13+ Gripping GDPR Statistics for 2023

Updated · May 20, 2023

Discussion surrounding privacy has been ripe in recent years, often specifically concerning tech giants, such as Facebook and Google, who trade in user data.

The EU has stood at the forefront of this movement and has issued multimillion fines against many big corporations due to mishandling of personal information.

In this article, we’ll look into the General Data Protection Regulation (GDPR), which has become prototypical since its inception, with multiple countries throughout the world passing similar laws.

Below, you’ll find all sorts of GDPR statistics that will help us analyze its efficacy as well as provide crucial info on its public reception.

Gripping GDPR Facts (Editor’s Choice):

  • The deadline for GDPR compliance was May 25, 2018.
  • 45% of Europeans still worry about their privacy, even post-GDPR.
  • 67% of Europeans know of the GDPR.
  • Fines for non-compliance can reach 4% of the company’s global turnover or €20 million ($24.4 million), whichever is higher.
  • There are no apparent loopholes around the GDPR.
  • Data breaches must be reported within 72 hours.
  • There were nearly 150,000 complaints within a year of the GDPR becoming enforceable.
  • More than 1,000 news websites blocked EU netizens instead of complying with the GDPR.

Summary of the EU’s GDPR: What Is It?

The GDPR is concerned with data protection and is, therefore, a crucial part of the EU’s privacy and human rights law.

The following GDPR facts will let you know more about what exactly that entails and how such a regulation came to be in the first place.

1. The GDPR became enforceable on May 25, 2018.

(Source: EUR-Lex)

When did the GDPR go into effect? Well, like any law of such a large scale, the process of adopting the GDPR took a while. It was first proposed in 2012 and after years of negotiations between the European Parliament, Council, and Commission, it finally came into force in 2016. Its provisions became applicable two years later, on May 25, 2018. 

The GDPR also applied to EEA countries (Iceland, Liechtenstein, and Norway) from July 20, 2018.

2. “Opt-Out” is out, “Opt-In” is in.

(Source: Securiti.ai)

“GDPR” stands for General Data Protection Regulation and as such, you guessed it, it takes data protection really seriously. One example is the way in which consent is given to websites that collect our information. Previously, they did it without asking if we agreed and usually provided an “opt-out” that’d be deeply buried somewhere in the account settings tab. 

Post-GDPR, websites are required to explicitly ask if the user consents to hand over their data. In other words, it’s now an “opt-in” system, whereby as long as you don’t press the “I consent” button, the website has no legal right to collect personal information.

You’ve probably seen those “This website uses cookies…” pop-ups every time you open a new page, right?

That’s the GDPR’s doing. They can be annoying, sure, but we prefer it this way to the alternative.

3. The GDPR regulation requires companies to report breaches within 72 hours.

(Source: European Commission)

A data breach is a security incident that leads to the leaking of confidential user information. Breaches happen all the time, though some are a lot bigger than others, affecting hundreds of millions of people. Yet, companies will generally try to conceal the extent of damage or even the breach itself. 

That’s where the GDPR comes in—it requires companies to report security breaches within 72 hours. Furthermore, a simple press release won’t be sufficient either, they’ll need to personally notify affected users.

Next time you’re wondering why the GDPR was introduced, try to remember the case of Equifax. The credit bureau suffered a data breach in 2017 and a group of hackers stole the private information of nearly 150 million Americans.

The worst part? The incident happened in May, and Equifax only reported it in September. Under the GDPR, there’d be serious consequences for this delay.

4. The GDPR includes eight consumer rights.

(Source: IT Governance)

Since the GDPR implementation date, all businesses storing the personal data of EU citizens are required to follow eight rules. From the consumer’s point of view, these are his or her rights, with the regulation officially referring to them as “Rights of the Data Subject”. 

They’re as follows: the right to information, the right to access, the right to rectification, the right to erasure (also known as the right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, and the right to avoid automated decision-making.

The Impact of the GDPR: Who Does It Target?

Since its inception, the GDPR has become a model for the creation and promulgation of dozens of similar laws throughout the world. The closest law in the US is the California Consumer Privacy Act. 

But while the GDPR is meant to enhance the privacy of European citizens, non-EU businesses also have to abide by it. Below, we look at key GDPR statistics to explore the impact the regulation has had since 2018.

5. There were nearly 150,000 queries within a year of the GDPR becoming enforceable.

(Source: European Commission)

The GDPR not only set clear boundaries in regard to what’s acceptable when processing data, but also opened up new channels for Europeans to report wrongdoers.

