Abstract
The European Commission has argued that the General Data Protection Regulation (GDPR) adopted in 2018 created a solid framework of digital trust. This paper critically examines the statement. Firstly, a Kantian approach to trust is outlined. In the second section, key aspects of the historical development of commercial trade in personal data and the regulatory efforts of the EU are analyzed. The third part of the paper considers the concept of consent both as a philosophical concept and as the main legal tool for protecting citizens’ data, arguing that the idea that citizens are able to make rational and informed choices about consent to sharing of data is currently fictitious. The final section draws on the Kantian conception of trust to evaluate the EU’s efforts to enable trustworthy data stewardship for its citizens in the digital information environment. The Kantian analysis concludes that even though the GDPR has the potential to supply citizens with trustworthy data protection, its enforcement procedures as well as the 2025 proposed amendments to the GDPR work against trustworthy data stewardship.
Introduction
According to the EU Commission’s 2020 European Strategy for Data, its efforts to regulate the digital information environment have been effective. In particular, the Commission affirms: “With the General Data Protection Regulation (GDPR), the EU created a solid framework for digital trust” (Data Strategy 2020, 4). The GDPR was accepted as binding law in 2016 and came into force in May 2018, replacing previous data protection regulations. Since the 1990s, European legislators have sought to reconcile the two opposing values of enabling a growing digital economy and establishing high standards of data protection for citizens. In 2020, the EU commission lauded its efforts to regulate “the data-agile economy” as a specific “European way” of “balancing the flow and wide use of data, while preserving high privacy, security, safety and ethical standards” (Data Strategy 2020, 3). The regulations are prized for their proficient balance between protecting individual rights and promoting digital competition. Especially, the GDPR is “empowering individuals to exercise their rights” through “the high level of protection granted by the GDPR,” while at the same time industry and the digital economy can thrive on the “increasingly large amounts of data … generated by consumers when they use IoT [Internet of Things] devices and digital services” (Data Strategy 2020, 10).
In 2020 the Commission argued that it had resolved the tension between the economy’s thirst for personal data and the obligation to preserve citizens’ rights in the digital society. But already in November 2025, it has in collaboration with the EU Parliament proposed a collection of amendments and simplifications to the digital regulations under the title of a Digital Omnibus (DO 2025). EDRi, the European Digital Rights network of civil society organizations working to protect citizens’ digital rights has raised the alarm, warning that the Digital Omnibus is “part of a wide deregulation agenda” and “an attempt to covertly dismantle Europe’s strongest protections against digital threats … [and a] rollback of digital fundamental rights” (EDRi 2025, 1).
As is clear from these few citations, the regulatory efforts of the European Union have wavered between increasing citizens’ rights to data protection and relieving businesses from regulatory burdens. In this article I am interested in assessing how the value of trust fares as the EU attempts to balance citizens’ rights and corporate interests. My theoretical perspective is a Kantian conception of trust with emphasis on two types of trust, pragmatic and moral trust. Accordingly, the introduction includes an outline of key aspects of a Kantian philosophy of trust.
The Kantian Distinction Between Pragmatic and Moral Trust
While Kant did not write extensively on trust, he did throughout his writings emphasize the importance of trust in understanding human sociality. By reviewing Kant’s remarks about trust, ranging in scale from the close human relations in friendship to international politics, we can obtain a framework for reconstructing a Kantian theory of trust (see Longworth 2017; O’Neill 2002; Pedersen 2012, 2023; Schröder 2010; Süssmann 2002).
In Anthropology from a Pragmatic Point of View, Kant portrays human sociality as guided by trust in implicit norms of behavior by pointing out how experientially developed customs in different cultures mold interpersonal relations. Drawing on his own lifeworld, Kant highlights how at dinner parties in Königsberg one can expect that the conversations are carried out under “a duty of secrecy … for without this trust” there could be no enjoyment of “this social gathering” (Kant 1798, 7: 278). This kind of implicit social coordination is also and more generally recognizable in “ancient customs in the trust between human beings who eat together at the same table; for example, those of the Arab with whom a stranger can feel safe as soon as he has merely been able to coax a refreshment from him” (Kant 1798, 7: 279).
Kant underlines how such experientially based trust in social customs can be used by the cunning to exploit the trust of others. Humans who are masters in the art of simulating feelings are not “regarded as the best human beings with whom one can deal in trust, especially if they are practiced in affecting expressions that contradict what they do” (Kant 1798, 7: 300). The social bond of trust is therefore always risky and discloses the vulnerability of human relations. In his account of international politics in Perpetual Peace, Kant projects onto the relations between states the trust and ensuing dependence on the other necessary to achieve one’s objectives, which the con man can exploit in his peers. Whereas the con man relies on established customs of trust in a social environment, Kant emphasizes that states under maximal stress during wartime will assume a bare minimum of trust, as a reflection of a reciprocal wish to exist (Kant 1795, 8: 346). This trust takes the form of a mutual recognition that a “war of extermination” (Kant 1795, 8: 347) is not sustainable. Kant explains this level of assurance as “some trust in the enemy’s way of thinking” (Kant 1795, 8: 346). On the one hand, reciprocal trust is at the core of social coordination, preventing mutual annihilation; on the other hand, in peaceful social environments, it enables cunning individuals to exploit those who act in accordance with social habits.
From Kant’s discussion of friendship in the Doctrine of Virtue, we glean the differentiation between pragmatic trust and moral trust, that is, a differentiation between trust relations whose purpose is to augment some self-interest, and trust relations whose purpose is respect for the personhood of the other based on reason. The differentiation between pragmatic and moral trust corresponds to the distinction between motivation through imperatives of skill (Kant 1785, 4: 415) and the categorical imperative (Kant 1785, 4: 416). Accordingly, Kant differentiates between aesthetic and moral friendships. The aesthetic friendship is characterized by the fact that feelings unite the friends. Their relation is “a union aimed at mutual advantage” (Kant 1797, 6: 470). Moral friendship, on the other hand, exists, like black swans, “here and there in its perfection” (Kant 1797, 6: 472), and consists in the “complete trust of two persons in revealing their secret judgments and feelings to each other, as far as such disclosures are consistent with mutual respect” (Kant 1797, 6: 471). Moral friendship entails reciprocal trust in the good noumenal character of one another and testifies to the possibility of human actions guided by respect for the moral law.
The conception of moral trust and its rare realization in moral friendships thus produces a criterion by which all pragmatic relations of trust can be evaluated (see also Kant 1793, 6: 26–27, where the predisposition to humanity and thus rational goal-oriented actions is compared with the predisposition to personality, which includes the idea of responsibility as the key criterion for evaluating rational actions). Reciprocal moral trust between friends allows them to enter a social relationship in which they do not have to incessantly estimate risks. They can act in reciprocal freedom because the ‘complete trust’ in the good character of the other implies reciprocal respect and love. The possibility of personal and societal cultivation of moral friendship rests on the ability to trust. The existence of moral friendships evokes the possibility of realizing the ideal of a kingdom of virtue as a focus imaginarius of humankind.
