Data Privacy & Compliance
4 Years Ago, the GDPR Changed Everything. Now What?

Last updated on

April 27, 2022
Countly Team

The EU’s General Data Protection Regulation is approaching the 4th anniversary of its implementation in May 2018. Since its inception, it has been hailed as a groundbreaking framework for making users’ rights on the Internet a human right. Its impact in many other markets has been undeniable, and it has truly affected how the world of the Internet works, even outside EU borders. As fantastic as it all sounds, the GDPR hasn’t convinced everyone of its usefulness, and critics say that a tougher reform might be needed in the near future. Will this be the case?

The need and the road to GDPR

First, a bit of context.

The GDPR was the result of previous works of legislation and rulings, notably the EU’s Data Protection Directive from 1995. But ultimately a reform was needed to implement easier cooperation between EU members and a more comprehensive mandate over the fragmented laws of each member state.

After a long drafting process, the GDPR was passed in April 2016. The ruling, however, acknowledged that its implementation might take time, so it only took effect in May 2018.

At that point, not all organizations were prepared for the implementation, especially smaller ones (a quick search for the keywords “GDPR+memes” will prove that). This struggle was one of the biggest challenges: big tech companies were expected to be able to afford the change, while smaller companies might have it harder.

Nonetheless, the GDPR did come into effect, and, ready or not, the Internet had to adapt or face fines of up to 20 million Euros or 4% of global turnover.

GDPR ripples across the world of law and the world of software

The coming into existence of the GDPR was remarkable in many ways.

As we know, the scope of the GDPR is limited to the collection, transfer, and processing of EU citizens’ data. But the framework was such a massive landmark that many countries and Internet-based organizations started processes to adapt their own rules along the lines of what the GDPR said.

On the private side, it makes sense: if your company is not based in the EU (yet) but might at any point come across user data from an EU citizen, then better to just implement data privacy policies that will not jeopardize future operations.

Meanwhile, from a governmental point of view, the GDPR was truly a before-and-after in how countries see data privacy: over 100 countries today have legal frameworks modeled after the GDPR, with the EU becoming a beacon on the subject matter (this in itself has sparked a debate over the so-called Brussels effect or how unilateral EU rules end up being an instrument of globalization). All of a sudden, rulings regarding data privacy emerged in all shapes and forms, including in South Africa, Turkey, Kenya, and US states like California and Vermont, to name a few. That said, more and more countries are planning or are in the process of enacting their own similar measures.

However, one might think: “With such an enormous influence around the world, surely the GDPR has protected EU citizens’ data as expected, right?”

Well…

Big Tech crack-down

The GDPR empowered each EU member state to delegate policing to a national data protection agency (DPA). They are the ones responsible for ensuring compliance and imposing fines. GDPR critics reported, however, that their sanctions can only do so much: Access Now, for instance, reported that in 2019, DPAs’ budgets were incredibly low compared to the income of some of the Big Tech companies they are supposed to control (namely, Facebook, Google, and Microsoft in Ireland; and Amazon and PayPal in Luxembourg). In the case of Ireland and Luxembourg particularly, it’s very hard for the local authorities to enforce the GDPR properly, especially if/when there is a backlog of procedures.

However, this backlog is slowly being cleared, and enforcement is actually starting to hit tech giants more severely. For example, last December 31st, the CNIL (France’s DPA) fined Facebook and Google 60 and 150 million Euros respectively over their cookie policies.

Also, several EU countries have effectively banned Google Analytics so far in 2022, with more possibly to follow during the coming months.

Power and responsibility

Is this the end of Big Tech in GDPR territory? Of course not. But it underscores two things:

  • It took some time for the EU to understand the impact of the GDPR and act on it. So we could say that it’s been a bit of a rocky road for the data of some EU citizens so far.
  • Big Tech did not adapt to the GDPR as quickly as expected. And now that some practices are being corrected, organizations that depended on Big Tech and adapted part of their operations when the GDPR came into effect, such as those using Google Analytics, are scrambling to adapt the rest.

Hopefully, the rulings by DPAs are a step in the right direction to effectively protect data privacy. But maybe, if the effects are not sustainable in the long term and user data keeps being at risk, a change might be needed again.

Regardless of who the organization is, Big Tech or not, the GDPR demonstrated that a globalized approach to respecting the human right to privacy is possible (and can still be perfected a lot). It also showed that not choosing a Big Tech vendor can be an advantage, for example, when it comes to choosing a GDPR-compliant product analytics provider. If you are caught in this conundrum, solving it starts by knowing how to migrate your analytics strategy to a solution that will never put you, your users’ data, or your finances at risk.
