The GDPR: one year on
25 May 2019 marks the one year anniversary since the European Union’s General Data Protection Regulation came into force. This blog laments the EU’s missed opportunity to get the fundamental right to data protection right for all.
Today (25 May) marks the first anniversary of the European Union’s General Data Protection Regulation (GDPR) coming into force. From news about Amazon’s Alexa listening to our private conversations to facial recognition cameras installed in airports and taxis, the year since has been a steady drip of revelations about the data collection practices of big tech firms and breaches that have exposed the personal information of millions of data subjects. Behind the scenes though, reaction to the GDPR has been quite different. Businesses have struggled to come to terms with their obligations under the new law, while others have failed to conduct proper balancing tests between competing rights. National data protection authorities have been overwhelmed with complaints, queries, investigations, and enforcement proceedings. Opaque guidance from the regulator has not exactly made implementation easy. Who would have thought a fundamental right could be so difficult, requiring everything from data protection officers and impact assessments to determine the effects of data processing?
At the heart of the GDPR are data subject rights – exercisable against data controllers who make decisions about the way our personal data is handled. Yet for most of us outside of the data protection filter bubble, the GDPR looks responsible for nothing more than a disruption to the user experience. First it was an inundation of “consent” emails to continue marketing communications. Now it is the annoyance associated with pop-up windows demanding users “accept to continue”. Ironically, both of these are not GDPR consent issues at all. The first issue relates more to the e-Privacy Directive. Furthermore, a company does not need consent to process personal data if it has a legitimate interest in marketing to its customers. Warnings over negligent GDPR advice have begun.
Yet data subjects rarely exercise their rights and the Regulation meant to “reign in Google and Facebook” has done nothing of the sort. In the run-up to 25 May, big tech doubled down, getting a fresh set of permissions for data processing. This empowered big tech into processing even more data and Google actually seems to have benefited from the GDPR the most. Although Facebook expects the US regulator, the Federal Trade Commission to fine them up to $5 billion for its data protection practices, it is safe to say that big tech has already internalized the costs of compliance. Last quarter, Facebook’s total revenue rose from $12.97 billion to $16.91 billion and Google reported first quarter revenue of $36.34 billion. When you are making that kind of money, it is safe to say that you can afford the GDPR’s regulatory burden.
However, while the GDPR might be reigning in social media and the societal harms associated with psychometric testing and targeted advertising, small businesses and sole traders that cannot afford data protection experts are now faced with the task of making correct decisions about compliance, under the threat of financial penalty. Subject access requests and right to be forgotten requests can, and often are, abused. Despite the GDPR’s consistency mechanism, data protection authorities are issuing conflicting guidance about everything from interpretation to application. Furthermore, no-one really knows the extent of the definition of personal data. If the Court of Justice of the European Union keeps expanding the definition of personal data, then all information could fall under its scope.
The Snowden revelations raised important questions about mass surveillance by intelligence agencies of our private communications. Closer to home, mass surveillance of our lifestyle choices is taking place in sewers through analysis of faecal matter. We are also asking important questions about how algorithms, artificial intelligence, and automatic decision-making will affect different aspects of our lives.
Determining the legally appropriate response for the myriad of data protection issues a small business will encounter could result in extensive calls to the data protection authorities or a privacy lawyer.
As compliance fatigue sets in, the GDPR runs the risk of turning into the new catch all excuse for not doing something, i.e. “We can’t do it ’cause GDPR.” Every day activities like bin collection and taking photographs in public places have been erroneously prohibited “because of GDPR”. A father frantically trying to find his daughter after an accident was denied information by over-zealous medics.
What exactly is empowering in a rule interpreted in such a manner that parents are prevented from taking pictures of their kid in a school play? The European Data Protection Board (EDPB) should provide the urgent clarity needed and broaden the scope of the household exemption. Rather than trying to fit the same rules for controlling Facebook and Google to everyday activities, the EU could have adopted a tiered approach in the GDPR’s regulatory design tied to simple principles, added sector-specific legislation, and limited harms by adding blacklisted practices. The GDPR is overly broad and affects everyone. Do you have any business contacts stored in your mobile phone? You might be a data controller. Have you registered with the data protection authority? You might be acting illegally. The GDPR doesn’t recognize the ways people actually interact with data, technology, and each other. The EDPB should have recognized it has a role in changing social norms, which can be a far more effective form of regulatory design than direct regulation.
The GDPR has helped people understand the importance of data protection and provided data subjects with increased protection. It forces data controllers to think about processing and getting the proper grounds before undertaking. As time passes, new data protection norms will develop and good practices will form. Expect more aggressive enforcement measures against big tech from national data protection authorities. Although heralded as a new privacy framework for data subjects; in reality, the GDPR is a bit of a disappointment. Applying it requires creative and, quite frankly, ludicrous interpretations. The complexity of the GDPR has and will continue to be its undoing. Some suggest that the Regulation is a living document and will constrain the unmitigated harms associated with everything from profiling to targeted advertising to price discrimination. We do have other laws capable of protecting people on the books already.
A year into GDPR and, so far, I am not impressed.