---
title: "5 years later, what is the assessment of the GDPR?"
id: "2532"
type: "post"
slug: "5-years-later-what-is-the-assessment-of-the-gdpr"
published_at: "2023-05-30T09:17:24+00:00"
modified_at: "2026-02-19T18:18:36+00:00"
url: "https://augustdeboustg.wpenginepowered.com/en/legal-article/5-years-later-what-is-the-assessment-of-the-gdpr/"
markdown_url: "https://augustdeboustg.wpenginepowered.com/en/legal-article/5-years-later-what-is-the-assessment-of-the-gdpr.md"
taxonomy_category:
  - "Legal Article"
taxonomy_language:
  - "English"
taxonomy_post_translations:
  - "pll_6980cf6b39082"
---

Menu          Interagir avec notre IA

 Practice Areas (66) Transactional- [Artificial intelligence](https://augustdeboustg.wpenginepowered.com/en/expertise/artificial-intelligence/)
- [Capital Markets](https://augustdeboustg.wpenginepowered.com/en/expertise/capital-markets/)
- [Commercial and International Contracts](https://augustdeboustg.wpenginepowered.com/en/expertise/commercial-and-international-contracts/)
- [Commercial Contracts and Strategic Partnerships](https://augustdeboustg.wpenginepowered.com/en/expertise/commercial-contracts-and-strategic-partnerships/)
- [Competition Law, European Regulation and FDI](https://augustdeboustg.wpenginepowered.com/en/expertise/competition-state-aid/)
- [Consumer, Marketing & Advertising](https://augustdeboustg.wpenginepowered.com/en/expertise/distribution-and-consumer-law/)
- [Financing](https://augustdeboustg.wpenginepowered.com/en/expertise/financing/)
- [Foreign Investment Control](https://augustdeboustg.wpenginepowered.com/en/expertise/foreign-investment-control/)
- [Go-to-Market](https://augustdeboustg.wpenginepowered.com/en/expertise/go-to-market/)
- [Intellectual Property](https://augustdeboustg.wpenginepowered.com/en/expertise/intellectual-property/)
- [International Trade](https://augustdeboustg.wpenginepowered.com/en/expertise/international-trade/)
- [Labor and Social Security Law](https://augustdeboustg.wpenginepowered.com/en/expertise/labor-and-social-security-law/)
- [Mergers-acquisitions](https://augustdeboustg.wpenginepowered.com/en/expertise/mergers-acquisitions/)
- [Patents](https://augustdeboustg.wpenginepowered.com/en/expertise/patents/)
- [Personal Data and Cybersecurity](https://augustdeboustg.wpenginepowered.com/en/expertise/personal-data-and-cybersecurity/)
- [Private equity](https://augustdeboustg.wpenginepowered.com/en/expertise/private-equity/)
- [Projects and Infrastructure](https://augustdeboustg.wpenginepowered.com/en/expertise/projects-and-infrastructure/)
- [Public Procurement](https://augustdeboustg.wpenginepowered.com/en/expertise/public-procurement/)
- [Real Estate and Construction](https://augustdeboustg.wpenginepowered.com/en/expertise/real-estate-and-construction/)
- [Restructuring](https://augustdeboustg.wpenginepowered.com/en/expertise/restructuring/)
- [Securities Law](https://augustdeboustg.wpenginepowered.com/en/expertise/securities-law/)
- [Tax](https://augustdeboustg.wpenginepowered.com/en/expertise/tax/)
- [Tech And Digital](https://augustdeboustg.wpenginepowered.com/en/expertise/tech-and-digital/)

Dispute Resolution- [Administrative and Public Law Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/administrative-and-public-law-litigation/)
- [Arbitration and ADR](https://augustdeboustg.wpenginepowered.com/en/expertise/arbitration-and-adr/)
- [Class Actions](https://augustdeboustg.wpenginepowered.com/en/expertise/class-actions/)
- [Commercial and Corporate Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/commercial-and-corporate-litigation/)
- [Competition Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/competition-consumer-and-distribution-litigation/)
- [Constitutional Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/constitutional-litigation/)
- [Defective Products and Insurance Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/defective-products-and-insurance-litigation/)
- [Employment and Social Security Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/employment-and-social-security-litigation/)
- [Environmental and ESG Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/environmental-and-esg-litigation/)
- [European Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/european-litigation/)
- [Insolvency and Restructuring](https://augustdeboustg.wpenginepowered.com/en/expertise/insolvency-and-restructuring/)
- [Intellectual Property, Media, and Press Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/intellectual-property-media-and-press-litigation/)
- [Patent Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/patent-litigation/)
- [Real Estate, Construction, and Land Use Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/real-estate-construction-and-land-use-litigation/)
- [Securities Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/securities-litigation/)
- [Tax litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/tax-litigation/)
- [Tech, Digital and Data Litigation](https://augustdeboustg.wpenginepowered.com/en/expertise/tech-digital-and-data-litigation/)
- [White-Collar Crime and Investigations](https://augustdeboustg.wpenginepowered.com/en/expertise/white-collar-crime-and-investigations/)

