Since the General Data Protection Regulation (GDPR) was created in mid-April 2016, the EU had hopes of creating an internet where the privacy of its users is more valued by making businesses implement an opt-in framework for their tracking cookies. In addition to establishing these goals, the GDPR has also inspired things like the California Consumer Privacy Act (CCPA), which basically copies its tenets and implements it into state law.
It’s no doubt that this EU law had effects across the globe, but did it achieve its goals?
To answer this question, we need a clean and objective perspective on what the GDPR does from a technical perspective and contrast the “in theory” implications with the “in practice” realities.
To be entirely fair to GDPR in our assessment, we need to start with some good news about the law. It’s been a few years, and many websites have had plenty of time to adjust to their framework.
In essence, most of the tracking consent dialogues visible whenever you visit a website result from this legislation. But that’s not all it did. In summary:
In general, companies are looking into their own data “hygiene” and plugging holes in how they manage their customers’ information. GDPR has created an environment where companies are bound to act to benefit their customers’ privacy, albeit with incentives that might stretch the definition of a sound regulatory framework.
Though the GDPR’s intentions may be consumer-centric, some of its effects, especially since the enforcement period, make it extraordinarily difficult to give the regulation any plaudits.
Perhaps the worst of these in-practice GDPR outcomes is that overreach from specific organizations can lead to situations where an individual or company is fined for simple mistakes or oversights that are essentially harmless or not really within the onus of the company.
Let’s take an example from our own ever-helpful GDPR fine tracker. An unknown company in Hungary was fined on the 11th of December 2019 for not deleting a former employee’s private emails. The Hungarian National Authority issued a fine of €1,500 for Data Protection and the Freedom of Information under Article 6 of the GDPR. However, one could argue that employees shouldn’t be using their work emails to send personal information in the first place. Regardless, the onus “de jure” here was not on the employee who misused their work email but on the organization that managed the system.
Ten days later, a pharmaceutical distributor known as Doorstep Dispensaree was fined €320,000 for allowing some documents to get wet under the guise of violating Article 32 of the regulation.
While the consequences above may leave a sour taste in the mouths of any tech enthusiast, all of them are essentially addressable. There are, however, other unintended incentives created by the GDPR that it cannot hope to address.
Like everything people learn throughout their lives, almost all good behavior and critical thinking come from education. Rather than using GDPR as a stopgap against malicious privacy practices, it would have been much better to provide education to people that outlines precisely how dangerous the internet can be and what they can do to empower themselves against breaches in privacy.
Rather than babysitting consumers by policing the websites they access, it’s easier, cheaper, more feasible, more consumer-friendly, and at the same time more business-friendly to work on informing the consumers of tomorrow of all the dangers they can come across in their teenage years.
People will not suddenly become wary and prudent about the internet because of some regulations. On the other hand, there’s the hope of this happening if they are “mentally armed” enough to make informed decisions. A good number of people don’t even know what cookies are! Let’s start there, shall we?