By Jack Carvel, Qubit
It’s been more than one year since the General Data Protection Regulation (GDPR) came into force, so it’s a good time to reflect on the legislation and evaluate whether it has lived up to its promise — and what it was designed to do: to protect the data privacy of citizens in the EU and give them more control over how and when their data is being used. The GDPR also addresses the export of personal data outside of the EU and therefore affects American brands and any company doing business with individuals residing in the EU.
Europe isn’t new to efforts to protect its citizens’ private data. The GDPR supersedes the Data Protection Directive adopted in 1995, which regulated the processing of personal data within the EU. The Directive was considered an important component of EU privacy and human rights law. Relying on the same principles, the GDPR is very much an extension of the Directive. While the GDPR was an evolution and improvement on the 1995 Directive, did it fulfill its promise?
Let’s start with some assumptions made prior to the implementation of the GDPR and what’s happened since:
Unquestionably, there is continued reliance on third-party data. Many (including myself) thought the GDPR would essentially eliminate the selling and reselling of third-party data. This would mean that data brokers that heavily profit off of third-party data — and there are many — would also disappear. We see now that didn’t happen, and it may not unless the use of third-party data is better regulated and enforced. The fact is, enforcement has been lackluster in this area, and consumers are still not aware that their data is being sold by vendors that profit off of it. Whether enforcement isn’t up to par because regulators have their hands full or because these large data management companies are “too big to fail,” we may never know. What we do know is that there is a lack of transparency, and consumers currently have no idea how many of these data management platforms are trafficking their data.
Fines have been lackluster, to say the least. With the threat of fines looming, there was a hectic scramble to prepare for the GDPR in the lead-up to its implementation. It wouldn’t be an overstatement to say that a lot of people thought there would be a focus on enforcement in general, especially for companies that either didn’t take the steps needed to achieve compliance or knowingly ignored the GDPR and let the chips fall where they may. There have been some fines: one on Google for €50 million, and another on Facebook for £500,000 by the Information Commissioner’s Office (ICO) in the wake of the Cambridge Analytica scandal, for allowing third-party developers to access user information without consent. One could argue the fine on Facebook was a slap on the wrist.
Many data breaches are going unchecked. The GDPR also has strict guidelines on data breaches. Businesses must report any data breach within 72 hours if it has a negative effect on consumer privacy. Businesses that violate this part of the statute could be fined up to £20 million or up to 4% of profits from the preceding financial year. However, according to personal data security platform Digi.me, of the 11,468 self-reported data breaches handled by the ICO between May 25, 2018 and March 2019, only 29 penalties were handed out, and none of them were under the GDPR but rather under the older Data Protection Act. In total, 37,798 data-related concerns have been reported by consumers since the start of the GDPR. It seems there’s a long way to go in terms of investigation of consumer complaints as well as enforcement of the GDPR.
There is also good news on the GDPR after its first year. One key aspect is the awareness on the part of consumers of how their data is being monetized and used in all facets of marketing and advertising. And we are all much more aware of how bad actors are misusing our information as well (see the above reference to Facebook/Cambridge Analytica).
Perhaps more importantly, the GDPR has been an inspiration for many consumer privacy laws around the world, most notably the California Consumer Privacy Act (CCPA), due to go into effect in January 2020. The purpose of the CCPA is to further Californians’ right to privacy by giving consumers an effective way to control their personal information and how it is being used.
The CCPA may be even more stringent than the GDPR. Brands that intend to continue doing business with California’s 39 million residents will have to comply with the law or face the consequences, including fines of up to $750 per consumer or up to $7,500 per intentional violation. When you’re talking about data breaches that affect millions, these fines could be devastating to small or mid-sized companies.
Unlike the GDPR, which was very much an evolution of the existing rules, the CCPA represents a fundamental shift in how data is conceptualized and protected for the companies that are affected. As such, in many cases it is unclear how these new rules will be interpreted and enforced, but there is at least a major opportunity for regulators to make a real difference on the issue of citizens’ privacy rights.
One thing is for certain: we’ve entered the age of consumer data privacy, and both the GDPR and CCPA are steps in the right direction. Brands that take steps to comply with both are showing they respect the privacy of the consumers they owe their success to. And there is no question that this is a good business decision.
Jack Carvel is General Counsel for Qubit. He is responsible for driving global legal strategy alongside the C-suite team, acting as primary counsel for all commercial, product, data protection, financial, litigation, employee, real estate and