Yours Lawfully Podcast
10 Years of GDPR: Has privacy won?
Does data protection really protect our data, or has it just given us endless cookie banners to click through?
Did you know that the data protection rules protecting your phone today actually have their roots in a 1978 French law? Long before the modern web, legislators already believed that technology should serve citizens and never violate human identity. Fast forward to today, and that spirit lives on in the General Data Protection Regulation, commonly known as the GDPR.
In this episode of Yours Lawfully, produced by qLegal for the TMT Institute, we explore the realities behind GDPR, moving beyond the legal text to examine how it operates in everyday digital interactions. We are joined by Professor Ian Walden, who is Of Counsel at Baker McKenzie and has been a Professor of Information and Communications Law at the Centre for Commercial Law Studies for over 30 years. We look at how GDPR functions, from consent and transparency to enforcement challenges and organisational compliance. We also unpack the regulation’s strengths, limitations, and evolving role in a data-driven world.
Did you know that the data protection rules protecting your phones today actually have their roots back in a 1978 French law? Long before the modern web, legislators already believed that technology should serve citizens and never violate human identity. Fast forward to today, and that's where it does live on, in the General Data Protection Regulations, also known as the GDPR. It has changed expectations around organizations handling personal data and inspired similar legislation around the world. But has it genuinely strengthened citizens' rights or simply created a costly compliance machine?
SPEAKER_01: Welcome to today's episode of Yours Lawfully, based on Queen Mary's award-winning commercial law qLegal at the Centre for Commercial Law Studies. We are best in HEMA students here at the Queen Mary University of London. And in today's show, we are talking about the 10-year anniversary of the GDPR. Adopted in 2016, it elevated awareness of data protection from boardrooms to living rooms and setting a standard for countries and jurisdictions around the world. Now that the GDPR has hit the 10-year milestone, it's a good time to pause and consider what we have learned and how data privacy has influenced user experience in marketing, trust, and business practices globally. We are excited to be joined by Professor Ian Walden, who is of counsel at Baker McKenzie and Professor of Information and Communications Law at the Centre for Commercial Law Studies at QMUL for over 30 years. Professor Walden, it's a pleasure to have you on the podcast. Could you introduce yourself to our listeners and about your work in the field of data protection?
SPEAKER_00: Thank you, and uh I'm very pleased to be here. Thank you for the invitation. I first got involved in data protection in 1987, so a very, very long time ago, um, when I started doing uh a research project and my PhD in the field. And at the time I remember my mother asking me whether it would be a career. Um, and it's not just a career, data protection has clearly become an industry. Uh, and I'm I'm been involved in it in many different ways over the subsequent years, both as an academic, as legal advisor, as a solicitor, and a consultant. So I've been privileged to be involved in many aspects of data protection law.
SPEAKER_02: Thank you for the introduction, Professor Walden. We will start with introducing GDPR a little. Let's begin. The GDPR emerged after years of work by European lawmakers to modernize data protection rules and give people stronger control over how their information is used. It replaced the 1995 directive with a far more ambitious framework, one that required organizations to build privacy into their systems from the start and raise the bar for consent. Its impact was immediate because the rules apply to any organization handling the personal data of data subjects in the EU. The GDPR quickly became a global reference point, influencing new laws from Brazil to Japan, China, California, and beyond. So the main question here is: has the GDPR meaningfully shifted how countries and organizations think about privacy around the world? Professor Walden, what's your view?
SPEAKER_00: Well, first I would make the point that privacy and data protection are friends and relations, but not necessarily the same thing. But the GDPR has undoubtedly had an incredibly significant impact around the world. Even though there are only a few countries that have been officially recognized as having adequate or essentially equivalent legislation to the GDPR, it is certainly the model upon which all jurisdictions will have consideration to a greater or lesser extent. I have been fortunate to be involved in law reform projects in in countries as diverse as Sri Lanka and Kenya and Sierra Leone and in all these jurisdictions, the GDPR is certainly the starting point. Countries may struggle to reach the standard of the GDPR, but it is certainly the reference point upon which everything else is built.
