Almost one year of #GDPR: Has the new EU privacy legislation changed anything?

April 25, 2019

It has been almost a year now since the new EU privacy legislation came into force on May 25, 2018. Since then, both businesses and individuals have had the chance to revisit how they handle personal data. How much has changed during this time?

The Wide Reach of the New EU Privacy Rules

The new set of rules is known as the GDPR, which is short for General Data Protection Regulation. Replacing the previous 1995 Data Protection Directive, the GDPR aimed to establish personal data protection as a fundamental human right, as well as to enhance and harmonize data protection rules and safeguards across the EU area. One of its most controversial aspects, and the one that sent enterprises worldwide into a frenzy in the weeks leading up to its enforcement, was its territorial scope. The GDPR applies not only to EU-based companies but to any organization that provides goods and services to individuals based in the EU or monitors their activities. This effectively meant that US companies also had to prepare for the new rules, or they would be liable to pay hefty fines. Failing to comply with GDPR requirements could result in the imposition of fines up to €20,000,000 or 4% of an entity’s total worldwide revenue.

Against this backdrop, and as the deadline drew closer, customers were bombarded by emails and notifications from companies urging them to give their consent to keep receiving communications and promotions. Although the sheer volume was overwhelming for most, it provided an impetus for an interesting debate that was long overdue: consumers’ agency when it comes to their online privacy. It would be no overstatement to say that most people had no idea how much of their personal data and online activities were tracked, and the advent of the GDPR shed some light on that. Research shows that from April to July 2018, that is, from the month leading up to the GDPR’s enforcement date to a couple of months afterwards, news pages gradually abandoned third-party cookies and domains. In Italy, third-party cookies decreased by 19%, while the same figure rose to 32% in France, 33% in Spain and a whopping 45% in the UK. Meanwhile, third-party domains were abandoned by 16% of respondents in France, as well as 13% in the UK and 12% in Spain.

Hefty Fines Imposed Under the GDPR

On the occasion of Data Protection Day, which is celebrated every year on January 28th, the EU Commission released an infographic with key takeaways from the months since the GDPR was implemented. It seems that the new rules have been widely endorsed, as individuals and companies make use of their provisions. Over 95,000 complaints were lodged with Data Protection Authorities (DPAs) under the GDPR rules until last January, most of them pertaining to telemarketing, promotional emails and CCTV surveillance. On the other end of the spectrum, it seems that organizations are warming up to their new obligations under the flagship privacy legislation. Until January 2019, roughly 41,500 notifications regarding data breaches were received by national DPAs. Under the GDPR, companies have 72 hours after they discover a breach within which to report the incident to the competent DPA. Fear of the fines provided for in the Regulation seems to have worked. The EU Commission also provides details of the three cases where fines were actually imposed – with a few more cases still pending.

According to the infographic, a sports betting café in Austria received a €5,280 fine for video surveillance, while a social network operator in Germany was fined €20,000 for lack of appropriate data protection safeguards. In perhaps the most noteworthy case, tech and online services giant Google was fined a staggering €50 million by the French DPA for lack of transparency and failure to secure consent on personalized ads. The decision, which was widely reported in the news, was reached after two NGOs which focus on privacy on the web lodged complaints with the French watchdog CNIL. While it won’t translate to financial ruin for Google by any means, as the company’s value is estimated in the trillions, it is expected to have an impact on the way they approach privacy issues and potentially make Silicon Valley industry leaders revisit their business model. After all, the recent woes of social media platform Facebook, which faced tremendous backlash because of its controversial way of sharing user personal data with third-party analytics firms, also indicate that change is long overdue.

And it seems that the GDPR just might provide the inspiration for that, in part thanks to the publicity it received. According to the Commission infographic, in 2018, the GDPR was mentioned more times than Mark Zuckerberg himself in global media, while in May 2018 it surpassed both Beyoncé and Kim Kardashian in Google searches.
