I have written several recent opinion pieces to reflect on the fourth anniversary of the European General Data Protection Regulations (GDPR). I wanted to summarise them here for the readers of Elnion.
Much of the commentary from me and others has been somewhat negative, pointing out what has not worked – and there is plenty that has not. However, we should remember that prior to GDPR there was limited general awareness of the importance of privacy, little recognition by organisations that they needed to take it seriously and an assumption by many that privacy was simply too complicated or intangible to be regulated at all.
The Good
With this hindsight in mind, it is obvious that we have come a long way: there is now broad awareness of privacy, almost all organisations are now taking it seriously, and GDPR has not only been in force for four years now but has spawned many other privacy regulations elsewhere – from CCPA in California and POPI in South Africa, to LGPD in Brazil and countless further regulations in other nations or US states. This is no small achievement.
Unfortunately, GDPR has come in for much criticism. This has either been a reaction to the cost and inconvenience of compliance, or it has been frustration at the way that it has been applied or enforced.
“Inhibiting innovation: All pain, no gain”
Bill Mew (from Four years on: What have we learned from GDPR? in Accounting Web)
Many commentators, myself included, have railed against the cost and inconvenience of GDPR compliance. My personal mantra has always been to seek to strike the right balance between meaningful protection (digital ethics, privacy and cybersecurity) and the maximisation of economic and social value (cloud, digital transformation and innovation).
It can be argued, however, that we currently have the worst of both worlds – there is little in the way of meaningful protection, given the lack of enforcement (which I will come on to). And at the same time, we are inhibiting innovation, with many startups opting either to base themselves outside the EU in order to avoid the overhead that GDPR represents, or struggling to thrive within the EU while at a disadvantage to overseas rivals.
To a great extent, such complaints can be overstated. ALL organisations that value their customers and their own reputation should not only have adequate data management processes in place, but should also have an organisation-wide culture of respecting both privacy and cyber hygiene (and with it cybersecurity). It is only those organisations that lack a ‘privsec’ culture that incur what they would see as ‘extra’ cost when it comes to compliance. That is not to say that the burden could not be eased for start-ups to help foster innovation – with the clear emphasis that they should be getting their act together anyway, because the rules will apply to them fully at some point if they succeed in growing at all.
The Bad
“Regulation without enforcement is not just pointless, it’s counterproductive” and “Fines add cost but are a lagging indicator of misfortune rather than misbehaviour”
Bill Mew (both quotes again from my article in Accounting Web)
GDPR’s greatest failing has not been down to the regulations themselves, but to their enforcement. As I explain in detail in my articles for Accounting Web and for Commvault, most of the responsibility for regulating the tech giants has fallen to the Irish regulator – the Irish Data Protection Commission (DPC). This is because most of the large tech firms, attracted by the country’s low corporation taxes, have chosen to base their European headquarters in Ireland.
Reluctant to rock the boat, the Irish DPC has almost entirely failed to enforce GDPR on firms like Google and Facebook that not only have business models focused on exploiting data, but that have also been accused of being among the most flagrant abusers of people’s privacy. Whatever the merits of such accusations, it is the DPC’s job to investigate and where necessary to take action.
Even in major instances where the highest European courts have ruled against such firms, as was the case almost two years ago for Facebook in the Schrems II trial, the Irish DPC has yet to enforce such rulings. Indeed, such is the DPC’s failure to enforce GDPR that it has even been sanctioned by the European Parliament – in a vote of 541 to 1.
It is notable that in the latest European regulation on content moderation, there has been a move towards central enforcement, to avoid the scenario where a local enforcement organisation such as the Irish DPC is ineffective.
The Irish DPC’s complaint that it is under-resourced rings hollow. It may well have a far lower budget than Facebook or Google spend on their lobbying or legal activities, but this has not prevented other local Data Protection Authorities (DPAs) ruling against these giants.
Indeed, such has been the success that Facebook has had in holding off enforcement, even of the Schrems II ruling, that some firms now see an actual business case for non-compliance. The Irish DPC has been accused not only of being complicit, but even of being potentially corrupt in the way that it has failed to act.
The Ugly
While changes to the regulations themselves to encourage innovation, or to the enforcement regime to hold Big Tech to account, are actions that the EU could take to improve GDPR, there is one major issue that is beyond its control entirely – the schism between the EU and US.
There is an ideological gulf between the EU’s prioritisation of privacy as a human right and the US’s prioritisation of surveillance for national security. It has already led to the demise of both Safe Harbor and Privacy Shield (note the Schrems II ruling) and will dog attempts to implement any replacement.
The recent announcement of a new transatlantic agreement lacked much in the way of substance or legal merit. Its claim that it would be supported by Presidential executive orders is of great concern, as these are easily reversed and have little legal foundation. Introducing real measures for adequate judicial supervision in the US would require legislation. Unfortunately, complete gridlock in Congress has made it impossible to introduce any federal privacy law. Adding the need for additional measures to keep the EU happy would make any such legislation even more difficult to pass.
We shan’t be holding our breath for any federal privacy law, let alone one that might resolve the concerns on this side of the Atlantic.
The most that we can probably do is seek as much harmony as possible on either side of the Atlantic divide, with as much alignment as possible between the EU and UK versions of GDPR, and with regulation at the federal level in the US at some point in the future to align the proliferation of state-by-state privacy laws.
I am an optimist – hence my ability to recognise the ‘Good’ where many others have not. I also believe that the ‘Bad’ can be addressed eventually if the Irish DPC can be forced to act (or failing that can be bypassed). I have less confidence that the ‘Ugly’ will be addressed any time soon.