SPEAKER_01: That was very insightful, Professor Walden. Thank you. But from your experience, Professor Walden, have organizations changed how they approach data protection now, or is it more about formal compliance?
SPEAKER_00: Yes, I think organizations have changed their approach. And partly it's push because they want to, and partly it's pull because they have to. Clearly, the introduction of sizable fines under the GDPR focuses the attention of uh boards of organizations and both the public and the private sector. But at the same time, organizations have recognized increasingly how valuable their personal data is. And if you don't look after that personal data, you will lose customers, you will lose trust, uh, and it will be detrimental to your business. So I think there has been a positive desire of organizations to be more uh careful with the way that they handle personal data. But at the same time, clearly there is the big stick that sits there in the form of fines, which, as I've already said, kind of uh encourage uh organizations to think more carefully about compliance.
SPEAKER_01: So on that note, when GDPR came into force, what was new or different about it compared to earlier data protection rules?
SPEAKER_00: So compared to the 1995 directive, it really was just an evolution. I mean, all the component parts of the current regime can be found in the 1995 directive. So it was certainly an evolution rather than a revolution. But I do think some of the uh the the level of fine changed this the the the extent to which organizations took GDPR seriously, and also we have changed as as a as a society, as an environment, with the growth of the internet, and clearly there are aspects of the GDPR which reflect the emergence of of social media uh and our ever more online lives, and and clearly the GDPR uh needed to address that in a way that perhaps the 1995 directive was only beginning to think about. And you know, the latest developments in AI, for example, are reflected in some of the provisions of the GDPR, but those provisions date back to 1995. So some of the legislation has aged very well.
SPEAKER_01: Thank you, Professor Walden. Why do you think the GDPR became such a strong reference point for countries outside the EU, considering your international experience?
SPEAKER_00: I suppose two reasons. Uh the main one is probably you know the European Union is a uh massive trading block. It has huge numbers of consumers, huge numbers of wealthy consumers compared to you know many, many other parts of the world. And therefore, trading with the EU is incredibly important for all countries around the world, and therefore to uh have a barrier to trade caused by the absence or the failure to protect personal data was is is not doesn't make economic sense. So, from an economic perspective, if you want to trade with Europe in as a liberalized manner as you can, then you need to essentially reflect the legal rules that exist in uh the EU. So, I mean that that's probably the the re the the fundamental reason. But at the same time, I think the other reason is it was the first and is the primary example. The GDPR, I mean, we had the cat we had a Council of Europe convention dating from uh 1981, uh, but the GDPR in 1995, because of the you know binding nature of European Union law as opposed to uh Council of Europe conventions, the EU became the the sort of uh upon which the world has really looked for data protection law.
SPEAKER_01: Thank you. That actually brings me to something else. According to a research paper authored by a team of researchers from the University of Oxford and presented at the 17th Symposium on Usable Privacy and Security, approximately 70% of mobile apps still send personal data to tracking companies the literal second you open them, often without the legally required consent. This suggests for many users, current legislation still falls short of providing enough protection against the continuous surveillance that happens behind the scenes. In your opinion, Professor Ian Walden, how well has the GDPR dealt with this problem? Are large platforms truly more transparent about the data use, or have they just made it harder for users to see what's happening?
