By Omer Tene, Vice President and Chief Knowledge Officer at the International Association of Privacy Professionals.
Over the last couple of weeks, policymakers, regulators and industry took count of the first year of application of the GDPR, General Data Protection Regulation. Without a question, GDPR has had an enormous impact on policymaking and compliance professionals around the globe. It has spawned legislative activity not only in Brazil and India but also in the United States.
It has motivated the appointment of hundreds of thousands of data protection officers (DPOs) and catalyzed an industry of privacy program management and data protection compliance tools. But did GDPR achieve its stated purposes, that is, enhance privacy protection for Europeans and harmonize and simplify laws across the block’s 28 Member States? The answer is unclear and the jury is still out on GDPR’s success.
A Year On After The GDPR
Ahead of the regulation’s one year anniversary, regulators reported the first 12 months featured a frenzy of compliance activity: hundreds of thousands of complaints, tens of thousands of data breach notifications, and hundreds of thousands of registrations of DPOs.
But surely, complaints and notifications for their own sake are not the ultimate goals of data protection laws. So, importantly, we must explore whether GDPR has effected a change in organizational data practices. Has it advanced privacy rights for individuals in Europe compared with those in the U.S. and the rest of the world? And does it, in fact, level the playing field for organizations across Europe, harmonizing not just data protection on the books but also on the ground?
Reasonable minds can differ but first indicators give pause. First, critics still wonder about GDPR’s effect on underlying corporate data practices and, consequently, on individuals’ privacy. For consumers, the hallmark of the regulation has been an avalanche of privacy notices, banners and emails. But is less data collected about individuals? And are individuals feeling greater trust in the digital economy? Do companies place fewer cookies? Do they send less marketing emails?
Do users opt out more of online and mobile tracking? Have data brokers curtailed their activities in Europe? Critics who have railed against what they dubbed “surveillance capitalism” claim that as long as programmatic advertising and real-time bidding fuel the Internet economy, GDPR falls short of its promise. Other observers point out that GDPR is much more nuanced, with provisions permitting “legitimate interest” based processing and broad carve outs for data research.
Second, the GDPR may have had a disparate impact on different businesses. Although worded with some of the largest, US-based technology firms in mind, GDPR also applies to a broad swath of European based small and medium-sized enterprises (SMEs). This takes a toll on smaller businesses across the continent. Moreover, with limits on data sharing among companies, GDPR could tip the scale of the competitive landscape in favour of the very companies it meant to rein in.
These companies – known in the market as formidable “first parties” – already control all the data they need. More economic analysis is needed to study the effect of GDPR on European competition, entrepreneurship and innovation.
Third, the GDPR includes explicit legislative derogations allowing Member States to diverge on issues ranging from the age of consent to the definition of sensitive data. Inconsistent interpretations by national and state supervisory authorities could increase pressure on the nascent one-stop-shop mechanism and the role of the European Data Protection Board.
Some regulators, like Ireland’s Data Protection Commissioner, the French CNIL, or the UK Information Commissioner, have been prolific in launching high impact investigations and are reportedly on the cusp of concluding major enforcement actions. Other DPAs have been more muted. It remains to be seen whether GDPR will, in fact, deliver on its promise of harmonization or result once again in European fragmentation with potentially conflicting laws.
Many other issues remain unresolved. For example, while GDPR introduces extensive long-arm jurisdiction, very few non-EU companies appointed EU representatives, as required to enable enforcement under the law. Moreover, after a year of frantic preparations, where companies focused on documenting data flows, setting forth policies and contracting with vendors, it is time to advance to the next stage of implementation, which includes actually managing data through privacy technology tools.
As we look forward to the next years of GDPR implementation, policymakers, researchers and practitioners will assess the success of the regulatory framework according to its ability to advance these privacy, harmonization and macroeconomic goals.
If you would like to have your company featured in the Irish Tech News Business Showcase, get in contact with us at [email protected] or on Twitter: @SimonCocking
More about Irish Tech News
Irish Tech News are Ireland’s No. 1 Online Tech Publication and often Ireland’s No.1 Tech Podcast too.
You can find hundreds of fantastic previous episodes and subscribe using whatever platform you like via our Anchor.fm page here: https://anchor.fm/irish-tech-news
If you’d like to be featured in an upcoming Podcast email us at [email protected] now to discuss.
Irish Tech News have a range of services available to help promote your business. Why not drop us a line at [email protected] now to find out more about how we can help you reach our audience.
You can also find and follow us on Twitter, LinkedIn, Facebook, Instagram, TikTok and Snapchat.