GDPR went into effect in Germany in late May 2018. We just passed the one year mark. What have we learned?
There has not been anything major in the DACH market, really. The first fine in Germany was about 20,000 Euros, and it was logged against Knuddels (a social media site). An Austrian company got hit with a 4,800 Euro fine for illegal video surveillance activities, and as of a few months ago, there were 41 total fines under GDPR. (At the exact one-year mark of GDPR in Germany, it looks like 75 total fines were issued.) And check this out. Here’s a list of countries that offered zero GDPR fines in the first year: Belgium, Croatia, the Czech Republic, Denmark, Finland, Ireland, Italy, Luxembourg, Slovakia, Slovenia, Spain, Sweden, and the U.K.
Google and Facebook
Google was fined 50M Euros in France in early 2019, but it does not appear they incurred any fines in Germany. Germany has cracked down a bit on Facebook for “abuse of market power” in early 2019, and there is a broader, low-billions fine Facebook could face in the EU. But at this exact moment, has GDPR reined in the biggest tech-and-data companies? Not exactly and definitely not entirely. That’s probably to be expected, though: while these laws were a great start, they’re going to take some time to really see massive fines or corresponding behavior changes. And consider: even a $1B fine of Google or Facebook is mere percentage points of their revenues/cash on hand, so whether fines would lead to behavior changes is another topic altogether. Under the GDPR, companies can be fined 20 million euros ($22.4 million) or 4% of their total annual worldwide revenue in the preceding financial year, whichever is higher.
Anecdotally, it seems as if the DACH market is receiving less spam (good!) and the quality of sales emails is higher (great!). While there is limited actual research on the decline in spam — and it would vary by industry anyway — the general consensus seems to be that GDPR has declined spam overall, especially in DACH.
The first year of GDPR in DACH seems to have been good for improved privacy policies and generally better handling of user data, as well as more relevant and quality B2B sales emails. The next step, in addition to consistency in those areas, will be bigger fines (within reason) for the big players in data-consumption and use. But if we keep seeing better targeting and messaging for B2B offers and less spam (which brings all salespeople down!), then GDPR is doing its part so far. Was it worth all the hype we gave it in 2017 and 2018? Not yet, but it might still get there.