SPEAKER_00: A difficult question because people have very varying opinions on how successful or unsuccessful data protection law is. I mean, you're right, it is difficult to know what's happening to your data, but it's difficult to know what's happening to your data, both because the world has become very, very, very complicated. So the whole way that the digital marketing ecosystem operates is incredibly complex and incredibly detailed and various, and and and it, you know, even somebody that studies it on a on a uh consistent basis will struggle to be able to map exactly how data flows between different organizations through different technologies and across international borders. But at the same time, I mean we we have to take responsibility ourselves. And unless you think that data protection law should simply protect us against ourselves, which it does do to a degree, it does protect us against ourselves. I mean, we do not read the cookie banners, we do not read the terms and conditions, we do not look at the privacy policies, we do not, you know, life is too short to keep up with how your personal data is being used. But at the same time, I love my free services. I love the fact that I can call anywhere in the world and not pay a telephone call. I love the fact that I can, you know, put up pictures and store and share and do all of the things that are possible in the modern world, and I don't pay for any of that. So I think there is this. I am a data protection lawyer and I'm interested in it, and I've been interested in it for a for a very long time. But I I don't think I'm a sort of privacy advocate. I don't think I'm a I don't think privacy is the most important thing compared to every other right, for example. And I don't think that, you know, I don't think law should protect us from ourselves. I think we have to take some responsibility. So so I I again I keep saying there are a number of different aspects, but I'm afraid I think there are.
Um we we've become lazy, we enjoy the fruits of the use of our personal data, and and that economic model, we have been complicit in allowing it to exist.
SPEAKER_02: I think that's a that's a really good point, Professor Walden, that we click on cookie banners, we don't realize, we don't read anything, but the number given above scares me a little. It's also because I think I feel like most of us just click accept without like reading anything. And do you think, in your opinion, does the average user understand what's happening to their data today? I mean they click without reading, but do they actually comprehend the extent to which their data is being used or circulated?
SPEAKER_00: Oh, absolutely not. And I do this on a professional basis, and I don't have any idea either. And that's because the world is extremely complicated, and the the structures that deliver certainly our online experience, but to a certain degree our offline experience as well. You know, whether it be delivery of packages by Amazon or um all of the Uber cabs or Uber food or you know, whatever they are, we enjoy, we consume them, and that requires our personal data in order to personalize it, in order to supply it. Uh, and therefore we don't understand, but but that's not unusual. I mean, I don't understand how a car works really, uh, but I still enjoy using a car. I don't, I don't, I don't, I'm not, you know, there's so many, there's so much of the modern world that I don't understand, but just because you don't understand it, that doesn't mean it's not incredibly beneficial. Uh, and it doesn't mean that I uh should be protected from it.
SPEAKER_02: Do you think it could be the one of the reasons could be that there's a gap between what the regulation promises and what users experience in day-to-day life? Are we promised more beyond like more data protection beyond what's been given to us?
SPEAKER_00: Yeah, I think there I mean there's clearly a mismatch in expectations. I mean, I obviously haven't read the study that you referred to, but part of your comment was often without the legally required consent. Well, you know, you don't always need consent uh because some of those tracking devices are an essential part of supplying a service to you, and and the law does not require your consent. And so, you know, the answer is always complicated. Um, and I do, in my experience, you know, the companies I deal with, they try very hard to to make it you know transparent through through privacy policies and through mechanisms designed to help you recognize what's being done to your personal data, but that doesn't mean you read it. Uh, and that's yeah, this is one of the legal fictions of uh that that we've existed with for years. I mean, a contract depends on its terms and conditions. I don't have to read the terms and conditions, I simply have to have the opportunity to read the terms and conditions. You know, there is a mismatch of expectations, and and if users suffer, then they always would like to have somebody to blame. It's never their fault. But the life world's a bit more complicated than that.
SPEAKER_02: That's actually a really interesting point to be made. Thank you, Professor Walden. Let's zoom in a little and talk about dark patterns now. Dark patterns are basically essentially the design tricks that nudge, confuse, or pressure users into choices they didn't intend to make. Whether that's a free trial that automatically converts into a paid subscription without clear reminders or easy cancellations, or pre-ticked boxes adding travel insurance to a flight booking. They've become a defining feature of the modern web and a growing regulatory concern. Marie Potel-Saville, founder of Fair Patterns and Amurabi, has been one of the leading voices documenting how this practice is influencing users' behavior. The question here is, Professor Walden, how effective is the GDPR at tackling the dark pattern problem?
