More than a year ago, the EU approved the most stringent online privacy regulation yet—the GDPR, or General Data Protection Regulation. The GDPR seeks to protect the data of EU citizens and restrict how businesses can access that information. However, like other EU regulations, the GDPR is still being slowly adopted by member states and thus has not had an immediate, game-changing impact. But one thing is guaranteed: both the Cambridge Analytica scandal in the US and the GDPR’s implementation in the EU have shifted the meaning of data privacy, from something not to think about to a right to be claimed.
In 2016, the EU Parliament approved what was bound to make the EU the leading international voice on online regulation. Last year, the GDPR was finally enforced. The new legislation replaced the previous Data Protection Directive 95/46/EC, passed in 1995. The Internet had changed substantially since the 90s; the EU had to change with it. In the early 90s, users did not pour all their personal information online (they were wary of scams), nor did companies do business by selling that data. Now, they do.
The argument was simple. Anyone browsing pages on the Internet, asking questions on Google, or sharing their political opinions on Facebook would assume their activities remained private. But in reality, every single page they visited and every tech platform they used was recording that information, storing it without the user’s explicit knowledge or informed authorization, and selling it for advertising. Shortly before the EU enforced the GDPR, news broke that the data analytics firm Cambridge Analytica had used millions of Facebook profiles to influence American voters in the 2016 presidential election. Soon, a movement called #DeleteFacebook started trending on Twitter, and many followed suit. According to a survey by the Pew Research Center, 26% of respondents deleted the Facebook app from their cellphone. Tech companies were profiting off the intimate data individuals shared online. The GDPR in the EU was meant to control it.
Through the GDPR, the EU aims to unify data privacy laws—the GDPR is a binding regulation, which member states must adopt—and to give individuals control over their own data. It defines businesses that use personal information as ‘data controllers’ and makes them responsible for implementing measures that protect personal information, such as anonymization. Under the GDPR, companies must also report data breaches within 72 hours, disclose any attempt to collect data, inform the individual of how the company will use the information, and obtain the individual’s explicit and informed consent before processing personal data. If ‘data controllers’ do not comply, the GDPR provides for fines of up to 4% of a company’s global revenue or 20 million euros—a lot of money.
Although a year has gone by, it is still too early to evaluate the consequences of the GDPR’s implementation. What we can say is that the GDPR has not dramatically changed the user experience. All the efforts to give users control over the information they share have not revolutionized the Internet, but they have increased the number of times users click “I agree.” Instead of browsing uninformed, users now click through several consent boxes and browse, supposedly, informed.
For companies, the GDPR has meant thousands of euros invested in compliance departments and a growing worry over possible fines. But in the first year, there have not been that many. Some countries are still trying to embed the GDPR into their national laws; others have fined companies for data privacy issues, but not under the GDPR. The largest fine so far was imposed on the tech behemoth Google in Paris: 50 million euros for data privacy breaches.
However, neither the fines nor the control of information has been the most significant success of this one-year-old law. Its signature achievement has been awareness. On the one hand, under the GDPR, companies have to report all data breaches. For example, the UK Information Commissioner’s Office announced in December 2018 that it had received more than 8,000 reports of data breaches. On the other side of the pond, where the GDPR does not apply but still has a small impact, Facebook announced it would prioritize private messaging over public sharing, a response to the data scandals the company has had to navigate (read Say goodbye to Facebook’s public agora). On the other hand, individuals are now aware of the importance of their data, with some deleting social media and all having to consent before sharing their information. The GDPR also provides for the right to revoke that consent at any point.
In the United States, legislation to protect data privacy has yet to be passed; political candidates and elected officials have proposed antitrust regulation against the major tech companies, and the US Justice Department has just started an antitrust investigation into Google. It remains to be seen whether any of these proposals bear fruit. But what is clear is that companies can no longer use personal data and remain unsupervised—the state on both sides of the Atlantic has just begun its fight against the tech giants.
For additional information on GDPR, watch the following Wall Street Journal video.