Today marks the 2-year anniversary of Europe's revamped #privacy rules, known as GDPR. For some, they represent a game changer. For others, they've failed completely. As always, the truth is somewhere in between.

<<cue thread>>

So let's start out w/ some stats (who doesn't like some stats on a Monday morning, amirite?): Since May, 2018, €150 million in fines have been levied by Europe's #privacy agencies against everyone from @google to small companies to govts.

Collectively, 289k complaints have been filed across the 27-country bloc (+UK), and EU #privacy watchdogs, combined, have €292m & 3670 ppl in budget/resources to enforce some of the world's most complex data practices. Phew.

So have these rules been a success? Let me play the politician and say yes and no. We're still just 2 years into this new regime, but it's fair to say that GDPR has yet to live up to the hyperbole that many (including me, at times) had discussed in its build-up

For me, I ask myself 3 questions: Are people better protected? Do they know how to exercise their rights? And are companies behaving better & overhauling the ways that they handle/use people's data?

On the first two questions, I would say yes, ppl's data is better protected, but no, they don't know how to use GDPR (on average) to protect their rights. I wrote this back in early 2018 & stand by it: https://www.politico.eu/article/europe-privacy-data-protection-gdpr-general-data-protection-regulation-max-schrems-facebook-google/

Sure, there has been a record number of complaints, but for the majority, GDPR has become a beefed-up version of the (in)famous Cookie Directive: just click on the consent form when visiting a website and move on. Simples.

On the third question -- on corporate behavior -- I'm torn. Yes, there's been a major overhaul of internal structures within companies, but the most aggressive data practices are mostly still in place, all be with a few tweaks

You just have to look at the UK's shelving of its lengthy investigation into the online advertising market (a very very data-hungry sector) to see how the worst offenders are pretty much doing what they've also done.

And as for Big Tech? I mean, there's a lot of thought gone into giving ppl the guise of greater consent over how their data is collected/used (I'm not sure ppl really care or understand the consents they're asked for, but still)

But it's also true that GDPR has helped cement Silicon Valley's place in the digital arena, particularly in online advertising, b/c they are the only ones w/ bigger enough pockets to pay for compliance. More here https://www.politico.eu/article/europe-data-protection-gdpr-general-data-protection-regulation-facebook-google/

And that takes me to the geopolitical consequences. Brussels is/was eager to show how its #privacy rules have become the de facto global standard, and that's pretty much become the case (outside of China)

The biggest holdout is the US, and many in DC have also been eager to show how GDPR is cumbersome, favors Big Tech & potentially breaks the internet as we know it (just search for 'gdpr' & 'whois database')

To that, I say meh. It would be one thing if US had an alternative (sorry, California, CCPA is barely GDPR Lite). But w/ no federal #privacy standards on cards for foreseeable future, it's a little rich for US to throw shade on GDPR when US citizens don't have the same rights

<<ducks for cover>>

Right, so where was I? Oh yeah, geopolitics. Things me to my last point: where GDPR needs to be fixed, and fixed yesterday: EU cooperation (yes, yawn, but bear w/ me). It goes to 1) effectiveness of #privacy rules; 2) Europe's role in the world

Over last 2 years, the biggest failure of GPDR has been the inability for EU national privacy agencies to work w/ each other (they say they do, but it's far from perfect).