The EU GDPR Compliance or rather the EU General Data Protection Regulation showed great promise during development. But, after two years in effect, considerable blind spots are coming to the fore. Bearing in mind, on May 25, 2018, the European General Data Protection Regulation (GDPR) came into effect.
The first-of-its-kind policy showed great promise during development; it was intended to harmonize privacy and data protection laws across Europe. While helping EU citizens to better understand how their personal information was being used. Encouraging them to file a complaint if their rights were violated.
As a new regulatory framework, the EU GDPR Compliance was an acknowledgment that the digital economy — fuelled by (personal) information — should operate with the informed consent of users. And clear rules for companies who seek to do business in the European Union.
Implementing the policy, however, is illustrating just how much more work must be done before the EU GDPR Compliance is fully functional. European citizens, corporations and data governance frameworks still face a number of issues that the GDPR was intended to mitigate. As well as a handful of new problems.
Stronger fines, greater collaboration and an acknowledgment of some of the policy’s blind spots are sorely needed for the GDPR to be more effective in the months and years to come.
What is EU GDPR Compliance?
The EU GDPR (General Data Protection Regulation) regulates data protection law across all 28 EU countries. Whereby, it imposes strict new rules on controlling and processing personally identifiable information (PII).
Bearing in mind, almost 60,000 Data Breaches (such as Facebook Data Breach and Yahoo Security Breach) are reported under GDPR. It also extends the protection of personal data and data protection rights by giving control back to EU residents.
In general, the EU GDPR replaced the 1995 EU Data Protection Directive and went into force on May 25, 2018. Additionally, it also replaced the 1998 UK Data Protection Act. However, the General Data Protection Regulation (GDPR) regulates data protection law across all 28 EU countries.
The EU’s move to enact the General Data Protection Regulation comes in response to an increasing number of highly publicized data breaches. Such as the most recent Facebook Data Breach and Yahoo Security Breach.
And also, the misuse of personal information on several high profile retail, financial and social media sites. You can read and learn more in our What is the GDPR? blog article.
Which are the EU GDPR Compliance global concerns?
First, the political will behind and mandate of the GDPR were driven by the concern that individuals’ personal information was being exploited. Particularly, in ways that undermined privacy and, by extension, democracy.
As an example, Austrian lawyer and data rights activist Max Schrems played an important role. In developing both the awareness of and the eventual legal response to the exploitation of Europeans’ personal information.
After studying in the United States in 2011, Schrems returned to Europe and filed a request with Facebook for all the information the company had on him.
Shocked by the 1,200-page response, Schrems then started the group “Europe v Facebook.” Eventually, which until 2017, helped build the popular case and support for expanded privacy and data rights. As articulated in the GDPR.
Read Also: How does GDPR establish User-based Rights?
Secondly, while existing legislation already provided a fairly high level of privacy protection, the GDPR extended the scope of this standard. To non-EU organizations that process Europeans’ personal data. In anticipation of the passage of the GDPR, Schrems then founded noyb (short for “none of your business”).
A European privacy enforcement non-governmental organization (NGO). Schrems also filed the first complaints, mere minutes after the GDPR came into effect. A similar French NGO, La Quadrature du Net, also launched some of the earliest complaints. Especially, against what they dubbed GAFAM (Google, Apple, Facebook, Amazon, and Microsoft).
Crowdsourced from 12,000 French citizens, these complaints were subsequently made available as templates for others in the European Union to reuse. Given the GDPR’s citizen-focused origins, the regulation’s impact on individuals.
In Europe and elsewhere — it is an important benchmark for understanding its successes and shortcomings.
Success, however, must first be defined. Since the implementation of GDPR, more people clicked “I agree” and “I accept” than in previous years. In fact, for most individuals, pop-up buttons and persistent emails asking for consent were their primary interactions with the new legislation.
However, the act of quickly clicking a button is fairly incongruent with the concept of offering meaningful consent. Particularly when “consent fatigue” arises in the face of an endless stream of vaguely worded, often unreadable, notifications.