As a result, a recent GDPR infographic indicates that just a year after the regulation’s implementation, individuals and organizations had contacted authorities with 144,376 queries or complaints related to inadequate data protection, security breaches, illegal video surveillance, and others.

Fun fact: July of 2019 saw a 98% increase in complaints (41,661) compared to July of 2018 (21,019).

6. 67% of Europeans have heard of the GDPR.

(Source: European Data Protection Board)

According to the latest GDPR statistics, two-thirds of Europeans have heard of the GDPR. Furthermore, 36% claim they’re well acquainted with its provisions. 

What’s surprising is that there is a significant discrepancy in awareness of the GDPR between different countries’ populations. For instance, 90% of Swedes know what the regulation is about, while only 44% of the French do.

7. 57% of Europeans know there are public authorities responsible for data protection.

(Source: European Commission)

While the GDPR’s purpose was primarily to enhance the privacy of Europeans, the publicity surrounding it also led to heightened awareness of data protection all around the world. 

In 2015, only about a third of the EU population was aware that public authorities responsible for protecting personal data existed. This number has since shot up to 57%. That said, only 20% know which public authority exactly they need to contact to lodge a query.

8. 67% of Americans want the US to follow suit.

(Source: PR Newswire)

Two-thirds of Americans say they’d like to see a “GDPR for the USA”—they agree that the government should do more about data protection and work on federal regulations.

Moreover, 78% of baby boomers are concerned about how businesses handle their data; naturally, most are unwilling to provide their personal information in exchange for discounts or fewer ads online. Astonishingly, young people seem not to care that much, with 45% of millennials saying they’d give up private data if they got a good deal.

9. The GDPR applies to the whole world.

(Source: GDPR.eu)

The regulation’s main purpose is to protect EU citizens’ personal data. If it let foreign business off the hook, that would render it completely pointless. Therefore, extraterritoriality is an important aspect of the GDPR—this enables it to apply to any organization handling the personal data of an EU subject, regardless of where the organization itself is located. 

In short, this means that the GDPR impacts every single business throughout the world that has European customers. And since we live in a digital age, it’s hard to guarantee that none of your customers are based in the EU, unless you region-block the entire continent and lose out on a ton of business. In other words, the GDPR applies to pretty much any organization anywhere in the world, with certain exceptions in place only for very small businesses.

10. Multiple high-profile businesses region-blocked the entire EU when the GDPR came into force.

(Source: Fortune)

GDPR statistics show that more than 1,000 websites, many of them American, completely blocked EU visitors from accessing their pages, instead of complying with the GDPR.

Among them were a third of the Top 100 American news websites, including big names like The Los Angeles Times and New York Daily News. 

Some claimed it wouldn’t be “economically viable” to comply (read: to stop harvesting user data indiscriminately), others said they were working on making changes to achieve compliance. That’s good and all, but they had since 2016 to make the necessary changes… and didn’t. It took many businesses several months to open their websites to EU audiences.

GDPR Compliance Requirements: How Not to Get Fined?

Not getting fined is usually a matter of not doing anything wrong, right? It’s kind of similar here, but when the GDPR was first enforced, it turned out that a majority of businesses were not, in fact, compliant with it. 

Many even region-blocked EU users from accessing their websites because they feared penalties. In this section, we’ll look at a bunch of amusing GDPR facts that’ll show you how even the biggest corporation on Earth couldn’t evade some absolutely humongous fines.

11. Luxembourg hit Amazon with a gigantic fine of €746 million ($865 million) in 2021.

(Source: Bloomberg)

Failure to follow GDPR guidelines can be costly… extremely costly. Amazon is huge but still can’t escape GDPR fines. Over the past few years, the company has been fined by France ($39.6 million in 2020) and the Luxembourg National Commission for Data Protection ($865 million in 2021). Both cases primarily have to do with Amazon’s alleged processing of user data without consent. Put simply, if Amazon wouldn’t “force” users to agree to cookies, it could’ve avoided the penalty.

Fun fact: In 2019, the US Federal Trade Commission issued the biggest-ever privacy-related fine. It stood at $5 billion, and the target was Facebook. That must have encouraged the EU to take on a more heavy-handed approach, too.

12. The GDPR prevents businesses from hiding behind legalese.

(Source: Osano)

Let’s face it, none of us read the Terms & Conditions, or the data privacy policy, or matter of fact anything else of the sort that we get bombarded with whenever we sign up for a new service. 