The Kantian understanding of trust highlights a conflictual tension between an individual’s responsibility to be morally trustworthy and to place trust in others wisely, on the one hand, and all individuals’ simultaneous mutual dependency in connection with the development of moral trustworthiness on the other. Just as the individual cannot enlighten herself but needs free and critical public discussions to form enlightened opinions (see Kant 1784, AA 7: 36, Pedersen 2012, 148–149), the individual will only be able to develop a morally trustworthy character through interaction with others who also strive to become morally trustworthy (see Kant 1793, 6:93, Pedersen 2023, 139). Hence the enlightened collective effort to form a just societal order is a necessary condition for moral progress. Individual moral progress is mirrored by the primary political duty to enter a law-governed state because the state provides the condition of possibility for protecting the individual and his freedom.
Human sociality relies on trust relations for individuals to coordinate and collaborate in everyday life situations, within states, and between states. Pragmatic trust relations strive to maximize the self-interest of the interacting individuals, citizens, or states. The ideal directing pragmatic trust relations is mutual material advantage. Moral trust shifts the focus from the extension of material gains to reciprocal freedom and mutual respect. At the core of moral trust is the ideal of a social practice in which interdependent freedom is realized. Accordingly, the Kantian conception of trust posits moral trust as the condition of possibility to evaluate the practical worth of any trust relations. The distinction between pragmatic and moral trust and the ensuing differentiation between two motives for entering social relations – to increase either self-interest or reciprocal freedom – suggests a route to assess whether an individual or a state is trustworthy. As will be discussed in section 3, Kant highlights that a recommendation to trust in agents only motivated by self-interest cannot be endorsed morally. This implies, as I will argue, that if legislation only considers pragmatic trust in material gains, such legislation will not support and promote a just society.
Outline
In what follows, the Kantian distinction between pragmatic and moral trust will be employed to assess the EU’s regulatory efforts to enable digital trust. To qualify the discussion, I present key aspects of the development of information and communication technologies and their economic underpinnings, as well as past European attempts at regulation. In the first part, I outline the development of the commercial trade in personal data and the European regulations from the 1990s that resulted in the adoption of the GDPR. This followed by an analysis of the concept of informed consent as the primary vehicle of data protection in the GDPR. In the final discussion, I employ the Kantian differentiation between pragmatic and moral trust toevaluate the European legislative efforts to ensure digital trust. The question is whether the digital information environment the EU recommends its citizens to trust is indeed trustworthy. My analysis indicates that the EU recommends EU citizens to trust digital companies as their data stewards. Whether this recommendation to trust is morally warranted depends on the regulations and their implementation. Four scenarios are compared: (1) the situation prior to the adoption of the GDPR; (2) enforcement of the GDPR, as is currently the case; (3) the outcome if the 2025 proposed amendments to the GDPR are enacted as law; and (4) the outcome if the GDPR is stringently enforced. Only in the last case, so I argue, can the EU’s pretention to establish a trustworthy digital information environment be said to carry weight.
Balancing Data Protection and Economic Growth in the Digital Realm
The EU is recognized worldwide as a global leader when it comes to regulation of the digital information environment. Already in 1995, the EU adopted the Data Protection Directive (DPD 1995) a precursor to the GDPR which formulated the principle that processing of personal data can only take place if “the data subject has unambiguously given his consent” (article 7, DPD 1995). The Directive should ensure that “data-processing systems are designed to serve man” and that they respect “the fundamental rights and freedoms” of natural persons while also contributing “to economic and social progress, trade expansion and the well-being of individuals” (Recital 2, DPD 1995). Accordingly, the Directive formulated the double constraint of promoting citizens’ rights to data protection and enabling economic growth through the free flow of data in the European commercial internal market. The balancing act undertaken by the EU has from the outset aimed at squaring the commercial interests inscribed in competition laws of the internal market with the ideal of establishing high standard rights for EU citizens.
The Directive was adopted to approximate national privacy protection laws and “remove the obstacles to flows of personal data,” harmonizing “the level of protection of the rights and freedoms of individuals with regard to the processing of such data … in all Member States” (Recital 8, DPD1995). The Directive emphasized the promotion of individuals’ rights as the primary principle in the regulation of the emerging industry of computer and information networks (see article 1, DPD1995), relegating economic progress to one among other fundamental rights and freedoms made possible by data-processing systems. The first regulation was sternly focused on safeguarding individuals’ rights within the internal market as the computer revolution enabled data flows and new economic opportunities (see Recitals 1 and 2, DPD 1995).
The priority assigned to data protection by the EU was not greeted with applause by the US. The Clinton administration published its position in 1997 under the heading Framework for Global Electronic Commerce, asserting that the novel “Internet” was best served by “industry self-regulation” (FGEC 1997, 1). Its first principle announced: “The private sector should lead” (FGEC 1997, 2). The EU’s efforts to “safeguard their citizens’ privacy” were met with skepticism because they “might disrupt transborder data flows” (FGEC 1997, 13). Instead, the US supported “industry-developed solutions to privacy problems and … market driven mechanisms to assure customer satisfaction about how private data is handled” (FGEC 1997, 14). To achieve “sufficiently flexible” criteria for evaluating adequate conformity to the EU regulations, the FGEC proclaimed that it would continue discussions with EU nations and the European Commission about the rationale of the American way. This included convincing governments globally to “recognize the unique qualities of the Internet.” If global laws and regulations hindered electronic commerce, they “should be reviewed and revised or eliminated to reflect the needs of the new electronic age” (FGEC 1997, 3).
The American ideal was a booming business environment facilitated by the development of the “Internet,” unconstrained by regulatory guardrails. The struggle between commercial interests and citizens’ rights to data protection played out in a technological landscape specific to the 1990s. The present deregulation of AI under the second Trump administration continues the policy of earlier administrations. The EU has vacillated between passing laws that uphold citizen centered rights or that accommodate commercial interests. The latest proposal from the European Parliament and the EU Council for a Digital Omnibus (DO 2025) that simplifies the regulations marks – as I will discuss in section 4 – a realignment with the American ideal of industry self-regulation.
Commodification of Human Behavior via Data Traces
Concerns for privacy and data protection have tailed the development of computers and the internet from the outset, and the growing power to steer and control data flows has been highlighted as a potential risk (see McChesney 1993; Moor 1985; Nissenbaum 1998; Solove 2001; Weizenbaum 1976). Technological developments and the ensuing attempts to commodify personal data in the form of digital traces left unknowingly by internet users have continuously met with criticism from privacy researchers (see Nissenbaum 2010). In hindsight, it is noteworthy that the Clinton administration authorized a digital economy without regulatory boundaries before the key technologies enabling the commodification of personal data as we know it were invented. This was effectively a political decision to promote industry-developed solutions rather than letting the developing digital information environment be guided by a precautionary principle or imperative of responsibility (Jonas 1984) to prevent possible harms arising from new technologies.