Advisory- [Artificial intelligence](https://augustdeboustg.wpenginepowered.com/en/expertise/artificial-intelligence/)
- [Commercial Contracts and Strategic Partnerships](https://augustdeboustg.wpenginepowered.com/en/expertise/commercial-contracts-and-strategic-partnerships/)
- [Consumer, Marketing & Advertising](https://augustdeboustg.wpenginepowered.com/en/expertise/distribution-and-consumer-law/)
- [Go-to-Market](https://augustdeboustg.wpenginepowered.com/en/expertise/go-to-market/)
- [Governance and Corporate Law](https://augustdeboustg.wpenginepowered.com/en/expertise/gouvernance-et-droit-des-societes/)
- [Insurance Law](https://augustdeboustg.wpenginepowered.com/en/expertise/insurance-law/)
- [Intellectual Property](https://augustdeboustg.wpenginepowered.com/en/expertise/intellectual-property/)
- [Labor and Social Security Law](https://augustdeboustg.wpenginepowered.com/en/expertise/labor-and-social-security-law/)
- [Patents](https://augustdeboustg.wpenginepowered.com/en/expertise/patents/)
- [Private Clients](https://augustdeboustg.wpenginepowered.com/en/expertise/private-clients/)
- [Tax](https://augustdeboustg.wpenginepowered.com/en/expertise/tax/)
- [Tech And Digital](https://augustdeboustg.wpenginepowered.com/en/expertise/tech-and-digital/)

Regulatory- [Competition Law, European Regulation and FDI](https://augustdeboustg.wpenginepowered.com/en/expertise/competition-state-aid/)
- [Compliance and Investigations](https://augustdeboustg.wpenginepowered.com/en/expertise/compliance-and-investigations/)
- [Digital and Technology Regulation](https://augustdeboustg.wpenginepowered.com/en/expertise/digital-and-technology-regulation/)
- [Digital Assets](https://augustdeboustg.wpenginepowered.com/en/expertise/digital-assets/)
- [Environmental and Urban Planning Law](https://augustdeboustg.wpenginepowered.com/en/expertise/environmental-and-urban-planning-law/)
- [ESG](https://augustdeboustg.wpenginepowered.com/en/expertise/esg/)
- [European Law](https://augustdeboustg.wpenginepowered.com/en/expertise/european-law/)
- [International Sanctions and Export Controls](https://augustdeboustg.wpenginepowered.com/en/expertise/international-sanctions-and-export-controls/)
- [International Trade](https://augustdeboustg.wpenginepowered.com/en/expertise/international-trade/)
- [Personal Data and Cybersecurity](https://augustdeboustg.wpenginepowered.com/en/expertise/personal-data-and-cybersecurity/)
- [Product Compliance and Safety](https://augustdeboustg.wpenginepowered.com/en/expertise/product-compliance-and-safety/)
- [Public Law](https://augustdeboustg.wpenginepowered.com/en/expertise/public-law/)
- [Securities Law](https://augustdeboustg.wpenginepowered.com/en/expertise/securities-law/)

  Sectors (13) - [Aerospace and Defense](https://augustdeboustg.wpenginepowered.com/en/secteur/aerospace-and-defense/)
- [Banking & Finance](https://augustdeboustg.wpenginepowered.com/en/secteur/banking-finance/)
- [Data Centers](https://augustdeboustg.wpenginepowered.com/en/secteur/data-centers/)
- [Energy](https://augustdeboustg.wpenginepowered.com/en/secteur/energy/)
- [Health and Life Sciences](https://augustdeboustg.wpenginepowered.com/en/secteur/health-and-life-sciences/)
- [Infrastructure Projects](https://augustdeboustg.wpenginepowered.com/en/secteur/infrastructure-projects/)
- [Luxury And Retail](https://augustdeboustg.wpenginepowered.com/en/secteur/luxury-and-retail/)
- [Manufacturing](https://augustdeboustg.wpenginepowered.com/en/secteur/manufacturing/)
- [Media](https://augustdeboustg.wpenginepowered.com/en/secteur/media/)
- [Real Estate & Construction](https://augustdeboustg.wpenginepowered.com/en/secteur/real-estate-construction/)
- [Sport](https://augustdeboustg.wpenginepowered.com/en/secteur/sport/)
- [Tech & Digital](https://augustdeboustg.wpenginepowered.com/en/secteur/tech-digital/)
- [Telecommunications & Digital Infrastructure](https://augustdeboustg.wpenginepowered.com/en/secteur/telecommunications-digital-infrastructure/)

