GDPR: One Year Later – Has It Lived Up To Its Promise to Protect Consumers?
By Jack Carvel, Qubit
It’s been more than a year since the General Data Protection Regulation (GDPR) came into force, so it’s a good time to reflect on the legislation and evaluate whether it has lived up to its promise and done what it was designed to do: protect the data privacy of EU citizens and give them more control over how and when their data is used. The GDPR also governs the export of personal data outside the EU, so it affects American brands and any company doing business with individuals residing in the EU.
Europe is no newcomer to protecting its citizens’ private data. The GDPR supersedes the Data Protection Directive adopted in 1995, which regulated the processing of personal data within the EU and was considered an important component of EU privacy and human rights law. The GDPR relies on the same principles and is very much an extension of the Directive. But if the GDPR was an evolution of and improvement on the 1995 Directive, did it fulfill its promise?
Let’s start with some assumptions made prior to the implementation of GDPR and what’s happened since:
- Unquestionably, there is continued reliance on third-party data. Many (including myself) thought the GDPR would essentially eliminate the selling and reselling of third-party data, which would mean that the data brokers that profit heavily from it (and there are many) would also disappear. We see now that this didn’t happen, and it may not unless enforcement against the third-party data trade improves. The fact is, enforcement has been lackluster in this area, and consumers are still not aware that their data is being sold by vendors that profit from it. Whether enforcement falls short because regulators have their hands full or because these large data management companies are “too big to fail,” we may never know. What we do know is that there is a lack of transparency, and consumers currently have no idea how many of these data management platforms are trafficking their data.
- Fines have been lackluster, to say the least. With the threat of fines looming, there was a hectic scramble to prepare for the GDPR in the lead-up to its implementation. It wouldn’t be an overstatement to say that many people expected a focus on enforcement in general, especially against companies that either didn’t take the steps needed to achieve compliance or knowingly ignored the GDPR and let the chips fall where they may. There have been some fines: one of €50 million on Google, and another of £500,000 on Facebook, levied by the Information Commissioner’s Office (ICO) in the wake of the Cambridge Analytica scandal after Facebook allowed third-party developers to access user information without consent. One could argue the fine on Facebook was a slap on the wrist.
- Many data breaches are going unchecked. The GDPR also sets strict rules on data breaches: businesses must report any breach that has a negative effect on consumer privacy within 72 hours. Businesses that violate this part of the statute could be fined up to £20 million or up to 4% of profits from the preceding financial year. However, according to personal data security platform Digi.me, of the 11,468 self-reported data breaches handled by the ICO between May 25, 2018 and March 2019, only 29 penalties were handed out, and none of them were under the GDPR; all were under the older Data Protection Act. In total, 37,798 data-related concerns have been reported by consumers since the start of the GDPR. It seems there is a long way to go in investigating consumer complaints as well as in enforcing the GDPR.
There is also good news about the GDPR after its first year. One key development is consumer awareness of how their data is being monetized and used in all facets of marketing and advertising. We are also all much more aware of how bad actors misuse our information (see the reference above to Facebook/Cambridge Analytica).
Perhaps more importantly, the GDPR has inspired many consumer privacy laws around the world, most notably the California Consumer Privacy Act (CCPA), due to go into effect in January 2020. The purpose of the CCPA is to further Californians’ right to privacy by giving consumers an effective way to control their personal information and how it is used.
The CCPA may even be more stringent than the GDPR. Brands that intend to continue doing business with California’s 39 million residents will have to comply with the law or face the consequences, including fines of up to $750 per consumer or up to $7,500 per intentional violation. When the data breaches in question affect millions of people, these fines could be devastating to small or mid-sized companies.
Unlike the GDPR, which was very much an evolution of the existing rules, the CCPA represents a fundamental shift in how data is conceptualized and protected for the companies that are affected. As such, in many cases it is unclear how these new rules will be interpreted and enforced, but there is at least a major opportunity for the regulators to make a real difference on the issue of citizens’ privacy rights.
One thing is certain: we’ve entered the age of consumer data privacy, and both the GDPR and the CCPA are steps in the right direction. Brands that take steps to comply with both show that they respect the privacy of the consumers to whom they owe their success. And there is no question that this is a good business decision.
Jack Carvel is General Counsel for Qubit. He is responsible for driving global legal strategy alongside the C-suite team, acting as primary counsel for all commercial, product, data protection, financial, litigation, employee, real estate and regulatory matters.