General Data Protection Regulation one year on: what has it done?

Posted on Jun 1, 2019 by Glyn Moody

A year ago, arguably the most important event in the recent history of privacy occurred: the EU’s General Data Protection Regulation (GDPR) started to be enforced. To mark that anniversary Privacy News Online will look at what the GDPR has achieved in its first 12 months, and what is likely to happen next.

The GDPR is a long, complex text, usefully summarized in a short guide from Access Now. The European Data Protection Board, which works to ensure the consistent application of data protection rules throughout the European Union, and encourages cooperation between the EU’s national data protection authorities, has released some statistics about the GDPR’s first year. There have been over 144,000 queries and complaints, and over 89,000 data breaches have been logged, of which 63% have been closed and 37% are still underway. The vast majority of these queries and complaints are minor, with few if any broader implications. Major GDPR fines, too, have been limited. However, as Privacy News Online has previously reported, there have already been some very significant GDPR moves that will shape the regulatory environment in the EU and beyond.

For example, just six minutes after the enforcement of GDPR began on 25 May last year, the Austrian data protection authority received the first complaint under the new law, from the privacy expert Max Schrems. It concerned the use of “forced consent” by Google and Facebook. This refers to the practice of offering two basic choices to users of an online service: agree to be tracked for the purposes of serving up ads, or be thrown off the service. That case is still being considered, but clearly could have a major impact on how online services operate.

In September, a formal complaint was submitted to the data protection authorities in the UK and in Ireland, asking them to investigate the use of real-time bidding systems by Google and other ad-tech companies. The complaint was recently widened to include four more countries. Real-time bidding lies at the heart of today’s automated advertising systems, so a ruling against Google and the other ad-tech companies would have massive repercussions.

At the end of 2018, the UK-based digital rights group Privacy International filed GDPR complaints against data brokers (Acxiom, Oracle), ad-tech companies (Criteo, Quantcast, Tapad), and credit referencing agencies (Equifax, Experian) with data protection authorities in France, Ireland, and the UK. Again, a victory here would force a radical change in the way people advertise. The same month, seven consumer organizations from across Europe filed GDPR complaints against Google with their national data protection authorities. They accuse Google of “using deceptive design and misleading information, which results in users accepting to be constantly tracked”.

In February of this year, the first big GDPR fine arrived, as a result of the Max Schrems complaint. Google was ordered to pay 50 million euros by the French data protection authorities. At the same time, Schrems filed another eight complaints against top online streaming services: Amazon Prime, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube. At issue is the new “right to access” granted by the GDPR.

Recently, the local German data protection authority in Bavaria issued an important ruling against Facebook. Kristin Benedikt, head of the Internet division at the Bavarian Data Protection Authority, explained the problem to the German online site Netzpolitik:

When an online pharmacy or an online sex shop shares their customer list with Facebook, we cannot rule out that this reveals sensitive data. The same applies when someone visits the online shop of a political party or subscribes one of their newsletters. In all of these instances custom audiences reveal granular insights. Facebook adds this information to existing profiles and continues to use it, without notifying users or giving them a chance to object.

Moreover, Benedikt believes the ruling also applies to two arguably even more important aspects of Facebook: Lookalike Audience and the Facebook Pixel. Lookalike Audience allows advertisers to reach people with similar Facebook profiles to those in their own databases. The Facebook Pixel is an invisible single-pixel that is placed on a Web page to track visitors to that and other sites, and thus build up detailed profiles by consolidating information about them on Facebook’s main database. Benedikt said:

In our opinion usage of the pixel method also requires user consent in order to be permissible. Data processing under the pixel method is particularly extensive, tracking users across different websites and devices. This also applies to non-Facebook users. For users visiting a website tracking is neither expectable nor recognizable. Only those who are technically sophisticated can detect data processing in the background. This is neither transparent nor does the user have a real choice here.

Although this is a local German decision, it is likely that other EU authorities will look at the issue and rule in a similar way if cases are brought in their jurisdictions. If confirmed, it would drastically affect Facebook’s business in the EU.

A little-noticed GDPR ruling in Poland could also have a major impact. It concerns the European digital marketing company Bisnode, which gathers information about people from a wide variety of sources. The Polish data protection agency ruled that it could not re-use information in this way without individually contacting everyone concerned. Bisnode argued that this would be an disproportionate burden on the company, since it would cost millions of euros to carry out. A local newspaper report on the case suggests that the company will appeal against the 220,000 euro fine, and delete records of people that it cannot easily contact. If upheld, this ruling would make the practice of data-scraping much more expensive in the EU.

The introduction of the GDPR has had other, rather unexpected, applications. For example, Prince Harry’s lawyers invoked the GDPR to argue that a helicopter taking pictures inside his home had invaded his privacy. Meanwhile, in Romania, the GDPR was used for a less welcome purpose: to demand information about sources from an investigative journalist. That’s certainly not what those who drew up the GDPR had in mind, but it’s inevitable that people will try to abuse new powers when they become available.

As the above indicates, there have been many interesting developments in the world of the GDPR during its first twelve months, with rulings that have been made, and others still under consideration. Next week’s post will explore what is likely to happen in the GDPR’s second year.

Featured image by Pete Linforth.

VPN Service