Reflections on GDPR Turning Three
It’s been three years since the European Union’s General Data Protection Regulation (GDPR) went into effect, becoming the most visible data regulation in the world. What has been the overall impact of the law? Generally good, industry observers say, but with a few important caveats.
First, the basics. GDPR was adopted in 2016 and became enforceable on May 25, 2018, giving people in the European Union new rights over the use of their personal data. It also gave companies a single, consistent standard to meet across the bloc, an important change given the patchwork of national laws that existed before.
The GDPR required companies to, among other things, establish a lawful basis (most visibly, the user's consent) before collecting personal data, and to tell people how that data will be used. The law required companies to secure personal data and, when it was lost or stolen, to notify the supervisory authority within 72 hours and affected people without undue delay when the breach put them at high risk. At any time, users could demand that companies tell them what data they hold on them, and even order them to delete it.
It's had an impact on the pocketbooks of companies over the past three years. Since the law took effect, national data protection authorities (the bodies that actually issue GDPR fines, not the European Commission) have imposed 661 fines totalling more than €292 million, according to statistics compiled by Privacy Affairs. Google leads the way with a €50 million fine, followed by a German ecommerce company, an Italian telecommunications firm, British Airways, and Marriott International.
While the law ostensibly protects only the roughly 450 million people living in the EU (fewer than before the UK exited in 2020, although the UK retained the law as "UK GDPR"), it actually has a far greater reach. GDPR already applies to non-EU companies that offer goods or services to people in the EU or monitor their behaviour, and rather than maintain different policies for customers based on where they live, many international companies decided to implement GDPR as a global standard for all of their customers. This was the case for big tech firms such as Facebook and Google.
If the EU's intent with GDPR was to put companies on notice that they will be held liable for data breaches, then it's working. According to a recent survey by Egress, 90% of security leaders are concerned about class action by data subjects in the event of a serious data breach. The survey also found that nearly half of consumers would join a class-action lawsuit if their data was involved.
“The financial cost of data breach has always driven discussion around GDPR – and initially, it was thought hefty regulatory fines would do the most damage,” Egress CEO Tony Pepper said. “But the widely unforeseen consequences of class action lawsuits and independent litigation are now dominating conversation.”
GDPR also set the standard for data protection laws passed by other countries. South Korea, Thailand, Chile, New Zealand, India, China, and Canada have all passed (or taken steps to implement) data privacy laws that borrow ideas from GDPR, according to the data security company Comforte. In the United States, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, borrows some ideas from the GDPR, and it is being amended and expanded by the California Privacy Rights Act (CPRA), which brings even stricter requirements.
The global reach of GDPR is a notable achievement, according to Jennifer Glasgow, executive vice president of policy and compliance at First Orion, a developer of call identification and call management software. "We are global citizens, and so too is our information," Glasgow says. "No matter where an organization is based, we must ensure that all cross-border data transfers don't weaken protection of personal data."
Critics also argue that the law has hampered innovation with data, weakening the competitiveness of European companies at a time when new and creative uses for data are being explored and implemented. According to Glasgow, that suggests there is room to improve GDPR.
“Global dialogues suggest that a stronger accountability-based approach allows more innovation with data, something business and government alike want,” she says. “As many U.S. states pass privacy laws and pressure rises for a single federal standard, 2021 will be a pivotal year in the U.S., the EU, and around the world in the evolution of privacy and data protection laws. It remains to be seen if we can break some glass and take the big leap to a different construct that protects individuals while encouraging innovation with data.”
Alongside GDPR, Europe has also moved to restrict cross-border flows of personal data. That weakens companies' ability to innovate with data, according to Alon Kaufman, CEO of Duality Technologies, a provider of privacy-preserving data collaboration tools.
"When the GDPR came into effect three years ago, it was a landmark accomplishment – the world's first multinational, comprehensive legislative act to protect data privacy," Kaufman said. "Yet paradoxically, the perspicacity behind the GDPR has also been its Achilles' heel, as other jurisdictions have legislated parallel privacy rules, leading to discrepancies which often impair organizations' ability to conduct vital cross-border data collaborations, introducing a new level of complexity in global digital cooperation."
Laws should be changed to enable privacy-enhancing technologies (PETs) to be used on data that flows across borders, Kaufman suggests. “PETs can allow multiple parties to collaborate on data despite competing data privacy regulations – even across borders – and their widespread rollout will be necessary as more and more countries develop their own privacy frameworks,” he says. “Three years on from the GDPR’s introduction, it is possible for the public to simultaneously enjoy personal data protection while also reaping the rewards of data collaboration.”