SPEAKER_00: I think it has all of the basic components to help control dark patterns. I mean, one can always identify non-compliant practices, and the answer to the non-compliant practice is they should be compliant. And if they're not compliant, somebody should enforce against that non-compliance, whether it be you and me as individual data subjects, or whether it be the regulator. But I do think there is an issue, uh, and European law recognizes there is an issue. And in um, we now have um something known as the Digital Markets Act. Um, and the Digital Markets Act is a form of competition law that regulates certain types of market participants uh known as gatekeepers. That regime also contains rules that are designed to govern the use of dark patterns as a means. Is the GDPR effective? Well, probably not sufficiently effective, and that's why we've got supplementary legislation coming from a completely different legal sector, i.e., uh competition law. And the combination of those pieces of legislation hopefully will be effective against dark patterns because competition law is is about prohibiting misleading and unfair trade practices. And of course, to the extent that dark patterns are misleading, you know, fraudulent, unfair commercial practices, then they should be prevented. So the GDPR, I think, has needed this additional regulatory support, and it's got that in the form of the Digital Markets Act.
SPEAKER_01: But Professor Walden, why do companies use these design tricks and are they always illegal or just sneaky? Are dark patterns ethically justifiable or do they fundamentally undermine user autonomy and meaningful consent?
SPEAKER_00: Are they always illegal? Well, no, I don't I don't I they can't always be illegal, going back to the previous discussion. You may think you don't know about them, that's but that's because you don't you don't choose to know about them. Uh they may be completely explained and described in a privacy policy, for example, or or in a cookie, or you know, you may be have the potential to have full transparency, and therefore they're not just sneaky, but if you don't know about them, then they feel like they're sneaky. Uh and that's again the sort of mismatch between the law and uh people's experience and feelings of how this this works. But I I I I think you know, we do need to control illegal activities. Ethics and whether it's justifiable from an ethical perspective, that's kind of a very different question, um, which as a lawyer I will sidestep at this time.
SPEAKER_01: Thank you for your valuable insights. So let's talk about the bigger picture now. As we discussed, since its adoption, the GDPR has gone from a landmark reform to the global reference point for data protection, but its impact has often fallen short of its ambitions. Despite replacing outdated rules and reshaping privacy debates worldwide, gaps have emerged from the rise of dark patterns to the growing power of data-driven inference. Now, nearly 10 years on, the European Commission has proposed an update, the Digital Omnibus Proposal, published in November 2025, aimed at modernizing EU data protection for today's digital environment. Our main question is, Professor Walden, for listeners who may not be familiar, what are the key changes introduced in the Digital Omnibus Proposal?
SPEAKER_00: I think it would be fair to say it's again evolution, not revolution. So there isn't any fundamental change in the GDPR. There are areas in which uh reforms have been proposed. One area, for example, is what constitutes personal data. You know, anonymized data is not personal and therefore falls outside of the GDPR regime, but there's always been uncertainty about what constitutes anonymous data and what constitutes pseudonymous data and the consequences of that. And so the proposal would try and clarify that to make the boundary between regulated data and unregulated data somewhat clearer. It is also going to redesign the the regulation of cookies, which I mean the whole cookie banner issue is actually originates in a different piece of European data protection law. But it is, if you like, the poster child of how annoying data protection law could be, because I don't think anyone could say that they enjoy the fact that they constantly have to respond to cookie banners. Uh or few people would perhaps uh say that they enjoy it. But what they're proposing some reforms to that to reduce the number of cookie banners and to to provide mechanisms to make it less burdensome upon users to have to deal with them. There are new rules on on uh statistics, and and again, that's about you know the boundaries of data, which whilst it may be technically personal data, is essentially pseudonymized to the extent that it doesn't really constitute um a threat to someone's individual data protection or their privacy. So there's not a not a huge amount has changed. Some of it is clarifying, some of it is trying to reduce the burden, but it is, you know, despite some of the headlines from some privacy groups that sort of say that this is, you know, a huge watering down. I don't I I really don't I don't agree with that.
