Mapping the empirical literature of the GDPR's (In-)effectiveness: A systematic review

In the realm of data protection, a striking disconnect prevails between traditional domains of doctrinal, legal, theoretical, and policy-based inquiries and a burgeoning body of empirical evidence. Much of the scholarly and regulatory discourse remains entrenched in abstract legal principles or normative frameworks, leaving the empirical landscape uncharted or minimally engaged. Since the birth of EU data protection law, a modest body of empirical evidence has been generated but remains widely scattered and unexamined. Such evidence offers vital insights into the effectiveness of data protection measures but languishes on the periphery, inadequately integrated into the broader conversation. To make a meaningful connection, we conduct a comprehensive review and synthesis of empirical research spanning nearly three decades (1995 - March 2022), advocating for a more robust integration of empirical evidence into the evaluation and review of the GDPR while laying a methodological foundation for coordinated research. By categorising evidence into four distinct groups– Awareness and Trust, Operational Performance, Ripple Effect, and Normative Clarity, we provide a structured analysis therein and highlight the variety and nuances of the empirical evidence produced about the GDPR. Our discussion offers critical reflections on the current orientations and designs of evaluation work, challenging some popular but misguided orientations that significantly influence public debate and even direction of empirical and doctrinal research. This synthesis also sheds light on several understated aspects, surfaced by our systematic review, including the complex structure of the GDPR and the internal contradictions between components, the GDPR's interaction with other normative values and legal frameworks, as well as unintended consequences imposed by the GDPR on other values not explicitly recognised as regulatory objectives (such as innovation). We further propose a methodological improvement in how empirical evidence can be generated and utilised, stressing the need for more guided, coordinated and rigorous empirical research. By re-aligning empirical focus towards these ends and establishing strategic coordination at the community level, we seek to inform and underpin evaluative work that aligns empirical inquiries with policy and doctrinal needs, while truly reflecting the complexities and challenges of safeguarding personal data in the digital age.