The story of the now-1-year-old GDPR is interesting in and of itself, but it is perhaps most compelling in terms of what it portends for the future of data privacy--and of companies' and the U.S. government's willingness and ability to protect customer data.
The General Data Protection Regulation--or GDPR, as it’s more commonly known--is a regulation in European Union (EU) law for governing management and egress of personal data for citizens of the European Economic Area (EEA). This area encompasses all EU countries that are signatories of the regulation, as well as citizens of Iceland, Liechtenstein and Norway. Under the regulation, entities that collect and process personal data for citizens of the signatory countries must conform to certain stewardship practices and comply with what is really a “bill of rights” for personal control of data. The GDPR was passed in 2016 and went into effect last May 25.
The European Data Protection Board, the advisory board for the GDPR, has released information about some of the effects of the GDPR through the end of 2018.
There were about 95,000 complaints filed under the GDPR during that time period. Of those, 60,000 were lodged between May 25 and November 2018. December of that year alone added another 35,000 complaints, a nearly 60% increase over the accumulated total of the first eight months the regulation was in effect. Likely reasons for the spike include data breaches involving Facebook, Quora, Google+ and Signet Jewelers (parent company of Jared and Kay Jewelers).
Nine months after the GDPR went into effect, there had been more than 41,000 reported data breaches. Under the regulation, data compliance officers have 72 hours to report breaches.
Out of those 95,000 complaints lodged in 2018 came 255 investigations. From those investigations, the European Data Protection Board highlighted three cases resulting in fines: a sports betting cafe was fined €5,280 (approximately $6,000) for unlawful video surveillance, and an unidentified “social network operator” incurred a €20,000 fine (approximately $26,000) for failing to secure user data. The bulk of the assessed fines, however, were levied against Google, whose lack of consent for targeted ads resulted in a staggering €50 million fine, roughly $56 million. Under the GDPR, fines can be assessed at up to 4% of global revenue as stated in the previous fiscal year, or €20 million per occurrence (whichever is greater). While complaints can be filed for a host of reasons under the regulation, the most common in 2018 were for telemarketing, promotional emails and CCTV surveillance.
In the Google case, the French Data Protection Authority, known by the acronym CNIL, ruled that the search company had provided users with inadequate information and had made it exceedingly difficult to obtain the necessary valid consent for ad personalization. One of the tactics stated by CNIL was cumbersome terms and conditions that stretched across multiple pages. CNIL concluded Google breached the GDPR in two ways:
- Failing to meet transparency and information requirements
- Failing to obtain a legal basis for processing personal data
GDPR was something of a superstar in 2018. Searches on the regulation hit Beyoncé and Kardashian territory periodically throughout the year. In the United States, individual states began either exploring their own version of the GDPR or, in the case of California, enacting their own regulations (the California Consumer Privacy Act, or CCPA). Other states that either enacted or strengthened existing data governance laws similar to the GDPR include Alabama, Arizona, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, Vermont and Virginia. At this point, there is also a growing number of companies operating outside the EU that are ceasing operations in the EEA rather than taking on expensive changes to their business applications and practices and becoming subject to possible fine assessments.
Current GDPR Activity
GDPR prosecutions continue, as do the filing of complaints and investigations. Each member country keeps its own listing of court cases in progress, so it’s a bit difficult to quantify just how many investigations and cases are active. In my research for this article I did come across information from the Irish Data Protection Commission (DPC) on open cases. As of January 1, the DPC stated that it had several open cases concerning “Multinational Tech Company” compliance with the GDPR within the Irish border:
- Facebook Ireland, Ltd.: six open cases
- Facebook Inc.
- Facebook Ireland, Ltd. (Instagram)
- LinkedIn Ireland Unlimited Company
- WhatsApp Ireland, Ltd.: two open cases
- Apple Distribution International: two open cases
- Twitter: two open cases
One could conclude, looking at the list from just one EEA member state, that social media behemoths are the main target of GDPR investigation. That is far from the truth, but it’s not surprising that early investigations are focused on the most obvious of targets: You fish where the fish live, after all. Since many of the first complaints regarding the GDPR were aimed at these same social media technology firms (specifically, Facebook and Google, along with two of Facebook’s subsidiaries, Instagram and WhatsApp), it’s unsurprising that those entities find themselves embroiled in the fallout. According to Fieldfisher, a European law firm: “These early complaints concern the issue of ‘forced consent’. The complaints allege that these companies fell short of the GDPR requirement for consent to be ‘freely given’ and not made conditional upon, or bundled with, consent for the provision of a service by:
- Asking users to either consent to their terms of service or delete their account, and blocking them from using their account until they provide consent (in the case of Facebook, Instagram and WhatsApp); and
- Asking owners of new smartphones to consent to processing of their personal data using the Android operating system and, if consent is not given, barring those users from using the device (in the case of Google).”
How to Protect Customer Data in the Long Term
Where do we go from here? I still expect that we’re going to see a further spread of state-specific privacy laws here in the United States. I foresee a tipping point coming where the ability of tech companies to navigate all of these various regulations and to conform to shifting “most-restrictive” rules across the lot becomes untenable, forcing the hand of legislators on Capitol Hill to devise a national data privacy regulation to supersede states’ laws.
One can sympathize with tech companies finding themselves in a never-ending cycle of constantly reviewing and revising their abilities to meet these shifting goal posts. However, if these entities would do the utmost to protect personal data--instead of just what is easiest to implement but still keeps within the current "letter of the law"--the cycle could be broken. Doing privacy "right" the first time may have the most front-loaded costs, but in the long run it will be cheaper for the company and less disruptive to innovation--and will result in far less context switching by staff.
This advice goes for all companies, not just tech giants, but they are certainly a bellwether of things to come.