The development in the 1990s of novel software features such as “cookies,” which were invented in 1994 by Netscape, the first commercial web browser company, both enabled a stable, user-friendly internet and provided a technical precondition for transforming users’ browsing habits into a commodity in the digital economy. Combined with other tools of online advertising, the ability to track user activity would result in a billion-dollar business and make up the foundation of what Shoshanna Zuboff (2015, 2019, 2022) calls “surveillance capitalism.” The early distinction between “necessary” cookies, which enable webpages to recall information and remember users, and “third-party” cookies, used to collect personal data for commercial purposes, underscores that it was not inevitable that software such as cookies should be used to harvest and sell data about users. Within the EU, the GDPR is supposed to regulate precisely this activity by empowering individuals to decide who has access to their data.
In 1998, the internet company and search engine GoTo.com introduced an online advertising model, Overture, where advertisers would pay for their ads only when users clicked on them online. The economic crisis of the dot.com bubble in 2000 made it urgent for internet companies to find new means of revenue. Mining user data turned out to be a lucrative solution. While data mining in and of itself is core to the development and functionality of search engines, the technique was twisted and turned into a means to make money by using search queries as the basis for online advertisement. Google, at the time a small start-up, launched AdWords in 2000 to sell and show ads on its search engine. By combining its version of Overture’s pay-per-click advertising with the data created by users’ queries to its search engine, Google invented a new income generator. Its economic success was eminent, and “this service would soon become the company’s main revenue source” (Ungureanu and Popescu 2022, 125).
Keeping the design of advertising software a proprietary secret and thus excluding users, researchers, and regulators from detailed insights into the technical set-up of the digital information environment became an important part of the business model behind online advertising. Yahoo, having acquired Overture in 2002, filed a patent infringement lawsuit against Google AdWords for copying Overture’s original advertising model. The matter was settled in 2004, with Google agreeing to issue 2.7 million shares to Yahoo to secure the patent rights over the pay-per-click model (Bond 2004). But even before the settlement, Google had advanced the technology of online advertising with AdSense, introduced in 2003, which enabled advertisers to buy ads on third-party websites, outside of Google’s search results. AdSense marked the beginning of the era of programmatic advertising or real-time bidding. It exploits user data to generate targeted advertising as Google can scan any website, classify the content, and combine it with knowledge of users’ search histories, thus enabling a higher degree of precision in targeted ads.
Next to Google, the largest player in online advertising (outside of Meta and other social media, which are beyond the scope of this article) is the Interactive Advertising Bureau (IAB), founded in 1996. Today IAB is an inevitable mediator of online advertising, having patented industry standards and formats for digital advertising. Google and IAB have turned targeted online advertisement and its trade in information about internet users into a billion-dollar industry. IAB’s annual report of 2024 testifies to the success of this approach: “The digital advertising industry reached new heights in 2024, with ad revenue climbing to $259 billion, a 15% year-over-year increase from 2023” (IAB 2025, 4). The final section of this paper will return to the topic of real-time bidding in the context of the GDPR and the Belgian Data Protection Agency’s legal win against IAB Europe in 2022 and the later appeal verdict of May 2025.
The Effectiveness of Early Privacy Regulations and the GDPR
An American comparative study from 2011 on the effects of EU privacy regulations found “that even moderate privacy regulation does reduce the effectiveness of online advertising” (Goldfarb and Tucker 2011, 58). The study established that “privacy laws in the EU” decreased the effectiveness of banner ads displayed on a web page by “65 percent” (Goldfarb and Tucker 2011, 68). The reason for this loss of effectiveness – and, according to the authors, the problem with regulation of data flows – was that the EU Privacy Directive of 2002 “limited websites’ ability to use data on consumers’ past browsing behavior … [limiting] advertisers’ ability to show ads to consumers who were likely to be influenced by the advertising message” (Goldfarb and Tucker 2011, 59).
By requiring customers’ consent, the Privacy Directive curtailed the use of web-bugs that allow advertisers to track customers remotely (see Recital 24, PD 2002). It also regulated cookies, imposing the condition that “users are provided with clear and precise information … about the purposes of cookies” (Recital 25, PD 2002). The early cookie regulations proposed by the EU obliged companies to obtain user consent, which was costly for the companies. Goldfarb and Tucker (2011, 61) report how “in confidential discussions, executives at two large European companies suggested that explicitly obtaining user consent to be tracked online costs around 15 euros per user in administrative costs and promotional incentives.”
A third type of data harvesting discussed by Goldfarb & Tucker is the collection of clickstream data. It involves the tracking, analysis, and recording of user activities during web browsing sessions, including how long users spend on specific webpages and the users’ IP address. This kind of data harvesting is not explicitly discussed in the Privacy Directive, however, making it unclear whether clickstream data should be categorized as personal data. Goldfarb and Tucker (2011, 63) conclude that the “lack of clarity in whether or how the Privacy Directive applies to clickstream data therefore adds another challenge to online ad targeting beyond [restrictions on] web bugs and cookies.” The GDPR was adopted to remedy such ambiguity and included the proclaimed aim to strengthen the protection of citizens’ data.
The GDPR regulates how and under which conditions personal data can be lawfully processed. The first of six legal bases for the processing of data is consent from the data subject to the use of personal data. The others are contracts, legal obligations, vital interests of the data subject or others, tasks of public interest, and legitimate interests of the controller (see article 6, GDPR 2016). But digital advertising can only draw on consent as a legal basis for use of personal data. Processing of personal data can be manual or automated and implies a whole range of usage of the data, such as collecting, recording, alteration, retrieval, disclosure by transmission, and dissemination “or otherwise making available” (article 4.2, GDPR 2016). It is striking that the GDPR does not explicitly mention how it regulates the online advertising industry’s personal data processing. Instead, the act of processing and trading in personal data is shrouded in the vague terminology of “otherwise making available.”
Recital 4 of the preamble to the GDPR echoes the Data Protection Directive of 1995, as it declares that “processing of personal data should be designed to serve mankind.” But contrary to the DPD’s explicit prioritization of data protection and citizens’ rights, the GDPR states: “The right to the protection of personal data is not an absolute right; it must be … balanced against other fundamental rights.” Among those rights is “the freedom to conduct a business” (Recital 4, GDPR 2016). The GDPR balances the free market and citizens’ rights in article 6 by declaring that personal data can be processed and traded as a commodity in the digital advertising industry if and only if the data subject (e.g., the citizen) has consented to it. Thus, according to the GDPR, data protection of EU citizens is to a large degree dependent on the individual choice of users, who may consent to or deny the commercial use of their data.
Consent as a Legal Basis for the Processing of Data in the GDPR
The concept of consent plays a key role in Western political thought. The rule of law in democratic states is founded on the ideal of consent: citizens participate in the process of lawmaking by casting their vote and deciding who shall be lawmakers, just as running for democratic office is open to all citizens. Participation in free and lawful elections implies giving consent to the process of lawmaking and obliges citizens to follow the laws (see Johnson 2009). Consent also applies to relations between citizens. Through consent citizens transfer rights and duties to each other. As Hurd (1996, 123) notices, consent functions “to make an action right when it would otherwise be wrong. For example, consent turns a trespass into a dinner party; a battery into a handshake; a theft into a gift; an invasion of privacy into an intimate moment.”
