In the realm of data protection, a striking disconnect prevails between
traditional domains of doctrinal, legal, theoretical, and policy-based
inquiries and a burgeoning body of empirical evidence. Much of the scholarly
and regulatory discourse remains entrenched in abstract legal principles or
normative frameworks, leaving the empirical landscape uncharted or minimally
engaged. Since the birth of EU data protection law, a modest body of empirical
evidence has been generated but remains widely scattered and unexamined. Such
evidence offers vital insights into the perception, impact, clarity, and
effects of data protection measures but languishes on the periphery,
inadequately integrated into the broader conversation. To make a meaningful
connection, we conduct a comprehensive review and synthesis of empirical
research spanning nearly three decades (1995- March 2022), advocating for a
more robust integration of empirical evidence into the evaluation and review of
the GDPR, while laying a methodological foundation for future empirical
research