While most of us might just be lazy, it’s also undeniable that the legal language such documents use is all but unintelligible for us common folk.

Don’t fret, though, the GDPR is here! With GDPR compliance meaning companies can no longer hide behind such legalese and are now required to be upfront about what exactly they do with our data and what’s more—explain it in a concise and clear manner.

13. The GDPR grants the right of DSARs to EU citizens.

(Source: Egnyte)

Yes, we’re fully aware of the irony—we just spoke about legalese and now we’re hitting you with this headline. We shall explain everything, don’t worry. DSAR stands for “Data Subject Access Request,” while “data subject” is any individual whose data has been collected by an organization. 

So, how to be GDPR compliant in this regard? Well, any organization storing the personal data of an EU citizen has to provide a clear way for said individual to request information on how their data is being used. Obviously, the organization should also actually provide said data upon such a request.

Fun fact: The CCPA (California Consumer Privacy Act) has even more specific provisions in place. For instance, the Act explicitly states that companies handling the personal information of a Californian have to provide two methods of submitting a DSAR, one of which has to be a toll-free phone number. California really took it to the next level…

14. The GDPR puts human rights above all else.

(Source: Secuvy.ai)

What is GDPR compliance? In its most fundamental form, it’s prioritizing human rights over all else, including profits or even user experience. Here’s an easy-to-understand example.

You know how Google Assistant is kind of better than Siri nowadays? That’s because Google harvests billions of users’ personal data, often without consent, and uses it to feed its AI algorithms. Apple doesn’t do that (you have to opt-in in the settings of your device).

While the user experience Google Assistant provides might be a tad superior, the GDPR says what Google’s doing is still impermissible if it’s at the cost of breaching human rights.

No surprise, then, that the EU has aimed four of the Top 20 biggest GDPR fines to date at Google, for a total amount of ~$240 million.

15. The GDPR protects virtually every kind of personal information.

(Source: CSO)

What does the GDPR do? Protect individuals’ personal information, of course. But what exactly does “personal information” comprise? Basic identity information (name, address, date of birth, etc.), web information (geodata, IP address, cookies), health and genetic data (all that info your phone’s Health app collects), biometric data (fingerprint scanners on smartphones, facial recognition), racial and ethnic data, political opinions (this includes stuff you post on social media), and even sexual orientation.

Fun fact: The CCPA (California Consumer Privacy Act) is similar in scope, but there are two notable exemptions: it does not apply to personal health data and financial information. Supposedly, there are other statutes that take care of those.

16. The GDPR applies to minors, too.

(Source: GDPR.eu)

The General Data Protection Regulation website makes it abundantly clear that it applies to children, too.

In fact, it goes so far as to say minors merit further protection, as they might not be aware of all the risks. “Minors” here refers to children under the age of 16 by default, though EU member states “may provide by law” for a lower age, as long as this age is not below 13 years.

One aspect of this is that organizations need to provide clear and age-appropriate guidance. Furthermore, the GDPR requires them to make “reasonable efforts” to confirm that the individual has parental consent, though we admit this is rather vague.

Wrap Up

To many of us, a mass surveillance society still sounds like something out of a dystopian fiction novel, but in reality, it might be closer than we think. It is precisely regulations such as the GDPR that are a key factor in preventing corporations from gaining undue power and influence through the harvesting of personal information.

We compiled this list of curious GDPR statistics to let you know more about the importance of privacy—and if you’re European, perhaps also to open your eyes to rights you might not have known you had. Now that you do, we hope you can browse the internet more confidently.

What are “statistical purposes” in the GDPR?
“Statistical purposes” generally refers to the use of data for surveys, analysis, scientific research, etc. Under the GDPR, if you collect any personal data for a survey, the regulation still applies to that data.
What are the major impacts of the GDPR?
The biggest impact comes from the GDPR’s extraterritoriality, which requires worldwide compliance with the regulation when it comes to EU data subjects’ personal information.
Is the GDPR really working?
Statistics show that it is—awareness of privacy among Europeans has risen significantly and many corporations are starting to market themselves as privacy-oriented in a bid to appease customers.
Has anyone been fined under the GDPR?
Oh boy, you’ve no idea! Amazon, Facebook, Google (several times), H&M, British Airways… even the Austrian Post service. In terms of numbers, Amazon takes the first place with a fine of €746 million ($865 million).
Nick Galov
Nick Galov

Unaware that life beyond the internet exists, Nick is poking servers and control panels, playing with WordPress add-ons, and helping people get the hosting that suits them.