Last month marked the one-year anniversary of the European Union's General Data Privacy Regulation, or GDPR. Since then, California and New York State have created similar bills aimed at protecting the privacy of their citizens. Nevada has recently enacted a narrow privacy law. Meanwhile, privacy is dead.
Long Live Privacy!
While privacy legislation seems like common sense in the surveillance economy, where unimaginatively intrusive data tracking and compiling is commonplace, even the GDPR's strongest proponents say the launch of the EU's much vaunted privacy protections was pretty rocky. While California has passed similar strict legislation, it does not take effect until 2020, and as regulations required for its implementation are being promulgated, there is enormous pressure being brought to bear by various business and industry lobbying groups to water it down. New York's Privacy Act might up the ante for no-can-do in the realm of who-are-you with even more stringent prohibitions than put in place by California's Consumer Privacy Act (CCPA).
At this anniversary time, it's worth looking at what has and hasn't worked in Europe.
The Good, the Bad, or the Woefully Ineffective?
Looking at the numbers released by the EU, familiarity with the law itself has been one of its greatest successes: Sixty-seven percent of Europeans have heard of the GDPR, and there were 144,376 queries and complaints reported in its first year. Add to these impressive figures the 89,271 data breach notifications issued, and it's clear that despite its flaws, the law successfully addresses a set of problems that a more scattershot approach (with multiple statutes enacted by different EU member states) was unable to achieve.
Where the GDPR comes up short is enforcement: While the law includes fines for the mishandling of data for up to 4 percent of a company's annual global revenue, the actual numbers so far have been underwhelming. Far from preventative, they almost encourage bad cybersecurity. Take Google. The company was fined €50 million (roughly $57 million) for lack of consent on advertisements--not a big number for them--and this fine comprised the bulk of the €56 million of fines levied in total.
Needless to say, for Google a fine of this nature would be an acceptable cost of doing business in the EU.
It is anticipated that heavier fines will be placed on companies under the GDPR going forward, Facebook most likely being the poster child, but the message so far is clear: Fines need to hurt if the goal is the deterrence of poor data practices.
The Biggest Issue
By far the largest flaw in the GDPR has been a lack of clarity caused by poor communication.
Even though 67 percent of Europeans have heard of the GDPR, only 20 percent know which public authority is responsible for it. Misinformation combined with the requirement for 72-hour breach notification set off a deluge to the U.K. data privacy regulator in 2018. One-third of those calls involved incidents well below the GDPR's threshold. Misconceptions about what exactly was required under the law were so widespread that the Irish Data Protection Commission actually blogged about whether taking pictures of one's children at a school event is permissible. (It is.)
Corporations have also struggled with what many perceive as the law's ambiguity. Under the GDPR, "companies processing large amounts of special categories of personal data" are required to hire a data protection officer, or DPO, to ensure compliance. The problem is that the law doesn't specifically define what "large amounts" are, and although the DPO is required to have "expert knowledge of data protection law," there is no set definition for what qualifies as an expert, either. It's a great idea to have someone at large corporations ensuring the careful and lawful handling of customer data, but the implementation is ill-defined by the GDPR, which could make a DPO's job awkward or downright impossible.
The kinds of confusion caused by the GDPR seem contagious, and that's just the nature of the beast. There are many stakeholders in the privacy racket, and they are often vigorously at odds with one another.
The privacy laws in the U.S. will be more of the same. The best innovation when it comes to the GDPR was that it created one law instead of a patchwork that might change the moment you crossed a border. While New York and California should be applauded for taking steps to protect the privacy and data of their citizens, having multiple sets of requirements for websites and businesses alike (as we have witnessed with more than 50 U.S. jurisdictions' having individual and not necessarily complementary breach notification laws) will necessarily lead to widespread difficulty in their implementation and accessibility.
Perhaps the most important takeaway for any state wishing to mirror the data protections of the GDPR is that in order to be privacy-friendly and consumer-friendly, the application of the law itself should at least try to be user-friendly, too. Too many differences run the risk of any and all of these laws' being accept gnats to be clicked away when we visit our favorite websites--and that is a giant fail.
Laws are supposed to solve problems, and keep others from happening. When it comes to privacy, we have a long way to go.