For this reason, allowing organizations to use this form of individual consent to signal compliance may not be the most effective means of reducing the use of individuals’ data without their knowledge. If anything, the GDPR has exposed just how low the bar was for transparency and obtaining consent.
As a direct result of the complaints jointly filed by noyb and La Quadrature du Net, Google was fined €50 million by the French data protection authority CNIL. For forcing consent by only giving one option: consent in full to non-specific, poorly explained uses of your data or don’t proceed at all.
In contrast, the GDPR framework has actually been a resounding success as a model for breach notification policy. With the ultimate goal being the notification of affected users so they can take action to protect themselves (and their information).
There has been a massive increase in the reporting of breaches (including self-reporting). According to the International Association of Privacy Professionals (IAPP), more than 89,000 incidents have been reported — roughly double the previous rate.
The obligation to directly notify individuals of potentially damaging breaches in a timely fashion is an example of the unambiguously positive impact of a unified regulation. That expands the definition of personal data and the protocols around its use.
Automated Decision Making:
Provisions exist that address individuals’ right to keep their data from being subject to solely automated decision making that has legal or other significant impacts, such as profiling. However, the overall lack of precision in how the rights of data subjects are defined with regard to artificially intelligent algorithmic systems makes the GDPR a bit “toothless” in this area.
The problem is that automated decision making is still relatively new, and accountability systems to audit and oversee them are generally not yet in place. How would a citizen first know that such a decision is taking place when all they may receive is the result?
This is particularly concerning if automated decision making is regarded as more “objective” when it is actually perpetuating historical biases. Researchers have documented how risk-assessment algorithms used in the US justice system are racist. Not that different from human-led criminal justice systems, which are also prone to bias.
The GDPR’s provision against profiling in automated decision making also states that the profiling may be allowed if the user consents. Or if the profiling is necessary for entering into or the performance of a contract. This could be argued as the basis of all algorithmic media, that it creates a profile of the user to customize content.
And that said profile is necessary for the operation of the algorithm. Profiling is, in fact, where the failure of the individual consent model is most apparent. Simply, because profiles created by using aggregated, de-anonymized data, or inferred or predicted data, can be generated without the knowledge of the individual.
While user interactions with GDPR-sparked initiatives (such as the reporting process or consent buttons) are on the rise, citizens’ attitudes about and expectations of data governance are not keeping pace. Certainly, Europeans’ awareness of data protection and data privacy has increased.
According to an EU survey, Eurobarometer, 73 percent of Europeans have heard about at least one of their new rights. Unfortunately, only three in 10 Europeans are aware of all of their rights.
On a more positive note, there has been a huge increase in people exercising their rights, with 144,000 individual complaints. Concerning access requests, unwanted marketing, employee privacy, and deletion requests. The GDPR also seems to have brought to the fore a new awareness of the many potential flaws.
Or even shortcomings regarding data protection in many smart city plans. And has given the entire notion of privacy as a human right a currency it did not possess before.
Data Protection Attitude:
An interesting, if foreseeable, turn of events is the apathy evident among EU citizens in their attitudes toward data protection. The 2019 CIGI-Ipsos Global Survey on Internet Security and Trust found that Europeans are the least concerned about online privacy among those surveyed. Who, overall, are more concerned than they were before the GDPR.
Another survey reveals that one year after the GDPR’s implementation, the population’s high general awareness of the GDPR (67 percent) is paired with a decreased sense. Among individuals that the regulation will improve their interactions with organizations. For example, respondents had lower expectations that companies would stop selling their data.
Still, 63 percent of respondents believe that the GDPR improved data privacy and five percent fewer people are now opting out of data collection. As well, there has been an 11 percent decrease in the number of people asking for data deletion.
Corporate Data Prevalence:
If a certain cynicism about corporate behavior prevails, so does an implicit faith. That the mere existence of the new regulation precludes the need to take further action to protect their data.
Yet, unknown to most citizens, potential loopholes persist in the GDPR. For instance, an exemption from obtaining explicit, prior consent is available to those who can argue a “legitimate interest.” As a business in processing personal data in manner users might “reasonably expect.” Such as on the basis of an existing relationship.
