
What are we really protecting people from?
Accepting that supervisory authorities will always have very limited resources would force us to zero in on top priorities. As a society we want to prevent bad actors from trafficking in personal data, tricking vulnerable groups into decisions that limit their future choices, or simply running counter to basic principles of fairness and accountability.
Can we direct the efforts of enforcement authorities towards the worst possible scenarios and concentrate on effective individual empowerment tools for everything else? Should we not trust, beyond such clear common threats, people’s own judgment and the prevailing good business practice of treating customers (or readers) with respect?
Such a balance could result in honest personal data protection or privacy efforts aimed at honouring individual preferences. People would vote with their feet if they felt that a website was abusive or misleading, because such practices would automatically create an opening for competitors in a healthy, competitive space (granted, social media is not one, and a case could be made for imposing minimum standards in highly regulated verticals).
But, I know, it was the very failure of these natural market dynamics that prompted regulators to act in the first place, so perhaps this is as delusional as believing that such a rich body of rights and responsibilities could be enforced in a consistent and effective way.
Survivors all around
The other problem we do not talk about that much (or at least not outside the industry) is the inability of most organizations to cope with an impossible patchwork of regulatory frameworks, external threats, and contradictory data transfer rules.
Data Protection Officers and other corporate privacy professionals have been tasked with answering data subject requests, embedding privacy safeguards into products and services, training internal teams, responding to supervisory authorities, assisting security teams with data breaches and vendor audits, creating policies, drafting notices, keeping records, classifying data, and more. They most often lack sufficient support or budget, so many of those I speak to seem to be in a similar “survival mode”.
The EU is making an effort to simplify things for smaller businesses (e.g., the proposal to exempt most of them from keeping Records of Processing Activities unless they employ more than 750 people), but it has also introduced additional regulations that intersect with the GDPR: the Data Act, the AI Act, the Data Governance Act, the Digital Markets Act, the Digital Services Act, etc. The US is no less complex, with a combination of 19 state comprehensive privacy laws and various federal laws covering data about children, health data, or financial data.
A tale of two jungles?
So, what is better? A certain degree of self-regulation and laissez-faire supported by market constraints and individual empowerment, or a strict web of intertwined regulations that most businesses won’t be able to follow? Both are open to abuse, but the latter introduces the additional uncertainty of inconsistent enforcement.
I definitely do not have the answer, but it feels like it is, once again, time for greater investment in personal agency. If we once jumped on Personal Data Stores and device-level controls out of pure excitement at the arrival of the GDPR, with its portability rights and privacy-by-design requirements, today we embrace personal “agents” for the opposite reason: the GDPR and all that followed was a major disappointment.
(You are reading a GenAI-free article, solely relying on auto-correct for some expressions and typos. The image above is AI-free as well, retrieved from Canva’s photo repository.)
[1] AEPD: Memoria anual 2024 (Spanish), https://www.aepd.es/memorias/memoria-aepd-2024.pdf
[2] CNIL: Rapport annuel 2024 (French), https://www.cnil.fr/sites/cnil/files/2025-04/rapport_annuel_2024.pdf