Cet article résumé en une minute avec l’IA

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect with ambitious objectives: to enhance citizens’ control over their personal data, hold accountable the relevant actors, standardize the implementation of regulations across the European territory, and strengthen cooperation among authorities to legitimize regulation in this field. While it faced strong criticism at that time, with numerous organizations fearing it could hinder innovation and economic growth, it was also praised for the protection it was expected to provide individuals against the massive and sometimes uncontrolled processing of their data by internet giants.

Five years later, the GDPR appears to have fulfilled many of its missions but has also revealed its limitations.

- **A Surge in Complaints**

The highly publicized GDPR has succeeded in raising awareness among European citizens regarding the protection of their personal data. French citizens, in particular, have been notably active in this regard, with the CNIL recording over 12,000 complaints in 2022 [[[1]](#_ftn1)
], whereas its Irish counterpart received just under 3,000 [[[2]](#_ftn2)
]. The recent establishment by the CNIL of a reporting mechanism, allowing any individual to notify the authority of a GDPR violation they have become aware of [[[3]](#_ftn3)
], is likely to further increase the number of submissions in the coming years.

- **Increasingly Frequent Inspections and Record-Breaking Penalty Amounts**

The number of conducted inspections and subsequent measures taken [[[4]](#_ftn4)
], as well as the amount of imposed penalties, have significantly escalated over the years, compelling organizations to enhance their compliance out of fear of the financial repercussions and, more importantly, the reputational damage that a violation might expose them to. In total, European data protection authorities have imposed approximately 2.5 billion euros in fines over a span of five years. The CNIL stands out as one of the most proactive authorities, accounting for more than 500 million euros in fines since 2018.

However, these figures should be put into perspective as the majority of these amounts stem from sanctions against tech giants like GAFAM (making up nearly 93% in the case of France). While such penalties might seem substantial (for instance, CNIL fined Google 150 million euros in 2021), data protection authorities (particularly the Irish Data Protection Authority, responsible for overseeing most of the internet giants) have been criticized multiple times for being too lenient in limiting the potential sanctions’ magnitude (which often constitutes only a tiny fraction of the penalized company’s revenue, whereas the maximum amount can reach 4% of the global turnover). The European Data Protection Board has, on several occasions, issued decisions urging the Irish authority to revise upward the proposed sanction amounts within contentious proceedings. The issuance, on May 22, 2023, of a record-breaking fine of 1.2 billion euros against Meta [[[5]](#_ftn5)
] by the Irish authority reflects a likely trend of authorities being much more severe in the future.

- **Significant Cooperation among Regulatory Authorities**

European data protection authorities are increasingly collaborating effectively when GDPR violations involve cross-border data processing. More than 809 cooperation procedures have been implemented between 2018 and 2021, resulting in nearly 300 decisions being adopted [[[6]](#_ftn6)
]. While such cooperation undeniably promotes a harmonized interpretation and application of the GDPR across Europe, it still encounters challenges due to procedural differences between countries and lingering national legal specificities (for instance, concerning regulations related to health or commercial outreach), which curtail its scope.

- **Exploitation of Individuals’ Rights**

By introducing new rights, requiring greater transparency from entities about their practices, and establishing stricter consent acquisition methods (such as the redesign of cookie banners on websites, necessitating users to click an “accept” button to consent to the use of trackers), the GDPR has unquestionably enhanced individuals’ control over their data.

However, individuals, now well-informed about their rights, are increasingly prone to exploiting them for ancillary interests. Indeed, in recent years, there has been an exponential rise in requests for data access (under the basis of Article 15 of the GDPR), aimed at obtaining the disclosure of documents subsequently used as evidence in contentious proceedings, particularly labor disputes. Faced with this misuse of the right to access, data controllers often find themselves in a delicate position, torn between their obligation to comply with the GDPR and their desire not to disclose elements that could incriminate them. The lack of pragmatism on the part of authorities in this regard, which mandates organizations to provide any data held regardless of the requester’s motivation, is evident.