While the lack of consumer awareness of rights probably contributes to corporate non-compliance, why change when no one is reporting you? A greater number of fines and actions could dramatically reduce such practices.
Regulating Cash-rich Corporations
Concern for citizen data sparked the development of the GDPR. And the technology companies that deal primarily in data were the cause for that concern. Corporate data collection practices were reaching a level that left many citizens uneasy. While the value of data grows, so does the industry competition to gather more personal information.
The GDPR’s role in addressing industry practices included not-so-radical policy changes; the new framework is more of an enhancement of the laws that were already in place. Ideally, future revisions to the GDPR would go beyond penalizing a handful of companies for their operations.
The GDPR has the potential to help change the data collection ecosystem as a whole — whether or not it has done so yet is up for debate.
The first year of the implementation of the GDPR seems to have had a negative impact on the funding of EU-based tech companies (and in particular, start-ups). After all, which saw a downturn in venture capital investment and a similar decrease in advertising budgets.
Further, there is a widespread perception that the GDPR has not changed corporate practices but instead added a layer of bureaucracy that is especially onerous to smaller enterprises.
Because the regulation leans toward a self-policing, self-reporting model, companies have been focusing on adding personnel. In order to achieve compliance rather than actually changing what they do and why. For example, Facebook has not changed its business model. Rather, they have hired more lawyers to defend their model and adopted language.
That makes it easier to obtain consent. Disregarding the fact that most Facebook users have little choice. But to consent, if they want to communicate with friends and family. Similarly, Google has not changed its business model around search or YouTube. But, instead, it has added language so that people better understand why they receive customized results.
And also, why the service will be inferior if they don’t opt-in and provide their personal information for customization. Combine this with poor board-level awareness and superficial efforts at compliance. It’s no wonder that the GDPR instigated new bureaucracy and not a culture change for corporate practices.
Industry Competition & Consolidation:
Author and data rights advocate Cory Doctorow argues that the complexity and costs of implementation are driving industry consolidation. The current regulatory model, Doctorow says, favors American giants who have figured out how to make the system work.
Others have similarly argued that larger companies are able to game the system by giving the appearance of compliance by changing user interfaces, for example, but not their practice.
While the GDPR’s self-reporting model has some upsides, it must be coupled with stronger enforcement mechanisms. Antitrust actions do acknowledge the power dynamics at play. In particular, those between data and technology giants. And the GDPR’s impact on competition are strong first steps.
While the GDPR’s promised fine structure had everyone’s attention initially, some flaws and inconsistencies are emerging. For example, Knuddels.de, a German chat site, was fined a modest €20,000 for a self-reported data breach. While the Portuguese Hospital do Barreiro was fined €400,000 for a seeming lack of regard for security around access to patient records.
Furthermore, most price tags pose little threat to cash-rich companies likely to face the largest fines. A single fine accounted for 89 percent of the total €56 million in fines issued.
And even this €50 million fine levied against Google is far from the maximum allowable fine of €3.7 billion. After all, which would be four percent of Google’s entire global revenue.
Desired Changes Discussion:
On a positive note, some organizations are now openly discussing the changes needed to reduce the data they require or to be less intrusive. And there have been hints (pretty explicit ones from France, Germany, and Ireland) that this grace period is now coming to an end.
Ireland — which hosts the EU headquarters of every major digital player — has 19 statutory inquiries in progress right now against big tech. Across the European Union, a ramping up of staffing in data protection agencies is underway.
Recently, the UK Information Commission Office (ICO) has fined British Airways £183.39 million for a major data breach resulting from poor security. Roughly four times the amount the largest previous fine under GDPR (CNIL’s €50 million against Google). Commissioner Denham’s accompanying statement that personal data loss is “more than an inconvenience.”
As the EU GDPR Compliance moves into its third year, the role of fines in changing corporate behavior will undoubtedly come back into the spotlight.
What is the Step Forward for EU GDPR Compliance?
