GDPR Three Years Later: What We’ve Learned and What’s Ahead of Us

Updated: 14 June 2021
Updated: 14 June 2021

Fact-checked by

The General Data Protection Regulation (GDPR) of the EU came into effect three years ago and changed the online world for good.

Businesses that were using personal data with almost no limitations now had to pay attention to what they do with users’ personal information. It followed a few lucrative years for online businesses who were earning loads of money by simply making data-based decisions by using personal data often without the knowledge of users.

The GDPR brought constraints to that use, so the outcry by the businesses came at no surprise.
It had to happen, though.

Cases such as the scandal with Facebook and Cambridge Analytica and the number of data security failures by Equifax drew the public’s attention to online data privacy. Media caused hysteria, legislators passed laws, and we were brought to a new reality of online privacy.

Three years later, the situation seems different.

GDPR After 3 Years

What We Have Seen So Far

What we’ve seen so far is that:

Obviously, there is still a long way to go. Some of the challenges for the near and mid-term future include:

  • New EU-US agreement on data transfers
  • Schrems tackling the “cookie banner terror”
  • Passing the new ePrivacy Regulation, expected to bring some clarifications
  • Some big economies are expected to pass their own GDPR-like laws, but not the US
  • In the US, though, they consider some novel consent such as property rights on personal data
  • Blockchains will be quite challenging in terms of privacy

Companion guides:

How websites interfere with your online privacy
How to transfer data from the EU to the US
GDPR compliance for businesses
How the sale of personal data works
How to interpret a website’s privacy policy

GDPR Started a Wave of Passing of Similar Laws

25 May 2018 was just the beginning. When GDPR came into force, businesses from all around the world were wondering how they were going to meet the high requirements, claiming that the GDPR was not going to work.

But it did. And eventually, it caused a wave of introductions of new data protection laws all around the world.

Whenever some country introduces a new data protection law or updates the existing one, it always mirrors the provisions of the GDPR. It is not always as strict or as demanding, but it is similar.

These countries include countries-candidate for membership in the EU, United Kingdom, Israel, Australia, Brazil and most countries in South America, Egypt, Kenya, Dubai (the Dubai International Finance Center only), Thailand, and others.

The US Still Restrains

GDPR was passed, among other things, to tackle the Googles and Facebooks of the world. Meanwhile, the tech giants’ homeland still restrains from passing GDPR-like legislation.

The United States is the only well-developed country without a comprehensive data protection law in place. US citizens are simply not as protected as EU citizens, Canadians, Brazilians, and others who enjoy the benefits of GDPR-like protection.

While the European Union tends to regulate everything everywhere, the US government often takes the opposite approach. As a result, data protection in the US is still very weak compared to other parts of the world.

Despite the calls for a federal data protection law, the data protection legal landscape in the US is still a big mess. Only three have data protection laws – California, Virginia, and Nevada, while the rest have only data breach laws.

From those three, the Nevada law is quite obscure compared to the GDPR, the CCPA of California does not apply to all businesses, and the Virginia CDPA will come into force in 2023 and is not comprehensive either.

The US is still lagging behind in terms of consumer protection when it comes to data. Most of the attempts for introduction of new laws have failed.

At the same time, the US is home to data brokers who supply politicians with large amounts of data they use in political campaigns.

And That Makes Things Harder for Everyone

The US does not provide data protection on a level equal to the GDPR, therefore the data transfers from Europe to the states is quite complicated.

Transfers used to be regulated by the Privacy Shield. That was an agreement between the US and the EU, according to which personal data of EU users could have been transferred freely to a list of compliant US companies registered with the Shield.

Max Shrems, the leader of the NOYB (None of Your Business), an NGO working on the field of data privacy, knocked the agreement down. He initiated a procedure at the Court of Justice of the European Union and got a decision according to which personal data transfers from the EU to the US are unlawful under the GDPR because the data may be exposed to US authorities at any time due to the nature of US laws.

This court decision is known as Schrems II. The Schrems I decision brought down the Safe Harbor, the data transfers agreement that preceded the Privacy Shield.

Nowadays, three years after the GDPR introduction, the EU and the US negotiate a new deal. The constraints set by the Schrems II decision, though, will be hard to get by.

Hefty Fines Have Become Usual

Back in 2018, the GDPR was known as the Boogeyman due to the huge fines it prescribed. 4% of the annual turnover or 20 Million EURO – whichever is greater, was unseen.

But very soon it has become usual.

The national data protection bodies of the EU countries do not hesitate to issue hefty fines. The largest include 50 Million EUR. This doesn’t mean that companies go out of business, since this is not the intention of the law.

The GDPR aimed to tackle the tech giants, so it prescribed huge penalties. Nevertheless, many fines for small businesses are in the four digits.

The authorities do not hesitate to issue such fines. They have become usual. It is not surprising when brands such as Google, Marriott, H&M, and other big companies get fined for violations. However, it seems that these fines do not scare small businesses too much.

However, this doesn’t solve the non-compliance issues in general, because…

Many Businesses Are Not Compliant Yet

Small businesses, in many cases, are not compliant with the GDPR yet. Although tech giants can violate online privacy laws on a massive scale, small businesses seem to violate data subject rights more often.

There are multiple reasons that lead to this:

  • Small businesses simply do not have the resources for compliance. Particularly businesses that are just starting out, businesses with scrappy budgets on the verge to go out of business, one-man businesses, etc.
  • They just try to get by. Many think that DPA won’t come after them because they are too busy with big companies. And they may be just right. Many DPAs are understuffed and lack resources to go after each and every GDPR violator. There are only 27 DPAs in the EU, while there are billions of online businesses worldwide that need to comply with the law. Numbers clearly imply that it is simply not possible for authorities to catch every business that violates the law, unless users take action against them. And, that doesn’t happen as often because users lack awareness about their rights, or maybe love the convenience coming from the share of personal data with an online business.