Basically, the act of consent implies that one individual freely and knowingly bestows on another the right to do something that would be unlawful without consent. Hurd’s examples concern actions that take place in the physical environment. The individuals involved can see and understand the interaction. Even if it may not be a straightforward matter to decide afterward whether consent was given, the difficulty does not lie in understanding what right was or was not transferred by the act of consent. In Hurd’s examples, individuals may disagree on whether consent was obtained or on the scope of the given consent.
The GDPR taps into this understanding. According to the GDPR, “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her” (article 4.11, GDPR 2016). The GDPR clarifies that prior to giving consent, the data subject must have access to relevant information about the processing of personal data, including the “purposes of the processing for which the personal data are intended” (article 13.1.c., GDPR 2016). The data subject possesses “the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data” (article 15, GDPR 2016) and the “right to … the rectification of inaccurate personal data concerning him or her” (article 16, GDPR 2016), as well as the “right to be forgotten” (article 17, GDPR 2016). These qualifications and rights comprise regulatory measures to establish that the data subject is enlightened and knowledgeable about the implications of giving consent. They place several restrictions on the controllers of data. Regardless of how the data subject relates to the request, the controller should – if the law is strictly followed – have met in advance the legal framework’s restrictions concerning the act of requesting consent. However, because the processing and commercialization of personal data is not visible on the user’s interface but is encoded in the possibilities of the software, far out of the sight of users, the question of consent to data processing becomes highly abstract and difficult to comprehend.
In the 2020 European Strategy for Data, the Commission recognizes that individuals may face difficulties such as “risks of discrimination, unfair practices and ‘lock-in’ effects” (Data Strategy 2020, 10) when trying to make use of the rights of the GDPR. This concession shines a bleaker light on the claim that the GDPR in and of itself guarantees a trustworthy digital environment. As an ameliorating act, the Commission suggests further support of digital NGOs, such as MyData (mydata.org) and the EU funded DeCodeProject (DeCode), that raise “calls to give individuals the tools and means to decide at a granular level what is done with their data” (Data Strategy 2020, 10). Besides raising awareness about data protection issues, these NGOs develop consent management tools and personal information management apps to relieve the individual from the burdens of comprehending and administering how her data are used online by other actors. The Commission underlined in 2020 that “such tools are still in their infancy, although they have significant potential and need a supportive environment” (Data Strategy 2020, 10).
The Data Governance Act (DGA 2022) and the Data Act (DA 2023) are meant to alleviate consent procedures. The DGA aims to “promote trust and bring additional legal certainty to the process of granting and withdrawing consent” (Recital 52, DGA 2022), and the DA seeks to “strengthen trust in data sharing” (Recital 52, 2023). The DGA is projected to promote tools that allow individuals to control what happens with their data by creating “data intermediation services” (article 10, DGA 2022), but currently it is judicially unsettled whether such “data trusts” can make it permissible “under the GDPR for data subjects to delegate these decisions [of declaring consent] to third-party fiduciaries” (Ditfurth and Lienemann 2022, 275 – see also Veale 2025, 248, who argues that the DGA is a “largely unhelpful act” when it comes to giving “individuals real agency”). The proposed Digital Omnibus is meant to simplify the regulations, as “a regulatory solution of the consent fatigue and proliferation of cookies banners is long-overdue” (DO 2025, 6), and would enable such delegation of consent decisions (see DO 2025, 8). Until the DO is passed as law, the GDPR is the most basic regulation regarding the right of EU citizens to data protection (see article 1.3, DGA 2022 and article 1.5, DA 2023). For that reason, I concentrate on the way the GDPR has established “a solid framework for digital trust,” according to the Commission’s Data Strategy of 2020.
The Fiction of Consent to Data Processing
While consent is a relatively straightforward matter in the physical environment, it is less clear what the legal act of transferring consent signifies in the digital information environment. The GDPR regulates both simple actions, such as a travel agency’s handling of its customers’ passports for the purpose of buying tickets, as well as the much more complicated but commonplace situations of an individual browsing webpages and being asked to consent to the use of cookies, or to the terms and conditions of an internet service, such as a social media platform, or of a device with internet access, such as a watch, a car, or a robot vacuum cleaner.
A recurring criticism of the various legal frameworks regulating data subjects’ actions regarding the processing of personal data concerns the fiction of enlightened users and rational decisions. Before the adoption of the GDPR, Schermer and colleagues (2014, 171) pointed out that “there seems to be a disconnect between the legal theory, which presupposes a rational, informed data subject who makes conscious decisions, and the current practice in which data subjects simply agree to almost all consent requests.” This challenge endures in the GDPR. The regulatory tool of consent to data processing assumes that users of webpages, smart devices, and apps know or can obtain the necessary knowledge about how their data are processed. But as Solove (2021, 5) has argued, the ideal of the individual self-managing her data is a “vast, complex and never-ending project that does not scale.” The problem starts with the user having inadequate information about what her data will be used for. It multiplies as this inadequacy is not restricted to the original webpage, smart device, or app that initially asked for consent to process and share data but also includes the 100 or more other companies in the chain of trading partners that will access the data. The difficulty of understanding the complexity of the digital infrastructures trading in personal data implies that the data subject’s consent most often does not reflect a rational and informed choice. Solove (2024, 597) argues that the legitimacy provided by consent under such circumstances “is unwarranted, creating a dangerous situation because it confers power where power ought not to be given.” That data subjects often consent to share their personal data by default can, according to Solove (2024, 632), be gleaned from experience with the GDPR: “After GDPR, more people were informed about cookies and more people accepted them. But below the surface, there is a more sinister story; people are not suddenly consenting more to cookies. They are clicking to make the cookie pop-up go away.”
Click Fatigue
The European Data Protection Board (EDPB) confirms Solove’s sinister story in a guideline on consent published in May 2020. The board states that the “multiple consent requests that need answers through clicks and swipes every day … may result in a certain degree of click fatigue: when encountered too many times, the actual warning effect of consent mechanisms is diminishing” (EDPB Guidelines 2020, 19). The EDPB underlines that personal data may be necessary for many digital services, and in such cases the processing can be legally justified according to any of the other five legal bases in the GDPR, for example in the context of a contract between a customer and a business, and explicit consent is not required. Thus, situations where data subjects experience “click fatigue” must involve the processing of personal data for commercial use, which can only be made legal by the data subject’s explicit consent. The EDPB concedes that the many clicks requested for commercial purposes may lead data subjects to click on various consent requests without thereby making a rational or informed choice about their data protection.
The idea that under the auspices of the GDPR, requests for consent to process data through cookie banners and terms and conditions function as warnings to users is difficult to uphold when examined empirically. A 2021 study reports that 40% of all Danes do not think they possess the necessary insights to decide which data they should share with others (Analyse and Tal 2023, 7). Furthermore, recurring high-risk data leaks indicate that not only ordinary citizens but also professionals have a hard time understanding what consent to the processing of personal data may involve. In 2018 the online magazine Wired ran a story revealing how Western military bases could be located through data trails from the fitness tracker Strava. This story was repeated in 2025, as Swedish media discovered that by analyzing public data provided by Strava they could track the movements of security personnel, which inadvertently reveal the daily routines of the Swedish politicians they are supposed to guard (see SVT 2025; Wired 2018).
