Since the General Data Protection Regulation (GDPR) was created in mid-April 2016, the EU had hopes of creating an internet where the privacy of its users is more valued by making businesses implement an opt-in framework for their tracking cookies. In addition to establishing these goals, the GDPR has also inspired things like the California Consumer Privacy Act (CCPA), which basically copies its tenets and implements it into state law.
It’s no doubt to anyone that this EU law had effects across the globe, but did it achieve its goals?
To answer this question, we need a clean and objective perspective on what the GDPR does from a technical perspective and contrast the “in theory” implications with the “in practice” realities.
To be entirely fair to GDPR in our assessment, we need to start out with some good news about the law. It’s been a few years, and many websites have had plenty of time to adjust to its framework.
In essence, most of the tracking consent dialogues visible whenever you visit a website are the result of this legislation. But that’s not all it did. In summary:
- It created an opt-in mentality towards being traced on the internet, which allows people to personalize the amount of information they’re willing to give a particular service provider or company.
- Data protection starts to look more standardized, even outside the EU. Several other countries are either considering similar legislation or have already passed it.
- Efforts towards compliance are also leading to thoughts on finding other ways to secure customer data.
- Firms are generally held more accountable for misuse of data.
In general, companies are starting to look into their own data “hygiene” and plugging up holes in how they manage their customers’ information. GDPR has created an environment where companies are bound to act to the benefit of their customers’ privacy, albeit with incentives that might stretch the definition of a good regulatory framework.
Though the GDPR’s intentions may be consumer-centric, some of the effects it has had especially since the enforcement period make it extraordinarily difficult to give the regulation any plaudits.
- The EU isn’t able to make up its mind on how GDPR should be enforced. According to the Centre for Information Policy Leadership’s May report for the regulation, “[it] aimed to harmonize data protection rules across Europe… [However], while the GDPR does provide for a single set of rules to a degree, it fell short of its harmonization aim.” The CIPL’s report cites national interpretation of the law and differing priorities among data protection authorities (DPAs) as the culprits. In short, the law is very ambiguous on how it should be enforced.
- In addition to ambiguous enforcement, some fines were imposed on establishments without even involving the DPAs in charge of managing those organizations. This completely contradicts the One Stop Shop policy that the GDPR envisioned.
- Although it was designed to be future-proof, but both artificial intelligence and blockchain technology are making it very difficult to tell how this regulation could be enforced in certain contexts in the future.
- A concept known as “opt-in fatigue”, is starting to appear in the grand scheme of things. Forbes Technology Council cites Silvio Tavares of CardLinx, saying that “another unintended impact [of GDPR] is ‘check the box’ fatigue where opt-in consent language is presented so frequently on websites and apps that consumers don’t read the consents and just check the box.” This leads to a situation where consumers allow themselves to be tracked willingly and GDPR accomplishes nothing else than becoming another barrier to growth for businesses that doesn’t do much else to protect individual privacy rights but wave dialogues in consumers’ faces.
- The rules apply for small businesses as well, forcing them to go head-over-heels for compliance to a regulation that the majority of their prospective customers never really cared much about.
- Certain sites from other parts of the world are now blocking access from the EU, resulting in a soft “binary curtain” that removes parts of the internet entirely from EU citizens.
- All of these problems exist, and yet other countries outside the EU are thinking about adopting the same strategy.
Perhaps the worst of these in-practice GDPR outcomes is the fact that overreach from certain organizations can lead to situations where an individual or company is fined for simple mistakes or oversights that are essentially harmless or not really within the onus of the company.
Let’s take an example from our own ever-helpful GDPR fine tracker. An unknown company in Hungary was fined on the 11th of December 2019 for not deleting a former employee’s private emails. The fine of €1,500 was issued by the Hungarian National Authority for Data Protection and the Freedom of Information, under the auspices of Article 6 of the GDPR. However, one could argue that employees shouldn’t be using their work emails to send personal information in the first place. Regardless, the onus “de jure” here was not on the employee who misused their work email, but on the organization who managed the system.
Ten days later, a pharmaceutical distributor known as Doorstep Dispensaree was fined €320,000 for allowing some documents to get wet under the guise of violating Article 32 of the regulation.
While the consequences above may leave a sour taste in the mouths of any tech enthusiast, all of them are essentially addressable. There are, however, other unintended incentives created by the GDPR that it cannot hope to address.
- Although cybersecurity is generally a higher priority for businesses since GDPR has come into effect, there are enterprising hackers out there who hope to take advantage of this law to extort organizations. A hacker can find a loophole in a firm’s data protection and extort money off of it, asking for a sum smaller than the potential fines it would otherwise have to pay. Companies will inevitably take the path of least resistance and pay the ransom and then fixing the issue the hacker found, rather than reporting the hacker to authorities and ponying up the money for a full fine. Expect the cyber extortion market to expand in this direction. It has already begun taking baby steps there.
- Some more malicious websites could just put up fake consent dialogues to consumers, resuming data collection without the consumer’s knowledge. Trust in new GDPR measures and complacency will make most people continue on without batting an eyelash. This results in something worse than the old way of doing things: It provides more incentives for smaller sites to become more nefarious and elusive. After all, enforcing all of these data regulations on every site run in the EU (and outside of it) is not feasible.
- Innovation will be stifled in certain areas of the tech industry. In particular, some blockchain projects may not come to fruition due to data protection regulations in the EU. On the other hand, those that do come to fruition may have to anonymize their creation for fear of GDPR’s reprisals. We may see a lot of new Satoshi Nakamotos pop up because of this.
As with everything people learn throughout their lives, almost all good behavior and critical thinking comes through education. Rather than using GDPR as a stopgap against malicious privacy practices, it would have been much better to provide education to people that outlines exactly how dangerous the internet can be and what they can do to empower themselves against breaches in privacy.
Rather than babysitting consumers by policing the websites they access, it’s easier, cheaper, more feasible, more consumer-friendly, and at the same time more business-friendly to simply work on informing the consumers of tomorrow of all the dangers they can come across in their teenage years.
People are not going to suddenly become wary and prudent about the internet because of some regulation. On the other hand, there’s hope of this happening if they are “mentally armed” enough to make informed decisions. A good number of people don’t even know what cookies are! Let’s start there, shall we?