General Data Protection Regulation one year on: what next?

Posted on Jun 7, 2019 by Glyn Moody

A previous post discussed what has happened in the world of the GDPR during its first year. Although only a few rulings have been handed down, there are many legal complaints working their way through the system that could have important implications for the EU. And far beyond, too, as more countries consider bringing in privacy laws drawing directly on the GDPR’s ideas. Despite that growing influence, a number of commentators have taken a very negative view of the GDPR’s first year. Representative of these is an article on CNBC, which summarizes the frustrations some people feel with the GDPR:

Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it’s unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.

Those are valid points, and it is worth considering them in turn. The pop-up privacy notices are indeed annoying. But as this blog noted in the previous article, the French authorities have already fined Google 50 million euros for its use of “forced consent”, whereby visitors either accept the pop-up privacy notice, or can’t use the site. If other data protection authorities impose their own fines, the practice will soon die out in the EU. Another case working its way through the top EU court looks at a related question, that of pre-ticked checkboxes. One of the top EU court’s advisers has recommended that the Court of Justice of the European Union (CJEU) should rule that pre-ticked options are not valid. The CJEU is not obliged to follow the advice, but generally does.

These are both examples of the data protection authorities seeking to improve the way that visitors to sites grant or refuse permission for their personal data to be gathered. It’s not right yet, but it is unreasonable to expect that the first comprehensive digital privacy law in the world would be able to sort out complex problems instantly. As happens elsewhere, in the EU the basic principles are laid down in the main law, and then cases brought to courts in the region gradually define the exact contours of the legislation. That is now happening.

Similarly, the fact that huge fines have not yet been levied – under the GDPR, a company can be fined 4% of its global turnover – is a feature, not a bug. It would be irresponsible for the data protection authorities to impose big penalties immediately. Companies need to be given time to get things right. The law is new and complex, and it takes much work to understand and properly implement. Moreover, if big fines are imposed without a grace period for companies to sort out problems it is more likely that they will be overturned on appeal as being unfair. In some EU member states, the local authorities have issued few fines under the GDPR, if any, either because they are still setting up their departments, or because they have not passed the relevant national legislation. That will change soon.

Moreover, the French data protection authority has said that the period of “relative tolerance” is now over, and that it would soon be auditing “well-known companies” to check for compliance. In the German region of Brandenburg, a similar approach has been adopted. The Data Rainbox site reported that the local data protection authorities felt that a “conversion phase” would be more effective than the immediate imposition of fines. However, the region’s data protection officer Dagmar Hartge said that the region would “make use of them in the future”.

Similarly, the data protection authorities in the UK and Ireland have indicated that they will be stepping up their enforcement of the GDPR. Ireland is a particularly important player in the GDPR world, because most of the world’s largest online companies have their EU headquarters there. In its annual report on the first year of the GDPR, the Irish Data Protection Commission (DPC) wrote:

in 2018 the DPC opened inquiries into data-processing activities of Facebook, Apple, Twitter, LinkedIn, WhatsApp and Instagram, looking at issues ranging from large-scale data breaches to legal bases for processing to transparent presentation to users. All these inquiries should reach the decision and adjudication stage later this year, and it’s our intention that the analysis and conclusions in the context of those inquiries will provide precedents for better implementation of the principles of the GDPR across key aspects of internet and ad tech services.

The head of the DPC says there are 19 statutory inquiries into big tech companies, out of 54 preliminary investigations that her office is conducting. That’s a massive amount of work for one data protection authority, and does indeed raise questions about whether the EU bodies tasked with enforcing the GDPR have enough staff. The answer is almost certainly that they don’t, but they are staffing up:

Following a major recruitment campaign in 2018, 30 new staff had joined the DPC by the end of December, with a further 20 coming on board in January 2019, so that the DPC has grown to 135 staff. We will recruit an additional 30 staff this year in order to meet the demands of the tasks assigned under the GDPR.

There is one other important criticism of the GDPR. As Politico says, there is evidence that the very largest Internet companies are learning to live with, or even game, the GDPR system, while smaller companies struggle with the bureaucracy.

Complaints about the latter don’t have much weight – all regulations lead to some bureaucracy, and naturally companies don’t like it. But that’s just the price they pay for operating in these markets. The issue of the bigger players is more serious. But the problem is not the GDPR, but the microtargeted advertising that Facebook and Google routinely use on a massive scale. That’s something this blog has warned about before. Fortunately, it, too, is the subject of a GDPR complaint that asks the authorities to rule that real-time bidding is itself an infraction of the GDPR.

In other words, it’s likely the problems that many see as showing the GDPR as something of a failure can all be solved. But it takes time for the authorities and courts to rule on these matters – rightly so, since the rulings could well re-shape just about every aspect of today’s online business ecosystem. Nobody wants that rushed, so perhaps people should be more patient.

Featured image by Pete Linforth.