The GDPR: A Year On
Just over a year ago, on May 25, 2018, the EU’s GDPR came into full effect. It’s the date that all businesses were meant to be compliant with new data protection and privacy laws. It was made into law on April 14, 2016, to expand on existing data-protection laws within the EU, and to maintain fair transfer of data outside EU and EEA countries – though this hasn’t always been the case. There’ve been over 200,000 investigations since the GDPR was rolled out, with more than 65,000 of them confirmed.
There’s long been a flagrant use of personal data by organizations. The way it was managed and used before the regulation, not just in the EU, was underhanded and the data itself was often unprotected. In the case of the Cambridge Analytica scandal, Facebook allowed the company to collect and use the personal data of 87 million users, all under the pretense of academic purposes. It was actually for a ready-to-buy bundle of profiles pooled together for political targeting and electoral influence. This sort of egregious activity shouldn’t have been allowed to happen, let alone with the profiles, locations and political leanings of millions of non-consenting people.
The GDPR’s chief aim is for businesses to take better governance and more accountability of personal data so this can’t happen. For the consumer, it gives them more control over who has their data and how they use it; more clarity with the companies they consent to. If a European company had a data breach, for example, not reporting it to an authority or taking measures to protect the data would result in potentially substantial fines for the business. At the very least, companies will have been made to address their posture on security, and whether more could be done to protect user data and prevent breaches.
What Makes a Company Compliant and the Consumer Content?
For a company to be compliant with GDPR, they must assess the user data they have and ensure its use is permitted. Ultimately, that means getting the consent of every user. Under the regulation, it’s their right to opt-in – meaning all contacts must give their permission to share their data. The onus is on the business to be able to prove that consent was actually given. That means no soft opt-ins. The use of disclaimers as tacit or implied consent is no longer sufficient – now it requires total permission, in the form of signing a consent form, clicking an ‘opt-in’ button or link, responding to an email request or through several other methods.
Users also maintain the right to opt-out or be forgotten, though this needs to be much easier than it has been previously. Some companies would use the snide method of hiding the unsubscribe feature in some hard-to-reach nook on their site. This often led to jumping through hoops or even giving up in some cases. Opting out should be as easy as opting in. Businesses should also consider how long they’ve had a user on file, how responsive they’ve been in that period, and whether further consent should be acquired before contacting them with information about promotions or new services.
Another stipulation of the GDPR is that an organization must report breaches of personal data, and within 72 hours where possible. Not doing the duty or attempting to cover up any failures now comes with a tangible punishment. Transparency with the supervisory body could mean avoiding hefty fines and preventing a further breach. For the users themselves, knowledge of the breach gives them time to protect their accounts and change their passwords and bank information.
Enforcement and Penalties
Of the 64,000 investigations that were upheld, around EUR 56 million (approx. $63 mil) has been garnered so far in fines, most of it from a notice France’s national data protection authority, CNIL, issued Google. For what they deemed to be a lack of transparency about how it uses data for personalized ads, Google was footed with a EUR 50 million bill, which it’s fighting.
There are few countries like Slovakia that are yet to issue a fine. Austria has only issued minor fines ranging from EUR 300 to around 5000, and offenses come with one free pass. Countries like Spain and Portugal have hit firms with fines in the hundreds of thousands, as has Poland.
The UK’s ICO had to deal with thousands of investigations but didn’t uphold any rulings until just after a year of the GDPR. Now, it intends to hit hotel chain Marriott International, Inc with more than GBR 99 million in fees for a massive breach of more than 339 million global guest records. It also intends to sue British Airways for a massive GBR 183.39 million due to compromising the information of 500,000 passengers. Like other large organizations, both Marriot and BA are appealing.
The worst seems yet to come for US tech giants. Facebook, Google, and Apple are all fighting several legal battles with the GDPR’s enforcer, the Irish Data Protection Commission. The GDPR fines can range from EUR 20 million to four-percent of a company’s global fiscal turnover for the previous year, which could prove costly. Though Google makes the same amount it was fined by France in about three hours, they might feel the blow with this one. The company faces more than a $5 billion fine based on their 2018 revenue. Facebook, having already paid a minor $644,000 for their involvement in the Cambridge Analytica scandal, could be charged over $2 billion for a data breach on the Facebook and Instagram platforms. Apple is facing three battles with the IDPC at a potential cost of $2.5 billion.
The difference with these companies and why the reparation costs could be so high is that they’re essentially infused with our lives. The fallout from data breaches or the mishandling of personal data with companies like Apple and Google, whom we already place too much trust in with our privacy, can be far more severe.
Some organizations are struggling to hit compliancy and are paying the full price for it. In all fairness, with such a new system, hitting between the goal posts probably isn’t all that easy when they’re still being ironed out. But as it stands, it’s only really major organizations taking the brunt of the focus – the ones that hold important, personal data on, in some cases, millions of people. The GDPR is here to stay, though, and it seems to be setting an example to nations worldwide.
Shortly before the GDPR’s rollout, on January 3, 2018, California introduced CCPA, the California Consumer Privacy Act. It’s a bill that, like the GDPR, established greater privacy and consumer rights. Six other states, including Washington, have also rolled out their own GDPR-style data-protection acts, and there’s a push to put this into federal legislation. Countries like Australia, Thailand and the Philippines also have their own.
The Takeaway Message
Regulation is essential when it involves personal data. It’s never good to see governments weighing in on issues relating to internet freedom – like the EU’s most recent copyright directive, or Ajit Pai’s net neutrality law which, thankfully, was buried in 2018 – but this is legislation that gives users more control of their own data. Sadly, companies were able to take advantage with data this long partly because of ignorance or lack of understanding on how they would use it and what we were signing over in the first place. Now’s a perfect time for users to become educated. The GDPR acts as a great framework for businesses but it is for users too. Understanding why a company wants your personal data and what they intend to use it for should become common practice when using new websites and committing to new services.