The GDPR, § 15, gives data subjects the right to access information about them stored by private companies and public institutions. In a 2023 study, researchers evoked this right for 8 Danish adults, obtaining between 1.000 and 100.000 files of varying length collected on each participant (Analyse and Tal 2023, 12). 82% of the data was inadvertently shared data stemming from updates of apps or registration of location data. The experiment led the researchers to “question whether acceptance of terms and conditions and cookie settings can be understood as informed consent. It is common for our participants … that they are not aware of what data is being collected about them. And even less aware of what this data is used for” (Analyse and Tal 2023, 13 – my translation). Experience thus indicates that as a tool to empower citizens to exercise their right to control the flow of their personal data, the GDPR and consent mechanisms have achieved only partial success.
Enforcement of the GDPR
The soundness of asking data subjects to exercise their rights by responding to consent requests, along with the validity of the Commission’s claim that the GDPR has created a “solid framework for digital trust,” ultimately depends on the enforcement of the regulation. According to Gentile and Lynskey (2022, 800), the GDPR is in fact under-enforced, and a major reason is “the very design of the composite decision-making procedures it necessitates.” The request for data pertaining to the 8 participants in the above-mentioned study discloses in a palpable manner one of the difficulties in enforcing the GDPR. Out of 55 companies and institutions, 31 returned data files within the 1-month limit set by the GDPR and 4 did not collect data, leaving 20 companies and public institutions that did not comply with the request (Analyse and Tal 2023, 22–24). The study underscores how the rights given to data subjects in the GDPR are not easy to exercise, and the restrictions put on data controllers are not always enforced stringently. One reason for this laxity is the vast network of partners interacting within the complex digital information environment and the rather limited resources allocated to oversee it.
The data protection authorities (DPAs) in each EU member country are crucial when it comes to maintaining oversight and compliance with the GDPR. Their chief task is to apply the GDPR in each country, making the DPAs an important hub for knowledge about the GDPR and its implementation. In a recent interview study involving 16 DPAs, all uniformly expressed concern about the challenges posed by digital technologies “to democratic rights and freedoms.” Among the threats they identified were data breaches and the ensuing “manipulation of votes in ways akin to the Cambridge Analytica case … the erosion of rights in periods of crisis, such as during the Covid-19 pandemic … [and] the use of profiling to try to manipulate people to behave in certain ways such as advertising” (Padden and Öjehag-Pettersson 2024, 5). According to one DPA, a close reading and stringent enforcement of “the GDPR to its full extent … would render industries like the Adtech sector non-existent” (Padden and Öjehag-Pettersson 2024, 7 – incl. succeeding quotes). In its present shape, however, the DPA maintained that “The entire system is a data breach, basically” and acknowledged that “some DPAs probably, and most politicians, see their job as being pragmatic, as finding the best balance” instead of pushing for rigorous enforcement. This observation was corroborated by Gentile and Lynskey (2022, 810), who analyzed how the Irish DPA in 2021 in a lawsuit against Twitter considered it “within its discretion to limit the scope of the inquiry,” resulting in the imposition of a fine of 450.000 Euro on Twitter – a much smaller amount than other DPAs advised.
Notably, every DPA regarded an increase in the number of citizens’ complaints of infringements of their data protection rights as one of their most significant achievements. They “expressed the view that increased awareness of one’s rights is an essential precursor to an individual taking steps to redress any suspected transgression under Article 6 of the GDPR” (Padden and Öjehag-Pettersson 2024, 9). The emphasis on citizens’ complaints as the route to the enforcement of data protection rights highlights how the GDPR, through the legal tool of consent, holds individual citizens responsible for the management of commercial data flows and the trade in personal data. This responsibility is arguably disproportionate. One DPA underscored that increased transparency might be a path forward, as it is “necessary to build trust: ‘It’s possible that sometimes practices are not transparent enough to make you [the data subject] understand what goes on. But they should be, because transparency is one of the most important principles about data protection’” (Padden and Öjehag-Pettersson 2024, 10). To further examine these claims and analyze to what extent the GDPR has created digital trust, I turn to the Kantian conception of trust.
Understanding Digital Trust From a Kantian Perspective
When EU regulators invoke the concept of trust, it comes without a clear definition. The EU Commission’s declaration in 2020 that the GDPR created “a solid framework for digital trust” leaves the reader wondering what digital trust means. A year earlier, when the EU High-Level Expert Group on AI published recommendations under the title Ethics Guidelines for Trustworthy AI, it likewise did not include a definition of trustworthiness. The experts simply asserted, “Trustworthiness is a prerequisite for people and societies to develop, deploy and use AI systems” (AI HLEG 2019, 4). These two examples highlight the value that the EU assigns to trust and trustworthiness while leaving the concept undefined. Evidently trust and trustworthiness are invoked as values to be promoted through EU lawmaking. Hence, a first step towards clarifying the meaning of trust within the EU system is to focus on institutional trust as it is upheld by legislation (Luhmann 1968). Whether laws can create trust in the digital information environment or, more specifically, make technology such as AI trustworthy hinges on the ability of the institutions creating and upholding the laws to establish a social environment in which all interacting partners acquire a common practice (Bachmann 2022).
When theorizing how legislation functions, the consequentialist tradition stemming from Jeremy Bentham and the Kantian rights-based tradition are two influential and opposing interpretations. The chief difference between these traditions with respect to the ability of a law to build trust concerns the ultimate purpose of laws in general. In the consequentialist tradition, the necessity of stable laws must be weighed against “the principle of utility as the sole and sovereign rational decision principle” (Postema 2019, 147), leading to the view that “certain exceptions [to established laws] may be made in some cases, without injuring or detracting from a rule of Natural Justice” (Bentham quoted in Postema 2019, 153). The Kantian view, on the other hand, defines the purpose of laws as the provision of reciprocal conditions for action by bestowing rights and duties on all affected persons.
The Kantian view equates the Utilitarian position with a pragmatic view on trust (see Pedersen and Mieli 2025). Pragmatic trust relations align with rational self-interest. When we pragmatically place trust and exhibit trustworthiness, we engage in cost-benefit analyses and strive to calculate the chance of gaining a better outcome from the collaboration. Like hypothetical imperatives, pragmatic relations of trust are indifferent to the moral worth of the pursued goal. They can be cultivated just as well between criminals and saints. Pragmatic trust relations are contrasted with and measured against moral trust. Moral trust shifts the focus from the material outcome of a collaboration to a reflection on the reciprocal conditions for action that are enabled through the trust relation. The perspective of moral trust supplies a principle for the evaluation of any pragmatic trust relation. Kant insisted that our moral agency goes beyond the rational calculation of interests to a view of the human being as a responsible being who may act against apparent self-interest out of respect for the autonomy and dignity of others and oneself (see Kant 1793, AA 6, 26). To engage in moral relations of trust entails setting the potential benefits of interacting with others in brackets if those benefits could only be obtained by disregarding the autonomy and dignity of others or oneself.
