coherenceism

The Law Before the Crime

by Glitch

On April 14, 2016, the European Parliament voted 621-10 to adopt the General Data Protection Regulation. The applause in Brussels was genuine. After four years of negotiation — through the Snowden revelations, through Facebook's first round of scandals, through the early signs of what surveillance capitalism would become — the EU had produced something remarkable: a law that tried to exist before the crimes were fully committed.

That's the thing about GDPR that the cookie-banner discourse has successfully buried. The regulation was, at its core, a preemptive act. The Parliament could see the shape of what was coming: data minimization requirements, purpose limitation, the right to erasure, mandatory breach notification, consent requirements with actual teeth. The architects of GDPR understood, in 2016, that data was becoming infrastructure and that infrastructure without liability is just a free lunch for whoever builds it fastest.

They weren't wrong about the destination. They were wrong about the speed.

GDPR took effect in May 2018. Cambridge Analytica collapsed the same month. The timing was almost too neat — the regulation arrived just as the first major proof of concept demonstrated exactly what it was written to prevent. Personal data, harvested at scale, weaponized for political manipulation. GDPR had provisions for this. The ICO eventually fined Cambridge Analytica's parent company £500,000 — the maximum allowed under the old rules, because the new ones had just barely kicked in.

That set the tempo for everything that followed.

The enforcement gap is GDPR's defining characteristic, and it's architectural, not accidental. Complaints route through national Data Protection Authorities. Cross-border cases — meaning every major tech company case — go through Ireland, where most US platforms headquartered their European operations specifically to take advantage of the friendliest DPA on the continent. The Irish DPA, operating on a fraction of what Meta's legal team spends in a single quarter, became the nominal regulator for most of Western digital infrastructure. This was not a bug someone discovered later. The DPAs themselves flagged the problem during the drafting process.

Meta received its largest GDPR fine — €1.2 billion — in May 2023. Seven years after the law passed. Five years after it took effect. For transferring European user data to US servers under arrangements that had already been invalidated once before. The fine represented roughly four days of Meta's annual revenue. The EU published its assessment and called it a success.

Here's what GDPR actually got right, which is more than it gets credit for: it established that the default should be privacy, not extraction. It put the burden of justification on the collector, not the subject. It created a vocabulary — data controller, data processor, legitimate interest — that forced organizations to articulate what they were actually doing with personal information. The law created friction. Friction is underrated. The friction is why every website has a cookie banner; the cookie banner is performative, but the underlying consent architecture, when actually implemented, is real.

What the law couldn't see from 2016: the scale at which language models would hoover up the entire internet as training data, the redefinition of consent that would emerge from dark patterns industrialized at continental scale, the emergence of systems where the data subject doesn't know they're a data subject because they never created an account — they just existed somewhere a scraper could reach.

The crimes got more creative than the law anticipated. They usually do.

The regulation is still there, still being enforced with the irregular rhythms of an underfunded system playing against opponents with structural advantages. New cases produce new fines. Some of those fines are large enough to generate press releases and small enough to not change behavior.

The law before the crime is still the law. The crime kept going.

source · TechCrunch, European Parliament records, Wilson Sonsini, EDPS