Arguably, the EU GDPR Compliance made a greater impact on national and international governance. For sure, than it did on citizen data or industry practice. Countries around the world are now debating or passing new privacy legislation. As well as entertaining greater regulatory action against growing global technology giants.
The EU GDPR Compliance has been regarded as a new standard that many countries are aspiring to align with. While this does not mean that the GDPR is the ultimate regulatory goal, it has presented a target. Or rather, a milestone that other countries are now moving towards.
A global conversation on data protection and privacy is expanding, and the impact on non-EU countries is in evident. This is true both inside and outside Europe (Kenya, Switzerland, Norway, Iceland, Liechtenstein) just but to name a few.
Filling the Data Breaches with EU GDPR Compliance
The GDPR’s most commonly reproduced characteristics are likely its provisions around data breaches, data subject rights, and accountability. Its omnibus-law approach to data protection across all industries and contexts is also proving popular. As countries engage in widespread upgrades of their laws to reflect the challenges posed by the digital economy.
In part, this approach reflects the European Union’s linkage of the adoption of its privacy standards with its free trade agreements, through “adequacy decisions.” Countries such as New Zealand, Israel, Argentina, Japan, Colombia, South Korea and Bermuda have sought to mirror the GDPR’s standards in their own reforms.
A fragmented system of data governance is still apparent. Although the framework’s explicit goal was a unification of disparate existing legislation. Embedding the GDPR into national law and creating agencies to execute it has not happened uniformly across Europe.
Countries EU GDPR Compliance Encroachment
Not only are there variations in approach to enforcement, but a number of member states have been late in adopting legislation. For example, many countries haven’t issued a single fine yet.
Especially, necessary to roll out the GDPR. Or have interpreted the guidelines on derogations (rules specific to that country), exceptions and restrictions quite differently.
A small number of nations have actually adopted measures that contradict the EU GDPR Compliance. For example, Romania lifted restrictions on the processing of personal data by political parties.
As the EU Justice Commissioner Vĕra Jourová observes, implementation has been especially weak. In states that didn’t take concerns about their citizens’ data rights very seriously in the first place.
EU GDPR Compliance by Outside Countries
Outside of Europe, the EU GDPR Compliance faces more challenges still.
However, several recent high court decisions have added momentum to a more pan-European approach. Recently, Facebook saw the Irish Supreme Court dismiss its attempt to quash the referral of questions around US-EU data transfers to the Court of Justice for the European Union for a determination.
Cross-border processing of cases by EU supervisory authorities is also on the rise. And the continuing evolution of mechanisms for cooperation. Such as procedures for mutual assistance, joint operations and the “one-stop-shop.”
The EU GDPR Compliance is an ambitious and pioneering attempt. To create a comprehensive, unified standard for digital privacy and data protection. The problems it addresses are complex, and as an enforcement mechanism, it will continue to mature over time.
Right now, its mandate is primarily educational. Demanding transparency in the name of keeping citizens informed about the use of their data. And it has been pretty successful at shining a spotlight on shady practices. That only tech experts and academics were widely familiar with before its implementation.
Secondarily, the EU GDPR Compliance can be a useful tool for policing and curbing the worst excesses and exploitation. Such as dark patterns, data mining and so on. However, it is important to note that for all its virtues, the GDPR does little to question existing models.
Read more about the recent Facebook Data Breach and Yahoo Security Breach.
The emerging unintended side effects are wholly foreseeable consequences. Of treating data as a commodity rather than as a collective good. Whilst, the GDPR could certainly boost the power of big tech. Or even reinforce the concerning data use practices that inspired the GDPR to begin with.
Three years in, it seems as if the EU GDPR Compliance has failed. Especially, to mitigate the de facto monopoly technology giants have on the collection and use of data. Bureaucratic control will never be as effective as a mobilized and vigilant citizenry.
That uses democratic voices to demand new rules and a different society. That citizenry is beginning to demand — and deserves — better governance of technology. As well as, data collection and automated decision making.
However, if you’ll require more guidance pertaining to this or more of our blog topics, please Contact Us. You can also share your questions, suggestions, additional links, etc. in the comments box below this blog post.
And you can also read and learn more about;