As a result, tech giants easily comply with the GDPR when they want, while small businesses often cannot carry the burden of compliance. Or they just don’t want to bother because the policeman is too busy with big companies.

Awareness Around Data Privacy May Be Arising

Awareness around data privacy may be arising, but no one knows for sure.

On one hand, we see privacy issues discussed in mass media more often.

We also saw people quitting Whatsapp due to data privacy, as well as a big debate whether Apple was right to require developers to be more transparent.

At the same time, the aforementioned Max Shrems and his NOYB are now after businesses that do not meet the cookie banner requirements.

On the other hand, most businesses are not compliant, which means that they have never been challenged by a user who wanted to exercise their data subject rights.

So, are people more aware of their data privacy rights and try to protect themselves? Or do they just react to outrage created by the mass media against tech giants?

No one can say for sure. Only time will tell what’s the truth.

Yet, Privacy by Design Becomes a Standard

Privacy by design is a framework for embedding data protection in products and services.

Before the GDPR, it was largely an unknown term. Nowadays many developers consider data protection while building the product or the service.

Privacy is now a feature of many products. For others, privacy is the product itself. In both cases, GDPR had a huge positive influence into embedding the online data privacy into the products or services.

What Comes Next?

Three years into the implementation of the GDPR show that the online world has changed a lot.

But, this is not the end.

Some of the trends continue to grow, while some new ones appear on the horizon.

The Wave of New Privacy Laws Will Continue

Many countries have passed new laws, but many others have not done it yet. This includes some big economies such as the United States, India, and Indonesia.

India is in the process of passing a new law. Indonesia may introduce a new one soon as well. Both are expected to rely on the principles present in the GDPR.

Canada prepares a new federal data protection law as well. This one is expected to put companies under the risk of even bigger fines than those in the GDPR. At the same time, some Canadian provinces ponder passing provincial online privacy laws to protect their citizens.

On top of that, the EU is about to update its own privacy laws by passing the ePrivacy Regulation. If passed at all, it is expected to bring clarification on the use of metadata, IoT-related communication, privacy around messaging apps, etc.

US Won’t Pass a GDPR-Like Law

Despite the calls for passing a law like the GDPR on a federal level in the US, it seems that it won’t happen anytime soon.

Politicians from some US states have continuous attempts to bring online privacy discussions into legislation bodies on a state level, but very few states have passed any data protection law. Even those that have been introduced are far from the comprehensiveness of the GDPR.

But New Ideas Come From the US

Andrew Yang, a candidate in the US Democrates’ primary elections 2020, brought the idea of personal data as an asset. Yang’s idea was to grant data subjects the right to receive money in return for sharing their personal data.

This idea has not been included in a law yet, although there is something like that in the CCPA. In some of the recent updates, the CCPA regulated the financial incentives for users who share personal data for that purpose. This pertains mostly to loyalty programs, though, so data is not an asset in California yet.

New EU-US Data Transfers Agreement Is Necessary

A new data transfers agreement between the European Union and the United States is more than necessary. In the absence of such agreement, data transfers are tricky and make it easy to slide into violation of the GDPR.

More Businesses May Become Compliant

Schrems is after small and medium businesses now. The action against the so-called “cookie banner terror” aims to make companies respect GDPR cookie banner rules.

They have employed an automated system that could create up to 10.000 complaints daily. The complaints will be sent to companies, and if they do not comply within a month, NOYB will send complaints to data protection authorities.

It is reasonable to expect that actions like this could make businesses consider their GDPR compliance one more time.

Blockchains Pose a Huge Challenge

When legislators had been writing the GDPR, they obviously hadn’t thought of blockchains. Although the GDPR is tech-agnostic, it has some points of conflict with blockchains, such as:

  • The right to be forgotten, which is impossible on the blockchain
  • Applicability of the territorial scope of the GDPR, since nodes can be everywhere
  • Who is the data controller (are the nodes data controllers?)

Blockchains are a space of its own. Their development is exciting, and the alignment with the GDPR will be exciting as well.

Conclusions

GDPR is here to stay. Its influence has been mostly positive. It poses some burden to small businesses, but the protection of personal data is more important than that.

GDPR has set the global standard for data protection. With so many countries mirroring its provisions, a GDPR-compliant business can easily be globally compliant with pretty much all the existent data privacy laws worldwide. If you comply with the GDPR, you comply with them all.

Unless your business is in the crypto space. That’s where real challenges lie. Blockchains bring an exciting future, but a lot of headaches for EU legislators as well.

All we can do in the meantime is sit back and wait for the developments.

Written by: Petar Todorovski

Connect with the author:

Data privacy expert

Legal Advisor for IT Regulation - Ministry for Information Society and Administration of Macedonia

Petar Todorovski is interested in just about anything where law and technology intersect. His work includes legal consultation for companies, drafting IT-related legislation for the Macedonian government, and designing legal tech apps for a data protection management platform.

He has experience in data protection, cybersecurity, trust services, digital transformation of public services, access to justice, and writing for the internet.

He is a big advocate of automation, user-centered design, and the use of plain language in the legal industry.

Petar takes a break from law and tech by having a Crossfit workout, enjoying the outdoors, and reading smart people’s blogs.

Leave a Reply

Your email address will not be published.