GDPR was supposed to offer consistency and clarity, acting as a pillar of the EU’s Digital Single Market. The reality is quite different, writes Steven Roberts
Few laws in recent years have received as much attention as the General Data Protection Regulation (GDPR). In an increasingly digitised economy, it promised improved data privacy rights for Europe’s citizens and a consistent experience for businesses operating across the territory. The potential for fines of up to €20 million or 4% of global annual turnover, whichever is higher, made for eye-catching headlines, with Irish and multinational firms introducing new training programmes and data processes to ensure they were compliant. Last month marked the second anniversary of the regulation. It is therefore timely to consider what its impact has been during its first two years.
One clear result of GDPR’s high profile is increased consumer awareness of their data protection rights. This is reflected in the Data Protection Commission’s most recent annual report. A total of 7,215 complaints were received last year, a 75% increase on 2018 figures. Data breach reporting, meanwhile, saw a 71% increase for the same period.
This indicates growing concerns about how companies obtain and use personal data. Citizens are more conscious of the trade-off involved when using digital and social media platforms. The term ‘surveillance capitalism’ has become increasingly popular. Companies that fail to recognise this trend risk jeopardising their reputation and the trust consumers place in them. Building an effective data privacy culture is now a vital part of any brand.
Advertising technology is coming under particular scrutiny. Supervisory authorities in Britain and France have given notice they are deeply unhappy with the lack of clarity in how individuals’ data is obtained and shared with multiple parties. The system’s complexity and opaqueness make it extremely difficult to meet the GDPR’s requirement for transparency.
GDPR was promoted as a panacea for businesses trading within Europe. A fundamental pillar of the Digital Single Market, it promised consistency and clarity. Local and regional interpretations would be removed. The reality is somewhat different. Variances still exist across EU member states.
One clear example relates to website cookies, the small text files a website stores on your PC or mobile to retain information between visits. The French, German, UK and Spanish authorities have differing interpretations of the lawful bases for processing, of acceptable data retention periods and of what constitutes valid consent on the part of the user.
The Data Protection Commission (DPC) released its own guidance document in April, giving companies a six-month grace period within which to comply. For businesses operating across a number of EU countries, significant resources are still needed to ensure their activities align with local best practice.
In addition, countries outside Europe have introduced new data laws. In the USA, the California Consumer Privacy Act came into effect this year, while lobbying is ongoing for legislation at federal level. A number of US states and districts have also introduced privacy bills, leading to an increasingly complex patchwork of laws. It is likely this global trend will continue over the coming decade.
Relatively few fines were issued in the first year of GDPR. This has changed substantially over the past 12 months. Britain’s Information Commissioner’s Office announced last summer its intention to fine British Airways and Marriott International €205 million and €110 million respectively, relating to large data breaches.
Earlier this year, Sweden issued a €7 million fine to Google for not complying with the GDPR’s right-to-be-forgotten. Ireland’s DPC has faced criticism internationally for its perceived slowness in issuing fines, particularly given the number of large, data-intensive technology companies based in Ireland. This changed recently, with the Commission fining Tusla €75,000 for wrongful disclosures of children’s personal data. It advised that a second fine for the agency is also pending.
International transfers of data continue to be problematic under GDPR. The Regulation envisages a range of options available to businesses. Examples include binding corporate rules, codes of conduct and certification schemes. The latter two are works in progress. A question mark remains over the continued viability of standard contractual clauses, the most commonly used mechanism, particularly for small and medium-sized businesses. Brexit, meanwhile, creates further problems for Irish businesses. Once the transition period ends, the UK will be deemed a ‘third country’ under GDPR; it will then have to seek an adequacy decision from the EU, something that could take up to 18 months to achieve.
Artificial intelligence (AI), machine learning and big data hold much promise for economic growth over the coming decade. The Government is due to launch a national AI strategy later this year, a key component in the EU’s goal of achieving a Digital Single Market.
However, these new technologies pose substantial problems from a GDPR perspective. It can be difficult to provide clear, unambiguous information in advance to individuals as to how these technologies will process their data and the outcomes that will result. The Regulation’s principle-based approach provides some flexibility. A key challenge for lawmakers will be balancing AI’s economic potential with citizens’ increased expectations for data privacy, transparency and trust.
The GDPR has achieved a substantial increase in Irish and EU citizens’ awareness of their data protection rights. Alongside this is growing concern at how personal data is traded for access to digital and social media services. It can be argued that businesses are now paying more than lip service to building an accountable data privacy culture. However, significant headwinds remain. At a global level, compliance professionals must deal with increasing complexity as countries introduce new data laws. Within Europe, consistency and clarity remain an aspiration as local interpretations continue to exist at member state level.
Steven Roberts is Head of Marketing for Griffith College, non-executive director of The Discovery Programme, and a certified data protection officer. He is the author of the forthcoming book ‘Data Protection for Marketers: A Practical Guide’, which is due for publication by Orpen Press in 2021. The opinions expressed are the author’s. They are not intended as a substitute for seeking professional legal advice.