A Look Back at GDPR: Did it Accomplish its Goals?
Since the General Data Protection Regulation (GDPR) was created in mid-April 2016, the EU had hopes of creating an internet where the privacy of its users is more valued by making businesses implement an opt-in framework for their tracking cookies. In addition to establishing these goals, the GDPR has also inspired things like the California Consumer Privacy Act (CCPA), which basically copies its tenets and implements it into state law.
It’s no doubt that this EU law had effects across the globe, but did it achieve its goals?
To answer this question, we need a clean and objective perspective on what the GDPR does from a technical perspective and contrast the “in theory” implications with the “in practice” realities.
The Good
To be entirely fair to GDPR in our assessment, we need to start with some good news about the law. It’s been a few years, and many websites have had plenty of time to adjust to their framework.
In essence, most of the tracking consent dialogues visible whenever you visit a website result from this legislation. But that’s not all it did. In summary:
- It created an opt-in mentality towards being traced on the internet, allowing people to personalize the amount of information they’re willing to give a particular service provider or company.
- Data protection has become more standardized, even outside the EU. Several other countries are either considering similar legislation or have already passed it.
- Efforts towards compliance also lead to thoughts on finding other ways to secure customer data.
- Firms are generally held more accountable for misuse of data.
In general, companies are looking into their own data “hygiene” and plugging holes in how they manage their customers’ information. GDPR has created an environment where companies are bound to act to benefit their customers’ privacy, albeit with incentives that might stretch the definition of a sound regulatory framework.
The Bad
Though the GDPR’s intentions may be consumer-centric, some of its effects, especially since the enforcement period, make it extraordinarily difficult to give the regulation any plaudits.
In summary:
- The EU cannot decide how GDPR should be enforced. According to the Centre for Information Policy Leadership’s May report for the regulation, “[it] aimed to harmonize data protection rules across Europe… [However], while the GDPR does provide for a single set of rules to a degree, it fell short of its harmonization aim.” The CIPL’s report cites national interpretation of the law and differing priorities among data protection authorities (DPAs) as the culprits. In short, the law is very ambiguous on how it should be enforced.
- In addition to ambiguous enforcement, some fines were imposed on establishments without involving the DPAs managing those organizations. This completely contradicts the One Stop Shop policy that the GDPR envisioned.
- Although it was designed to be future-proof, both artificial intelligence and blockchain technology make it very difficult to tell how this regulation could be enforced in certain contexts in the future.
- A concept known as “opt-in fatigue” is starting to appear in the grand scheme. Forbes Technology Council cites Silvio Tavares of CardLinx, saying that “another unintended impact [of GDPR] is ‘check the box’ fatigue where opt-in consent language is frequently presented on websites and apps consumers don’t read the consents and just check the box.” This leads to a situation where consumers allow themselves to be tracked willingly. GDPR accomplishes nothing but becomes another barrier to growth for businesses that don’t do much to protect individual privacy rights but wave dialogues in consumers’ faces.
- The rules apply to small businesses, forcing them to go head-over-heels for compliance with a regulation that most prospective customers never really cared about.
- Certain sites from other parts of the world are now blocking access from the EU, resulting in a soft “binary curtain” that removes parts of the internet entirely from EU citizens.
- All these problems exist, yet other countries outside the EU are considering adopting the same strategy.
Perhaps the worst of these in-practice GDPR outcomes is that overreach from specific organizations can lead to situations where an individual or company is fined for simple mistakes or oversights that are essentially harmless or not really within the onus of the company.
Let’s take an example from our own ever-helpful GDPR fine tracker. An unknown company in Hungary was fined on the 11th of December 2019 for not deleting a former employee’s private emails. The Hungarian National Authority issued a fine of €1,500 for Data Protection and the Freedom of Information under Article 6 of the GDPR. However, one could argue that employees shouldn’t be using their work emails to send personal information in the first place. Regardless, the onus “de jure” here was not on the employee who misused their work email but on the organization that managed the system.
Ten days later, a pharmaceutical distributor known as Doorstep Dispensaree was fined €320,000 for allowing some documents to get wet under the guise of violating Article 32 of the regulation.
The Ugly
While the consequences above may leave a sour taste in the mouths of any tech enthusiast, all of them are essentially addressable. There are, however, other unintended incentives created by the GDPR that it cannot hope to address.
- Although cybersecurity is generally a higher priority for businesses since GDPR has become effective, some enterprising hackers hope to take advantage of this law to extort organizations. A hacker can find a loophole in a firm’s data protection and extort money from it, asking for a sum smaller than the potential fines it would otherwise have to pay. Companies will inevitably take the path of least resistance and pay the ransom and then fix the issue the hacker found, rather than reporting the hacker to authorities and paying the money for a full fine. Expect the cyber extortion market to expand in this direction. It has already begun taking baby steps there.
- Some more malicious websites could fake consent dialogues to consumers, resuming data collection without the consumer’s knowledge. Trust in new GDPR measures and complacency will make most people continue without batting an eyelash. This results in something worse than the old way of doing things: It provides more incentives for smaller sites to become more nefarious and elusive. After all, enforcing these data regulations on every site run in the EU (and outside of it) is not feasible.
- Innovation will be stifled in certain tech industry areas. In particular, some blockchain projects may not come to fruition due to data protection regulations in the EU. On the other hand, those who come to fruition may have to anonymize their creation for fear of GDPR’s reprisals. We may see a lot of new Satoshi Nakamotos pop up because of this.
The Alternative
Like everything people learn throughout their lives, almost all good behavior and critical thinking come from education. Rather than using GDPR as a stopgap against malicious privacy practices, it would have been much better to provide education to people that outlines precisely how dangerous the internet can be and what they can do to empower themselves against breaches in privacy.
Rather than babysitting consumers by policing the websites they access, it’s easier, cheaper, more feasible, more consumer-friendly, and at the same time more business-friendly to work on informing the consumers of tomorrow of all the dangers they can come across in their teenage years.
People will not suddenly become wary and prudent about the internet because of some regulations. On the other hand, there’s the hope of this happening if they are “mentally armed” enough to make informed decisions. A good number of people don’t even know what cookies are! Let’s start there, shall we?