One of the defining moments for tech in 2018 was on May 25, when the EU implemented its General Data Protection Regulation — the ominous GDPR. The ambitious legislation is the toughest privacy and security law in the world and was meant to guarantee users better control over their personal data.
But has it? For most people, both in the EU and outside, the ‘better control’ only took form in a myriad of annoying consent pop-ups on seemingly every single site they visited.
That’s why we’re taking a look at GDPR’s 2018. Here’s what experts had to say.
First things first though, what exactly is GDPR?
If you’re already an expert on GDPR, you can probably skip this section. But considering that GDPR’s text counts more than 100 pages and the many misunderstandings regarding the legislation — like that you can read your boss’ email about you (spoiler alert, you can’t) — I’d wager that’s not likely. That’s why a short explanation of its main points is in order, based on this 2,000 word summary.
When the EU says it wants to give people better control over their personal data, it means it. All EU data subjects (legalese for EU citizens and residents who use computers and stuff) now have the right to have a say in how organizations handle their data, as they’re only ‘lending’ the data — your personal data should belong to you and nobody else.
So under GDPR, you have the right to:
- Information about how your personal data is processed
- Obtain access to the personal data held about you
- Ask for incorrect personal data to be corrected
- Request personal data to be erased (e.g. when its processing is unlawful)
- Object to your personal data being used for marketing purposes
- Request the restriction of the processing of your personal data in specific cases
- Data portability
- Request that decisions based on automated processing involving you or your data are made by natural persons, not only by computers
In order to enforce this, GDPR allows ‘data subjects’ to seek compensation for damages. But the biggest enforcement tool is the possible fine for violating GDPR: up to 4 percent of global revenue or €20 million, whichever is higher.
This staggering amount ensures that even tech Goliaths will be wary of GDPR, but its reach also plays a big part. The legislation actually applies to any company that handles personal data of EU citizens or residents — which is why GDPR was such a big deal in 2018.
GDPR puts a lot of responsibility on companies and how they handle people’s data. Those responsibilities include not using people’s personal data in any way without proper authorization or reason. That can, for example, be unambiguous consent, a court order, or processing that is necessary to execute or prepare a contract with the person, e.g. a background check before leasing them an apartment.
However, companies are also allowed to process a person’s data if there’s “legitimate interest” — which is just as vague as it sounds and is one of the major culprits for the confusion surrounding GDPR. We’ll probably see better definitions and guidelines for this in 2019, but it should refer to common sense usage.
Companies are also required to have appropriate data security and transparent data processing, and have to notify affected data subjects within 72 hours or face penalties. This last obligation is great, but it hasn’t had much impact in 2018, as there’s been a ton of big data breaches, most of which didn’t notify affected users within the 72-hour period. Facebook waited more than two months to announce its latest data breach.
Wait, so if the rules aren’t followed, is GDPR worth anything? Well, let’s check in with the experts.
Not much enforcement in 2018
Raegan MacDonald is the Head of EU Public Policy at Mozilla, a company known for its stance on privacy and the open internet. For her, GDPR has been a bit of a mixed bag, at least in its first months.
“While it is early, I haven’t yet seen that impact, although some progress is being made,” MacDonald told TNW. “Many companies have updated their privacy policies and created tools to give users more control, such as ways to request that their data be deleted.”
However, MacDonald is disappointed with how superficial this approach has been: “Many companies appear to be interpreting GDPR as narrowly as possible. I’m concerned that privacy is still by default put at risk without users understanding or having meaningful control.”
This is disappointing because one of the goals of GDPR was to encourage (or forcefully nudge) companies to implement privacy by design, but MacDonald is optimistic about the future: “We haven’t seen the big fines levied just yet. But I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement.”
She points out that there are nine EU member states that have yet to implement GDPR, and the new regulator — the European Data Protection Board — is still setting up shop, so it’s no wonder things are moving slowly for now.
