
GDPR at 4: the Good, the Bad and the Ugly

by Bill Mew
June 3, 2022
in Data Protection

I have written several recent opinion pieces reflecting on the fourth anniversary of the European General Data Protection Regulation (GDPR). I wanted to summarise them here for the readers of Elnion.

Much of the commentary from me and others has been somewhat negative, pointing out what has not worked – and there is plenty that has not. However, we should remember that prior to GDPR there was limited general awareness of the importance of privacy, little recognition by organisations that they needed to take it seriously and an assumption by many that privacy was simply too complicated or intangible to be regulated at all.

The Good

With this hindsight in mind, it is obvious that we have come a long way: there is now broad awareness of privacy, almost all organisations now take it seriously, and GDPR has not only been in force for four years but has spawned many other privacy regulations elsewhere – from CCPA in California and POPI in South Africa, to LGPD in Brazil and countless further regulations in other nations or US states. This is no small achievement.

Unfortunately, GDPR has come in for much criticism. This has either been a reaction to the cost and inconvenience of compliance, or it has been frustration at the way that it has been applied or enforced.

“Inhibiting innovation: All pain, no gain”

Bill Mew (from Four years on: What have we learned from GDPR? in Accounting Web)

Many commentators, myself included, have railed against the cost and inconvenience of GDPR compliance. My personal mantra has always been to seek the right balance between meaningful protection (digital ethics, privacy and cybersecurity) and the maximisation of economic and social value (cloud, digital transformation and innovation).

It can be argued however that we currently have the worst of both worlds – there is little in the way of meaningful protection, given the lack of enforcement (which I will come on to). And at the same time, we are inhibiting innovation, with many startups opting either to base themselves outside the EU in order to avoid the overhead that GDPR represents or struggling to thrive within the EU while at a disadvantage to overseas rivals.

To a great extent, such complaints can be overstated. ALL organisations that value their customers and their own reputation should not only have adequate data management processes in place, but should also have an organisation-wide culture of respecting both privacy and cyber hygiene (and with it cybersecurity). It is only those organisations that lack a ‘privsec’ culture that incur what they would see as ‘extra’ cost when it comes to compliance. That is not to say that the burden could not be eased for start-ups to help foster innovation – with the clear emphasis that they should be getting their act together anyway, because the rules will apply to them fully at some point if they succeed in growing at all.

The Bad

“Regulation without enforcement is not just pointless, it’s counterproductive” and “Fines add cost but are a lagging indicator of misfortune rather than misbehaviour”

Bill Mew (both quotes again from my article in Accounting Web)

GDPR’s greatest failing has not been down to the regulations themselves, but to their enforcement. As I explain in detail in my articles for Accounting Web and for Commvault, most of the responsibility for regulating the tech giants has fallen to the Irish regulator – the Irish Data Protection Commission (DPC). This is because most of the large tech firms, attracted by the country’s low corporation taxes, have chosen to base their European headquarters in Ireland.

Four years on: What have we learned from #GDPR?

On GDPR's 4th anniversary @BillMew highlights its many failures and main success https://t.co/poxDo8Wyua @AccountingWEBuk @dhinchcliffe @rwang0 @robmay70 @NigelTozer @AkwyZ @TylerCohenWood @pettet50 @sarbjeetjohal @dez_blanchfield pic.twitter.com/hqVJkcMqbV

— Bill Mew #Tech4Good #Privacy #Cybersecurity 🇺🇦 (@BillMew) May 30, 2022

Reluctant to rock the boat, the Irish DPC has almost entirely failed to enforce GDPR on firms like Google and Facebook that not only have business models focused on exploiting data, but that have also been accused of being among the most flagrant abusers of people’s privacy. Whatever the merits of such accusations, it is the DPC’s job to investigate and where necessary to take action.

Even in major instances where the highest European courts have ruled against such firms, as was the case almost two years ago for Facebook in the Schrems II ruling, the Irish DPC has yet to enforce those rulings. Indeed, such is the DPC’s failure to enforce GDPR that it has even been sanctioned by the European Parliament – in a vote of 541 to 1.

#GDPR’s Fourth Anniversary: Time to Celebrate, Commiserate or Learn? https://t.co/ipBKJGKrtt #CommvaultInfluencer @Commvault #Privacy #CyberSecurity @dez_blanchfield @drjdrooghaag @robmay70 @NigelTozer @rwang0 @yuhelenyu @AkwyZ @TylerCohenWood @pettet50 @sarbjeetjohal @imoyse pic.twitter.com/j7JNlrfKRe

— Bill Mew #Tech4Good #Privacy #Cybersecurity 🇺🇦 (@BillMew) May 24, 2022

It is notable that in the latest European regulation on content moderation, there has been a move towards central enforcement, to avoid the scenario where a local enforcement organisation such as the Irish DPC is ineffective.

The Irish DPC’s complaint that it is under-resourced rings hollow. It may well have a far lower budget than Facebook or Google spend on their lobbying or legal activities, but this has not prevented other local Data Protection Authorities (DPAs) from ruling against these giants.

Indeed, such has been Facebook’s success in holding off enforcement, even of the Schrems II ruling, that some firms now see an actual business case for non-compliance. The Irish DPC has been accused not only of being complicit, but even of being potentially corrupt in the way that it has failed to act.

The Ugly

While changes to the regulations themselves to encourage innovation, or to the enforcement regime to hold Big Tech to account, are actions that the EU could take to improve GDPR, there is one major issue that is entirely beyond its control – the schism between the EU and US.

There is an ideological gulf between the EU’s prioritisation of privacy as a human right and the US’s prioritisation of surveillance for national security. It has already led to the demise of both Safe Harbor and Privacy Shield (note the Schrems II ruling) and will dog attempts to implement any replacement.

The recent announcement of a new transatlantic agreement lacked much in the way of substance or legal merit. Its claim that it would be supported by presidential executive orders is of great concern, as these are easily reversed and have little legal foundation. Introducing real measures for adequate judicial supervision in the US would require legislation. Unfortunately, complete gridlock in Congress has made it impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass.

We shan’t be holding our breaths for any federal privacy law, let alone one that might resolve the concerns on this side of the Atlantic.

#Privacy campaigners @maxschrems and @BillMew warn of legal challenge against #PrivacyShield enhancements #SchremsIII on the cards unless negotiators protect better oversight of US data access requests, @TheRegister https://t.co/VQBaNkxF81 @dez_blanchfield @pettet50 @rwang0 @DT pic.twitter.com/CqP3BfhSfv

— Bill Mew #Tech4Good #Privacy #Cybersecurity 🇺🇦 (@BillMew) May 26, 2022

The most that we can probably do is seek as much harmony as possible on either side of the Atlantic divide, with as much alignment as possible between the EU and UK versions of GDPR, and with regulation at the federal level in the US at some point in the future to align the proliferation of state-by-state privacy laws.

I am an optimist – hence my ability to recognise the ‘Good’ where many others have not. I also believe that the ‘Bad’ can be addressed eventually if the Irish DPC can be forced to act (or failing that can be bypassed). I have less confidence that the ‘Ugly’ will be addressed any time soon.

© 2022 Elnion - A subsidiary of Sociaall Incorporated.