By asking whether specific pragmatic trust relations are morally warranted, we question the pragmatic endeavors from a moral point of view rather than seeking to understand the material gains we achieve. Legislation can be said to promote either pragmatic or moral trust depending on its purpose. If legislation is introduced to increase material beneficial consequences for a group of actors, it establishes relations of pragmatic trust. In contrast, if legislation is introduced to produce reciprocal rights and duties that demarcate the legality of actions independently of material gains, it aspires to create moral trust. The Kantian position underlines that legislation which produces reciprocal rights and duties is an approximation of justice. If legislation, on the other hand, promotes optimization of material interests as its primary purpose, it does not move beyond a relative principle of cost-benefit analysis and cannot from a Kantian point of view be understood as just legislation. From this vantage point, we may ask whether the EU framework for digital trust is based on an ideal of justice and moral trust or cost-benefit optimization and pragmatic trust.
The GDPR as a Form of Traffic Law
The Kantian view on how just legislation creates trust can be illustrated through traffic legislation. It enables pedestrians, bicycle riders, and car drivers alike to predict how others will act, thus making them trustworthy road users. The traffic law has been institutionalized in signs and marks on the roads as well as in the actions of the police and court system. Everybody ideally behaves by adhering to the rights and duties bestowed upon them as a particular type of road user. A Kantian conception of lawmaking highlights that in creating and enforcing traffic laws, the state provides the conditions of equal freedom to all potential road users (Ripstein 2009, 237–240). This type of legislation is conducive to moral trust relations because traffic law is a principled answer to a question of collective action: How can thousands of road users with different strengths and vulnerabilities move simultaneously and share the public good of roads? Each type of road user acquires a right and the ensuing freedom to move only by accepting the obligation to respect other road users’ rights and freedom to move. The institutional trust emerging from the traffic law is one of reciprocal predictability and assurance that if a road user violates the traffic law, the transgression is countered by some kind of penalty.
According to the Kantian tradition, citizens in democratic states have an obligation to trust the public institutions because the state and its laws constitute the necessary condition for the procurement of every citizen’s inherent right to freedom (Kant 1797, AA 6, 237 – see Myskja 2024, 23). In the example of traffic laws, the state authorizes public rights which are at the disposal of all, as the public rules regulating the roads are constituent parts of a system that guarantees the accessibility of all (Ripstein 2009, 250). The state can mandate compliance with its laws because this mandatory cooperation is required to enable equal freedom of action for all citizens. If an individual deems the laws unjust, she can publicly argue her case and try to convince others, vote for specific politicians, or run for office on election day, and in this cumbersome way work to improve the legislation.
The EU Commission’s assertion that the GDPR created “a solid framework of digital trust” can to some extent be understood according to the traffic law analogy. The digital information environment regulated by the GDPR, however, is much more complex than the physical network of roads. It includes an inherent asymmetry between the data subjects who wish to use the internet with its webpages, apps, and connected devices and the data controllers who, among others (such as computer engineers and capital investors), decide how the digital information environment functions behind the user interfaces. Another complicating feature is the concept of consent. Through consent, the data subjects are given the possibility to co-decide the make-up of the digital information environment with the data controllers. What without consent would amount to theft of personal data turns into consensual sharing of data. As noted, article 6 of the GDPR restricts consent to cases where processing of personal data has not been made legal either through a contract, a legal obligation, a vital interest of the data subject, a public interest, or a legitimate obligation of the data controller. Within these restrictions, the GDPR encourages the free flow of data, and businesses build on that data.
The public rights and duties bestowed on the data subject and data controller are different in type. The former has the right to protection of personal data, and a duty to make informed decisions concerning consent to data sharing. The data controller has the right to use personal data provided by the data subject under the condition of consent. The duties assigned to data controllers and other digital service providers concern how they actively work to design and sustain a digital information environment in compliance with data protection as defined by the GDPR. Digital businesses and institutions are obligated by an array of duties to certify that the requests they make of data subjects to consent to data sharing abide by the restrictions prescribed by the GDPR. This is supposed to level the data subject’s right to data protection and the controller’s right to request consent to process data.
Whereas citizens are morally obliged to trust the institution of traffic regulations because they create equal public rights for all, it is trickier to determine the relations of trust in the GDPR. Ideally, the data controllers are obliged to comply with the restrictions on requests for consent from individual data subjects. But as noted above, this is not always the case. The only obligations attached to the data subject by the GDPR concern the decision whether to share data with the controller and the vaguer duty to trust that the GDPR enables the data subject to make rational and informed decisions concerning consent to data sharing.
The EU Recommendation to Trust
The question whether EU citizens have an obligation to trust the regulation of the digital information environment established by the EU through the GDPR concerns the conditions under which citizens are asked to grant or withhold their consent to share data with controllers. If the GDPR bestows and enforces reciprocal, understandable, and public rights and duties on data subjects and controllers alike, citizens have an obligation to trust. The crux of the matter is the balance EU strikes between the right to data protection of its citizens and the digital technology companies’ right to conduct a business by means of the free flow of data. In the Critique of Practical Reason, Kant offers an example of a recommendation to trust which obviously cannot be taken seriously because the recommender vouches for a discernibly untrustworthy person. With a little adjustment, we can use it to explore the trust relations between the EU Commission, the tech companies as data controllers, and the EU citizens as data subjects. Kant writes (and I adjust in Suppose someone
The question is whether the GDPR has ensured that the digital companies acting as data controllers are, in the wording of the GDPR, trustworthy data stewards. If yes, then citizens have – from a Kantian point of view – an obligation to trust the data controllers’ stewardship of their personal data because it approximates moral trust and justice. If data controllers are not trustworthy data stewards, it would amount to making a fool of the citizens as data subjects to ask them to entrust the digital companies with their personal data. In this case the EU would have proposed a regulation advantageous to businesses at the expense of citizens in the role of data subjects. The EU legislation would thereby not create equal public rights and duties but an unlevel playing field by creating a pragmatic relation of trust in the digital companies and elevating the benefit of the digital economy over the rights of citizens – a cost-benefit optimization of the digital economy at the expense of citizens’ rights to data protection. Alternatively, the EU should be understood as having lost their mind by surrendering the EU institutions’ regulative powers as well as the digital rights of citizens to tech companies and their optimization of commercial gains. In both cases, the data subjects ought not to consent to the processing of their personal data but ought to demand the EU to repeal the regulation.