“Starting in 2019, I expect this ‘grace period’ to end, where companies will either shape up or face serious fines by regulators. Laws are only as strong as their enforcement, and we are encouraged by the fact that many data protection authorities are starting to closely scrutinize the underwhelming implementation measures taken by some companies (and the thousands of complaints filed).”
There have been a number of high-profile complaints lodged with data protection authorities (DPAs) in Europe. Right away on May 25, noyb, a group of privacy activists, filed complaints against Google, Facebook, Instagram, and WhatsApp over “forced consent” — as users should be able to use services without having to consent to giving up their data. Google was also reported recently for its alleged illegal tracking of its users in the EU.
It’s great that complaints are being filed with DPAs, but in addition to this, MacDonald says there’s a need for more actionable control; users should really feel in charge of their data:
“Mozilla strongly believes that users should be given meaningful control, not just tools buried in privacy notices or deep within settings menus. And ultimately, we need strong enforcement in Europe against those companies that aren’t genuinely delivering on the principles in the GDPR.”
Companies like Mozilla have started creating tools, like anti-tracking features in browsers, but more need to adopt GDPR’s mentality to truly deliver on people’s control over their data. What it seems to boil down to, as MacDonald points out, is the need for better enforcement — so where are the regulators?
GDPR will be felt in 2019
GDPR has only been in effect for a few months, but regulators have been far from idle. DPAs in each member state have been growing their staff numbers and expertise. The Irish Data Protection Commission (DPC) has, for example, grown from less than 30 employees back in 2014 to 130 staff members in 2018, with plans for further expansion of staff and expertise in 2019.
The Irish DPC plays a pivotal role in the implementation and enforcement of GDPR, as many of the world’s biggest tech companies have their EU headquarters in Ireland. That means that complaints filed against companies like Facebook, Twitter, Microsoft, LinkedIn, and soon Google are under the purview of the DPC.
TNW spoke to Graham Doyle, Head of Communications with the Irish DPC, about GDPR’s first few months. For him, it’s obvious that GDPR has made people in general much more aware of the issues regarding personal data. A big indicator of that is that the number of incidents reported has skyrocketed: 3,500 breach notifications and 2,500 complaints, double the amount of last year.
“We conducted a survey in early 2017 where we assessed the awareness levels of the GDPR among businesses in Ireland and found it to be between 30 and 40 percent,” Doyle told TNW. “However, when we redid the survey in May 2018, we were at around 90 percent awareness levels.”
GDPR clearly had an impact in 2018, as it made people think more about how their personal data is handled. Doyle is happy with this, as the DPC spends considerable resources on awareness and considers educating businesses and the public to be a key part of its role.
“We take a twin-pronged approach to upholding GDPR: enforcement and engaged supervision,” says Doyle. “Engaged supervision is where we engage with organizations, consult on personal data-related legislation, and with companies regarding their new products. Basically, when we engage with organizations, we try to assist them in getting it right from the beginning.”
This approach is understandable, as it’s undeniably better for companies to get it right the first time — and prevent any personal data from being compromised — than to focus solely on punishing offenders. However, Doyle adds that the DPC also intends to fulfill its corrective role, and the lack of enforcement in the first few months of GDPR shouldn’t be interpreted as inactivity.
“The new toolkit that the GDPR has provided DPAs brings significantly enhanced powers,” Doyle explains, adding that the reason no fines have been issued yet is that current investigations are still ongoing. “We will use the full powers afforded to us, and the full extent of the GDPR’s toolkit, where it’s appropriate to do so.”
GDPR’s impact in 2018 can be summed up as greater awareness regarding the handling of personal data, which encouraged companies to change their approach — although most businesses could do more in that regard. To do that, better enforcement is needed, and it looks like it’ll be coming soon.
When asked when we could be expecting investigations to come to an end, Doyle was clear: “We’ll certainly be concluding some of the bigger investigations in 2019.”
GDPR’s impact will keep growing in 2019, when the legislation’s full capabilities will be realized.