The EU’s General Data Protection Regulation is approaching the fourth anniversary of its entry into force in May 2018. Since its inception, it has been hailed as a groundbreaking framework for treating users’ rights on the Internet as human rights. Its impact on many other markets has been undeniable, and it has genuinely changed how the Internet works, even outside EU borders. As fantastic as that sounds, the GDPR hasn’t convinced everyone of its usefulness, and critics say that a tougher reform might be needed in the near future. Will this be the case?
First, a bit of context.
The GDPR was the result of earlier legislation and rulings, notably the EU’s Data Protection Directive of 1995. Ultimately, though, a reform was needed to enable easier cooperation between EU members and to establish a more comprehensive mandate over the fragmented laws of each member state.
After a long drafting process, the GDPR was passed in April 2016. The regulation acknowledged, however, that its implementation would take time, so it only took effect in May 2018.
At that point, not all organizations were prepared for the implementation, especially smaller ones (a quick search for the keywords “GDPR+memes” will prove that). This struggle was one of the biggest challenges: big tech companies were expected to be able to afford the change, while smaller companies were likely to have a harder time.
Nonetheless, the GDPR did come into effect, and, ready or not, the Internet had to adapt or face fines of up to 20 million Euros or 4% of global turnover.
The coming into existence of the GDPR was remarkable in many ways.
As we know, the scope of the GDPR is limited to the collection, transfer, and processing of EU citizens’ data. But the framework was such a massive landmark that many countries and Internet-based organizations started adapting their own rules along the lines of what the GDPR prescribes.
On the private side, this makes sense: if your company is not based in the EU (yet) but might at any point come across the data of an EU citizen, it is better to implement data privacy policies now that will not jeopardize future operations.
Meanwhile, from a governmental point of view, the GDPR marked a turning point in how countries see data privacy: over 100 countries today have legal frameworks modeled after the GDPR, with the EU becoming a beacon on the subject (this in itself has sparked a debate over the so-called Brussels effect, that is, how unilateral EU rules end up being an instrument of globalization). All of a sudden, data privacy rules emerged in all shapes and forms, including in South Africa, Turkey, Kenya, and US states such as California and Vermont, to name a few. Moreover, more and more countries are planning or are in the process of enacting similar measures of their own.
At this point, one might ask: “with such an enormous influence around the world, surely the GDPR has protected EU citizens’ data as expected, right?”
The GDPR empowered each EU member state to delegate policing to a national data protection authority (DPA). The DPAs are responsible for ensuring compliance and imposing fines. GDPR critics have pointed out, however, that their sanctions can only do so much: Access Now, for instance, reported that in 2019 the budgets of DPAs were incredibly low compared to the income of some of the Big Tech companies they are supposed to supervise (namely Facebook, Google, and Microsoft in Ireland, and Amazon and PayPal in Luxembourg). In the case of Ireland and Luxembourg in particular, it is very hard for the local authorities to enforce the GDPR properly, especially when there is a backlog of procedures.
That backlog, however, is slowly being cleared, and enforcement is starting to hit the tech giants harder. For example, the CNIL (France’s DPA) fined Facebook and Google 60 and 150 million Euros respectively on December 31st last year over their cookie policies.
In addition, several EU countries have effectively banned Google Analytics so far in 2022, with more possibly to follow in the coming months.
Is this the end of Big Tech in GDPR territory? Of course not. But it underscores two things:
Hopefully, the rulings by DPAs are a step in the right direction toward effectively protecting data privacy. But if the effects prove unsustainable in the long term and user data remains at risk, a change may be needed once again.
Regardless of the organization involved, Big Tech or not, the GDPR demonstrated that a globalized approach to respecting the human right to privacy is possible (and still has plenty of room for improvement). It also showed that not choosing a Big Tech vendor can be an advantage, for example when selecting a GDPR-compliant product analytics provider. If you are caught in this conundrum, solving it starts with knowing how to migrate your analytics strategy to a solution that will never put you, your users’ data, or your finances at risk.