The EU’s Pragmatic Trust in Data as the New Gold
In 2010 the Commission published a high-profile communication called A Digital Agenda for Europe with the proclaimed aim “to deliver sustainable economic and social benefits from a digital single market” (Digital Agenda 2010, 3). Written in the wake of the 2008 financial crisis, which according to the Commission “wiped out years of economic and social progress and exposed structural weaknesses in Europe’s economy,” the Digital Agenda was launched “to exit the crisis and prepare the EU economy for the challenges of the next decade” (Digital Agenda 2010, 3). Economic growth became the primary goal of the EU’s regulatory efforts in relation to the digital information environment. Enabling the borderless internet to set up an online market without regulatory fragmentation was highlighted as a win for the EU, private companies, and consumers alike. The claim was that without new (de-)regulation, consumers cannot reap “the gains of price and choice … because online transactions are too complicated” (Digital Agenda 2010, 10).
According to the Commission in 2010, the modernization of the EU regulations was necessary to clarify citizens’ digital rights, since the rights that citizens enjoy with relevance to the digital environment “are scattered across various laws and are not always easy to grasp” (Digital Agenda 2010, 11). This observation was combined with the contention that “a lack of trust in the online environment is meanwhile seriously hampering the development of Europe’s online economy” (Digital Agenda 2010, 12). Citing “payment security concerns, privacy concerns, and trust concerns” as the top reasons why people “did not order online,” the Commission pushed to “modernize all relevant legal instruments to meet the challenges of globalization and to create technology neutral ways of enhancing trust and confidence by strengthening citizens’ rights” (Digital Agenda 2010, 12). The Commission further proclaimed that “Europeans will not embrace technology they do not trust – the digital age is neither ‘big brother’ nor ‘cyber wild west’” (Digital Agenda 2010, 16). The result was a Commission that prioritized the economic benefits of an interoperable digital single market over citizens’ rights to privacy and data protection.
The precedence given to economic growth over citizens’ rights was made blatantly evident in the EU launch of the Digital Agenda under the heading “Data is the New Gold” in December 2011. Neelie Kroes, vice-president of the European Commission responsible for the Digital Agenda, declared: “Web entrepreneurs assemble and sell content and applications and advertising, based on data. With those efforts they make our lives more convenient and they keep authorities accountable” (Kroes 2011, 2). The statement indicates that the EU Commission in 2011 did place pragmatic trust in the digital tech companies as trustworthy data stewards, thereby not only enhancing convenience for users but also keeping authorities accountable. Kroes professed that the EU Commission’s new regulatory efforts “can drastically increase the efforts for those web entrepreneurs” (Kroes 2011, 2). In the words of the launch speech: “We will boost business opportunities very substantially” (Kroes 2011, 3). To top it all off, Kroes ended by declaring: “the real message I want to send to public authorities today is: don’t wait for this package to become law. You can give your data away now – and generate revenue and jobs, and even save money from the better information and decisions that will flow. … In short, ladies and gentlemen, my message today is that data is gold. We have a huge goldmine in public administration. Let’s start mining it. Start releasing your data now. Join the future. Join the growth” (Kroes 2011, 3).
Kroes’s speech suggests that the EU Commission did believe in the benefit from deregulation and data mining for commercial purposes as a path to economic growth. Thus, in 2011 – and before the GDPR – the EU Commission had moved beyond the original Data Protection Directive of 1995, in which citizens’ rights took precedence over commercial interests. With the 2011 Digital Agenda, the EU squarely placed pragmatic trust in the tech companies and the data driven digital economy as a beneficial development. The large breaches of trust in this common advantage that were exposed by the Snowden revelations in 2012 and the Cambridge Analytica Scandal in 2016 accentuate the risk entailed in the EU’s pragmatic trust in the digital economy’s ability to self-regulate and create trustworthy data controllers. From a Kantian point of view, the 2011 recommendations from the EU Commission to trust private digital companies with the stewardship of EU citizens’ data is bluntly a pragmatic trust rooted in increased economic outcome, customer convenience, and the tech industry’s constructive self-regulation, with benefits distributed to states, industry, and citizens/consumers alike. As a crude cost-benefit optimization of the advantages of letting the industry set its own rules without regard for citizens’ rights to data protection, it cannot be endorsed. It did not create equal public rights and duties for citizens and digital businesses but relied on the idea that cheap consumer prizes and easy access to online services would be advantageous enough to cancel out any problems with privacy and data protection rights. The question is whether the implementation of the GDPR, along with the tightening of its data protection regulations in 2018 and the subsequent proposal of the Digital Omnibus in 2025, has succeeded in overturning the EU’s almost blind trust in the industry’s self-regulation. To assess the EU’s success in regulating data flows for the benefit of citizens’ rights, a closer look at the GDPR, its enforcement, and the revisions proposed in the Digital Omnibus is needed.
Although the Commission and the EU Parliament in 2025 are hoping that the Digital Omnibus’ simplification of existing regulations will yield gains similar to those achieved by the Digital Agenda, it is noteworthy that trust is less central in the argumentation. Over the course of the proposal’s 153 pages, trust is mentioned only three times. The proposal states that the amendments of the Digital Omnibus “seek to cut direct costs on businesses and authorities, observing that the same regulatory objectives can be reached with lower burdens … For example, the mandatory regime for data intermediary services provided for in … the Data Governance Act is transformed into a voluntary, trust-enhancing regime…” (DO 2025, 11). These regulatory simplifications are meant to reduce administrative burdens on companies, while the building of trust relations will depend on voluntary efforts from those same companies. Thus, it seems that the Commission and the EU Parliament are once again proposing the path of deregulation and pragmatic trust in the beneficial outcomes of companies’ unfettered development of for-profit business models in the digital information environment.
Restrictions on Data Flows Through the GDPR and Their Enforcement
The adoption of the GDPR in 2016 resolved the problem identified in the Digital Agenda, namely that the legislation enhancing citizens’ rights to data protection passed by the EU was scattered over various legal texts. The GDPR is an ambitious law, and article 6, which defines when the processing of personal data is legal, is especially crucial for creating trust in the digital information environment. As mentioned earlier, one DPA in the 2024 interview study declared that in principle “the GDPR renders the entire AdTech industry illegal.” This statement is backed by a legal decision issued by the Belgian Data Protection Authority in February 2022 concerning real-time bidding advertising.
Real-time bidding (RTB) or programmatic advertising is the main avenue for the commercial processing and trading of personal data and enables targeted advertising in all its different disguises, ranging from ads for products over fundraising campaigns to the promotion of specific content in online political advertisements. Its complex digital structure is kept hidden in the proprietary walled gardens of especially Google and IAB. Through a combination of empirical computer science and legal scholarship, Veale and Borgesius (2022) have constructed an outline of the crucial parts of RTB. The main components are the tracking and mining of personal data by webpages, digital devices, and apps with the intent to sell the harvested data in programmatically automated auctions. The sold and bought data are fundamental to where and which ads are shown to users in real time. When the user interacts with an interface, the publisher of that interface collects data that is put up for bid on either Google’s Authorized Buyers or IAB’s OpenRTB auctions. The vast amount of data is managed by data management platforms (Cambridge Analytica is an infamous example) that analyze the data and sell it to advertisers participating in the auctions.