- **Discrepancies in Compliance**

While many large enterprises have achieved a significant level of maturity in GDPR compliance and allocate substantial resources for this purpose, the compliance level of SMEs and micro-enterprises often remains unsatisfactory. Less attuned to these matters and unable to allocate the financial and human resources necessary for implementing the numerous initiatives mandated by the GDPR, they frequently fall behind.

However, even within the most diligent companies, significant discrepancies in compliance are observed across different areas. Certain obligations are indeed challenging to adhere to, even for them, in light of economic realities. As an example, numerous organizations continue to engage vendors located in the United States and consequently transfer data to them, despite the invalidation of the Privacy Shield and the implications of the Schrems II ruling.

- **New Challenges**

The advancement of artificial intelligence (AI) presents unprecedented challenges and prompts us to question the adequacy and relevance of the current legal framework to effectively regulate the use of personal data by these new tools. The primary challenge for the GDPR, the forthcoming regulation on AI, and the authorities responsible for ensuring compliance in the coming years will be to strive towards shaping the development of privacy-respecting AI. This will involve appropriately and pragmatically guiding the stakeholders in this field.

[[1]](#_ftnref1)
 [https://www.cnil.fr/fr/sanctions-et-mesures-correctrices-la-cnil-presente-le-bilan-2022-de-son-action-repressive](https://www.cnil.fr/fr/sanctions-et-mesures-correctrices-la-cnil-presente-le-bilan-2022-de-son-action-repressive)

[[2]](#_ftnref2)
 Irish Data Protection Authority, [2022 Annual Report](https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-publishes-2022-annual-report)

[[3]](#_ftnref3)
 [https://www.cnil.fr/fr/lanceurs-dalerte-adresser-une-alerte-la-cnil](https://www.cnil.fr/fr/lanceurs-dalerte-adresser-une-alerte-la-cnil)

[[4]](#_ftnref4)
 For instance, the CNIL conducted 345 inspections in 2022, resulting in 21 sanctions and 147 formal notices: [https://www.cnil.fr/fr/sanctions-et-mesures-correctrices-la-cnil-presente-le-bilan-2022-de-son-action-repressive](https://www.cnil.fr/fr/sanctions-et-mesures-correctrices-la-cnil-presente-le-bilan-2022-de-son-action-repressive)

[[5]](#_ftnref5)
 [https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf](https://edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf)
 – It’s worth noting that while the Irish authority intended to impose a fine of 390 million euros on Meta, the EDPB (European Data Protection Board) determined that the penalty amount should fall within 20 to 100% of the applicable legal maximum, which is 4% of the total revenue of all entities within the Meta group.

[[6]](#_ftnref6)
 CNIL, [42nd Activity Report](https://www.cnil.fr/sites/cnil/files/atoms/files/cnil_-_42e_rapport_annuel_-_2021.pdf)
, 2021

Share

- Linkedin
- Copy Link

Cet article résumé en une minute avec l’IA

### Authors

2

- [Alexandra Antalis](https://augustdeboustg.wpenginepowered.com/en/collaborateur/alexandra-antalis-2/)
- [Florence Chafiol](https://augustdeboustg.wpenginepowered.com/en/collaborateur/florence-chafiol-2/)

## Discover more content that might interest you

News

[09/06/26 Competition Litigation 0 min Aerospace Manufacturer – Commercial Dispute Represented an aerospace manufacturer in a major commercial dispute that evolved into competition litigation. Assisted in defending against allegations of abuse of dominance and excessive pricing following complaints filed before both European and national competition authorities. Read more](https://augustdeboustg.wpenginepowered.com/en/business-case/aerospace-manufacturer-commercial-dispute/)
[09/06/26 Competition Litigation 0 min Engineering And Technology Consulting Group – Investigation Advised a consulting and engineering group involved in a cartel investigation relating to information exchanges, price-fixing practices, and no-poach agreements following an unannounced inspection carried out by the French Competition Authority. Read more](https://augustdeboustg.wpenginepowered.com/en/business-case/engineering-and-technology-consulting-group-investigation/)
[09/06/26 Competition Litigation 0 min Industrial Group – Competition Investigation Advised an industrial group involved in a cartel investigation concerning information exchanges, price-fixing practices, and no-poach arrangements following a dawn raid conducted by the French Competition Authority. Read more](https://augustdeboustg.wpenginepowered.com/en/business-case/industrial-group-competition-investigation/)