I think it's It's um and and and many of the changes actually reflect things that the UK has been trying to do by reforming its version of the GDPR, the UK GDPR, by by trying to reduce some of the burdens and and improve the certainty that exists around the regime.
SPEAKER_02: I think that that really helps clarify what's on the table. It sounds like some of these changes could have like a big impact on both organizational and individual level. But that being said, Professor, we have seen some strong reactions from organizations around the world. For example, the Irish Council for Civil Liberties and European Digital Rights. They've sent a joint letter, open letter to the European Commission. They're warning that the proposed changes could actually weaken individual data protection. Why do you think these groups are sounding so alarmed? And do you think they have a point?
SPEAKER_00: Well, I kind of touched on that already. I mean, I they're sounding alarmed because you know some people don't, you know, think the GDPR is should be strengthened, the rights should be, uh our rights should be strengthened, uh, that it's but but the concern is that the digital omnibus reforms slightly weaken data protection law. Um I don't share their concern, uh, as I've already said. Uh but you know, if you're if you are in the business of privacy and and advocating for civil liberties, then you know you are going to fight against any change that could be perceived or is in reality a lessening of the protections offered. That doesn't that doesn't mean it's it's valid, it just means you know they have a view that differs from the view of other others. And I'm I'm I'm more of the opinion that you know the data the GDPR could be improved as a regime, and partly because I think the the court, the European Court of Justice, has adopted decisions which haven't helped us to understand or to rely on the GDPR. Uh, I think the the the Court of Justice has, in some circumstances, changed what I think the GDPR was meant to be. Uh, international data transfers, I think, is is one area where where where I think that's done. So, you know, the GDPR is not just a uh sort of static instrument, it's a living instrument, and decisions that have been made by, particularly by the courts, have uh uh, but as uh as well as the courts, regulators have have have changed um the way in some of these things operate.
SPEAKER_02: Building up on what you just mentioned, uh, that the proposal could be improving GDPR as a regime, um, do you think it would be uh enough to keep up with the AI, biometrics and other fast-moving technologies, or will we require more updates soon?
SPEAKER_00: It's always a balance. Uh, we don't want to change the legislation on a regular basis. And I would say the history of European data protection law is one of remarkable consistency. Uh, as I said earlier, the 1995 directive is not uh so different from the GDPR. And so the basis for that is European data protection law is built on a series of data protection principles, and those principles uh are designed specifically to be general and therefore capable of being applied to whatever the technology is. Uh, and I think those principles have have done very well. I think they've they they act robustly and can offer a basic level of protection, which is important. So I think there are there may be some edge cases where we do need to tinker with the rules, but as a as a general matter, I think the more we tinker, the the worse the regime will get. I think it's better for the regime to stay at a uh at a general level wherever possible, so so it can offer the benefits that we think it should.
SPEAKER_02: Thank you, Professor Walden. That was really insightful. So in today's episode, we asked a simple but important question. Does data protection really protect our data, or has it just given us endless cookie banners to click through? We explored how design choices and dark patterns often undermine meaningful consent, even when the law sets high standards on people. What we see is that the data protection is no longer a legal issue, but has become a central part of how we shape our digital future and the choices we make now will define how much control individuals truly have in the years to come.
SPEAKER_01: We also looked at how awareness of this practice is growing, yet many companies continue to push the boundaries of what users can realistically understand or control. Overall, this highlights the gap between strong legal standards and users' everyday experiences, showing that real data protection depends on meaningful control in practice and not just compliance on paper. And with that, we would like to say a huge thank you to Professor Walden for joining us and sharing his insights today. Thank you for listening.