An important element in the complex infrastructure of programmatic advertising, which is completely invisible to the users of digital services, is the array of multiple actors involved in the processing and selling of data that “is designed to identify and profile individual users” (Veale and Borgesius 2022, 234). The profiling of individuals implies that the activity of auctioning personal data in programmatic advertisement should be regulated within the GDPR, as the Belgian DPA’s 2022 case against IAB Europe demonstrates. But the opaque mechanisms of programmatic advertising also entail that ordinary users are unable to understand what happens with their personal data, making the idea that data subjects can control their data through consent highly fictitious. According to Finck (2021, 334), the trade in personal data in the digital economy has led to “the design of complex cobwebs of control [of personal data] the principal purpose of which is to complicate enforcement.” An example hereof is the IAB, which underscores that its “record growth reflects the industry’s ability to adapt to evolving technologies, regulatory changes, and shifting consumer behaviors” (IAB 2025, 4). In response to the implementation of the GDPR, in 2018 IAB Europe created a “Transparency & Consent Framework (TCF) … aimed to provide the necessary legal basis for the data processing as part of RTB to continue” (Veale et al. 2022, 13), without IAB Europe itself taking responsibility as a data controller. Nevertheless, the Belgian DPA ruled that “IAB Europe is acting as a data controller” and “identified a series of GDPR infringements” (BE DPA 2022).
The backdrop of the Belgian DPA’s decision was a series of complaints about the practice of real-time bidding performed by various actors in the AdTech industry that citizens filed with DPAs in 13 EU countries and one in the UK. Veale et al. (2022, 14) laud the decision as a hallmark because “the Belgian DPA has started to sketch out the roles of the many different actors in the RTB ecosystem and envisage some clearer allocation of responsibilities … While DPAs have long been grabbling different bits of the metaphorical elephant, arguably now for the first time they have a formal decision that can serve as a blueprint for what the RTB elephant looks like as a whole.” The case also corroborates that citizens’ awareness of their rights and complaints of infringement can nudge the industry toward better data protection, as DPAs in the interview study underscored (Padden and Öjehag-Pettersson 2024, 9). But asking citizens to file lawsuits to obtain what from the outset ought to have been a public right amounts to asking pedestrians to ensure that cars do not go through red lights by filing private lawsuits against the drivers. Traffic is not regulated by citizens themselves but by the enforcement of traffic laws ab initio. The GDPR is only enforced ex post through lawsuits. This is neither desirable nor necessary. Finck (2021, 346) argues for a stringent and ab initio enforcement of articles 24 and 25 of the GDPR on the grounds that requiring data controllers to take responsibility for data processing and commanding the implementation of data protection in all online services and devices by design and by default could ensure that “data subjects benefit from complete and effective protection.”
IAB Europe’s appeal has resulted in a half win for the Belgian DPA and IAB Europe, as the appeal court confirmed that IAB Europe was liable to GDPR infringements and upheld the imposed fine of 250.000 Euros but simultaneously limited IAB Europe’s responsibilities to the processing operations directly governed by its own TCF software. It thereby disagreed with the first court’s finding that IAB Europe was responsible for the entire processing chain under the OpenRTB protocol used by the digital advertising ecosystem (see DPA-BE 2025). Consequently, the appeal ruling is not the watershed moment for real-time bidding that some NGOs had hoped for. The Belgian case demonstrates that the enforcement of the GDPR is dependent on the coordination of citizens’ complaints and proactive DPAs willing to file suits against the tech industry.
Did the GDPR Create a Framework for Pragmatic or Moral Trust?
From the Kantian perspective, the claim that the GDPR creates a “solid framework of digital trust” can be interpreted in two ways. It can be understood as the EU Commission’s way of dressing up its pragmatic trust in the mutual benefit to states, companies, and citizens of the free flow and commercial use of data in the digital information environment. If this is the case, the Commission is making a laughingstock of the high ideals of data protection promised to citizens if the GDPR lacks enforcement. Kant would emphasize how the Commission is vouching for untrustworthy data stewards which amounts to making a fool out of citizens who through consent entrust tech companies with their data. If the GDPR, on the other hand, is understood as a regulation that gives equal public rights to citizens and tech companies alike by defining the circumstances under which data controllers may ask data subjects for consent to process personal data, it could be a regulation that promotes moral trust in the just laws of the EU. Just after the Belgian court in 2022 made IAB Europe responsible as data controller for the whole chain of processing personal data, Veale et al. (2022, 22) expressed hope that the decision could “give impetus for alternative advertising logics that have been pushed to the margins because of the hegemony of real-time bidding to re-emerge, such as contextual advertising, user elicitation of advertising, or subscription models.” However, the appeal court’s decision that IAB Europe is only responsible for part of the chain of data processing downplays the implications for real-time bidding. Thus, the appeal ruling also downplays the need to regulate when and how digital advertisers may lawfully ask individual users for consent to data sharing.
From the Kantian point of view, the potential of the GDPR to create a trustworthy digital information environment can only be achieved if data protection by design and by default is demanded before any digital service is allowed to operate, just as vehicles have to pass tests before they are declared roadworthy and drivers of motor vehicles have to pass a test certifying that they know the traffic laws. The GDPR would have to ensure that requests to consent to share personal data are only addressed to data subjects in situations where an ordinary citizen really does understand what the data is used for. It would also require tech companies operating in and developing the infrastructure of the digital information environment to ask for GDPR conformity approval of their new designs, devices, and tools. Only if the GDPR was stringently enforced could the EU legislators’ recommendation (Data Strategy 2020) that citizens should trust that the GDPR has created a solid framework for trust be endorsed. As this is currently not the case, the recommendation to citizens to trust the digital information environment can at best be described as a form of pragmatic trust that prioritizes the growth of the digital economy over the safeguarding of citizens’ digital rights.
As long as citizens qua data subjects are asked to manage requests for consent to sharing of personal data without understanding the implications of their consent, the EU’s recommendation to trust tech companies as data stewards is indeed making a fool of its citizens. With the proposed Digital Omnibus regulation this course is speeded up, as a “more cost-effective and innovation-friendly implementation of our [the EU’s] rules” (DO 2025, 1) is promised. While the 2010 Digital Agenda was optimistically calling businesses to reap the new gold of data, the 2025 Digital Omnibus is more tempered in its appraisal of the added value “of EUR 791 billion across the EU in 2022” stemming from the ICT sector. The message, however, is the same. To acquire even more economic value, the existing regulations should be amended “to bring immediate relief to businesses, public administrations, and citizens alike, to stimulate competitiveness” (DO 2025, 2). The Commission and the EU Parliament have decided to mandate a pragmatic trust in the benefit to all of the commercial digital information environment. Now that artificial intelligence has become the new frontier for development, the refusal to regulate the use of personal data for training indicates a reiteration of the difficulties of regulating the industry of digital advertisement and data profiling. Whether the EU legislators lost their mind when they put pragmatic trust in the benefits of entrusting private digital companies with the stewardship not only of consumers’ data but of the entire digital information environment, including data from almost all public institutions, future developments in the EU as well as globally will tell.
Footnotes
Funding
The author disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Research funded by Velux Foundation: VEL56607.
Declaration of Conflicting Interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
