Max Schrems, the Austrian privacy lawyer and activist, brought the case against Facebook that the Court of Justice of the European Union decided on 16 July 2020 (Case C-311/18, commonly called Schrems II), challenging the validity of personal-data transfers from the European Union to the United States under the General Data Protection Regulation (GDPR); the Court struck down the EU-US Privacy Shield as a transfer mechanism. The ruling highlighted not only the limitations of the GDPR but also a broader problem: privacy law has morphed into a set of compliance rituals rather than a foundational safeguard for individual privacy.

In the post-GDPR landscape, major corporations such as Google LLC and Facebook, Inc. have often prioritized demonstrable compliance over substantive privacy protections for their users. A key driver of this compliance theater is the lobbying of large technology firms, which push for rules that let them operate under vague compliance guidelines while keeping their data-driven business models intact.

The Revolving Door at Play

In the wake of the GDPR's implementation, a notable example of the revolving door in action is Isabelle Falque-Pierrotin, who left the French data protection authority (CNIL) on 30 June 2019 and subsequently joined the board of directors of AXA Group, a company for which data management and protection are central. Her move raises the question of whether her former role shaped the compliance relationships AXA subsequently entered into, including a multi-year contract with the CNIL on data protection frameworks, valued at €1.5 million and awarded on 15 January 2020.

Following the Money at the Compliance Level

The financial implications of compliance rituals are staggering. A 2020 survey by the International Association of Privacy Professionals (IAPP) found that organizations spent an average of $1.4 million on GDPR compliance in the first year after the regulation took effect. Much of that money flows from data controllers and processors to compliance consultancies such as Deloitte and PwC, which together have secured GDPR compliance contracts worth more than $20 million. The resulting advisory reports frequently prescribe superficial measures that satisfy the letter of the law rather than strengthen actual privacy protections.

Patterns and Structures of Compliance Theater

Not for the first time since the GDPR took effect, significant privacy reform has been overshadowed by compliance theatrics. The way the GDPR has been implemented in practice is a case study in how a regulatory framework can be bent to the financial benefit of tech giants and compliance consultants while leaving user privacy inadequately addressed.

Moreover, the European Data Protection Board (EDPB) has often championed these compliance measures without imposing effective accountability for failures in actual data protection. The structure lets a company like Facebook, run on the operations side by Sheryl Sandberg, who was COO in July 2020 during the critical discussions about compliance practices, keep its data policies with only minimal adjustments, relying on brief and often ambiguous commitments to GDPR compliance.

Historical Depth of Privacy Regulation

The historical roots of today's compliance practices go back to the early internet privacy debates of the late 1990s, when privacy was treated as a regulatory checkbox rather than a principle grounded in ethics or user rights. As the technology evolved, those tasked with overseeing and enforcing privacy measures frequently found themselves embroiled in lobbying efforts that undermined more substantive privacy enhancements in favor of preserving the status quo.

While regulatory bodies such as the EDPB present a facade of oversight, they operate within a system heavily influenced by the very organizations they are meant to regulate. This inherent conflict of interest recalls Cold War-era intelligence operations in which oversight was structurally compromised: oversight designed not for protection but for the convenience of the interested parties.

The Silent Beneficiaries

The ultimate beneficiaries of these compliance rituals are not the individuals whose data is being monetized but the corporations and consultants profiting from requirements that are stringent on paper yet shallow in effect. Compliance consultants have reaped substantial rewards; Deloitte alone earns fees from compliance contracts with a range of organizations that collectively exceed $50 million a year.

Max Schrems' litigation, together with various investigations into the effectiveness of the GDPR, points to a growing awareness among consumers and advocates of the inadequacies of current regulation. They have mobilized through lawsuits and public awareness campaigns for genuine privacy rights, highlighting the gap between GDPR compliance and real protection of personal data.

The net effect of the GDPR and similar privacy laws is a compliance-first process that satisfies legal requirements while user privacy goes unaddressed. The compliance industry thrives on such superficial measures, and until there is political will for real change, compliance theater will continue to masquerade as genuine data protection.

On 12 October 2023, the European Parliament is due to deliberate further on GDPR reform. Whether those measures will address the core problems or merely reinforce the current theater remains an open question, with stakeholders already lining up to influence the outcome.