GDPR’s Impact One Year Later
The General Data Protection Regulation (GDPR) granted Europeans unprecedented rights to control their own data, including the controversial “right to be forgotten.” The GDPR has been in effect for a year now, but what’s been the overall impact?
One thing is certain: There’s been no shortage of complaints around GDPR. According to a February survey by DLA Piper, there have been 59,000 complaints of data breaches in violation of GDPR since the law went into effect in May 2018. However, the same report found that only 91 fines have been handed out.
The biggest fines have been handed out to social media giants, like Google and Facebook. In January, Google was fined $56.8 million (€50 million) by the French data regulator CNIL for failing to sufficiently inform consumers about collecting data used in online ads, citing a “lack of transparency, inadequate information and lack of valid consent to personalize advertising.”
Facebook is also bracing for possible GDPR fines as a result of a 2018 data breach, among other potential problems. The social media giant has stockpiled a reported $3 billion to pay Federal Trade Commission (FTC) fines that are expected as a result of its handling of the Cambridge Analytica scandal in 2016.
But overall thus far, the GDPR hammer hasn’t come down to the extent that many expect it eventually will, so the jury is still out on that aspect of the regulation.
For example, in the United States, only 27% of companies are fully compliant with GDPR, according to an April study from PossibleNOW, a provider of consent solutions. Some companies struggled with GDPR’s requirements around access rules, while others struggled with the mandate that companies receive the consent of people before collecting and storing their data.
Most companies that deal with EU citizens are complying with the more basic aspects of GDPR. However, the more difficult requirements of GDPR, such as the need to build “privacy by design” and “privacy by default” into business processes and systems, will likely take years.
GDPR has spawned a number of copycat laws around the world, which is another aspect of the data regulation phenomenon.
For example, Brazil’s Lei Geral de Proteção de Dados (LGPD) is almost a carbon copy of the GDPR. The law, which goes into effect in 2020, requires anybody doing business with Brazilian citizens to abide by it or pay fines that could exceed the equivalent of $10 million.
Japan was actually ahead of the game with its 2017 Act on Protection of Personal Information, and following the enactment of the GDPR, it established a degree of reciprocity with the EU, which has resulted in a “white list” of foreign companies that are allowed to handle the data of Japanese citizens.
Other countries, like India, are in the process of ramping up their own data protection bills. India’s Personal Data Protection Bill is modeled on GDPR and contains provisions around consent and the right to be forgotten.
In the United States, there is no unifying law covering all applicable uses of private consumer data. However, the California Consumer Privacy Act of 2018 (CCPA) will introduce sweeping changes and give Californians broad digital rights when it goes into effect on January 1, 2020.
The recent increase in data protection laws passed around the world has helped fuel the rise of a phenomenon known as data localization, whereby companies must meet a very high bar before they’re allowed to move data about a citizen out of that citizen’s country. Russia and China have strict laws covering data localization, or data sovereignty as it’s often called, and this has created some conflict with American companies.
While Facebook CEO Mark Zuckerberg is not generally considered to be a friend of data privacy, he has strong views on the topic of data localization and the potential harm to the digital freedom that could come from it.
“The most likely alternative to each country adopting something that encodes the freedoms and rights of something like GDPR, in my mind, is the authoritarian model, which is currently being spread, which says every company needs to store everyone’s data locally in data centers,” he told TechCrunch recently. “And then, if I’m a government, I can send my military there and get access to whatever data I want and take that for surveillance or military. I just think that that’s a really bad future.”
GDPR is held up as the model for consumer data protection – even Zuck acknowledges that. But some Europeans are wondering if GDPR may go a tad too far in restricting the use of data and potentially hamstringing Europe’s emerging AI economy. That’s the gist of a report issued last week by the Center for Data Innovation, which has offices in Washington D.C. and Brussels.
“…[W]hile establishing a needed EU-wide privacy framework, [GDPR] will unfortunately inhibit the development and use of AI in Europe, putting firms in the EU at a competitive disadvantage to their North American and Asian competitors,” the group wrote.
Like any law, GDPR will need some tweaks here and there to dial it in, and to adapt to the rapidly changing data landscape. Although it’s not clear yet which changes will be adopted, there are several ways that it could change.
One way it could be changed is to include specific protections for location data. The EU is currently considering a new ePrivacy Regulation, or ePR, that could augment GDPR to set rules on the handling of electronic communications, such as cookies and location data.