The EU’s General Data Protection Regulation (GDPR) came into effect three years ago and changed the online world for good.
Businesses using personal data with almost no limitations now have to pay attention to what they do with users’ personal information. It followed a few lucrative years for online businesses earning loads of money by simply making data-based decisions using personal data, often without users’ knowledge.
The GDPR brought constraints to that use, so the outcry by the businesses came as no surprise.
It had to happen, though.
Cases such as the scandal with Facebook and Cambridge Analytica and the number of data security failures by Equifax drew the public’s attention to online data privacy. Media caused hysteria, legislators passed laws, and we were brought to a new reality of online privacy.
Three years later, the situation seems different.
What we’ve seen so far is that:
There is still a long way to go. Some of the challenges for the near and mid-term future include:
25 May 2018 was just the beginning. When GDPR came into force, businesses worldwide wondered how they would meet the high requirements, claiming that the GDPR would not work.
But it did. And eventually, it caused a wave of introductions of new data protection laws all around the world.
Whenever some country introduces a new data protection law or updates the existing one, it always mirrors the provisions of the GDPR. It is not always as strict or demanding, but it is similar.
These countries include candidate countries for EU membership, the United Kingdom, Israel, Australia, Brazil and most other countries in South America, Egypt, Kenya, Dubai (the Dubai International Finance Centre only), Thailand, and others.
GDPR was passed, among other things, to tackle the Googles and Facebooks of the world. Meanwhile, the tech giants’ homeland still refrains from passing GDPR-like legislation.
The United States is the only well-developed country without a comprehensive data protection law. US citizens are not as protected as EU citizens, Canadians, Brazilians, and others who enjoy the benefits of GDPR-like protection.
While the European Union tends to regulate everything everywhere, the US government often takes the opposite approach. As a result, data protection in the US is still very weak compared to other parts of the world.
Despite the calls for a federal data protection law, the data protection legal landscape in the US is still a big mess. Only three states have data protection laws – California, Virginia, and Nevada – while the rest have only data breach laws.
Of those three, the Nevada law is quite obscure compared to the GDPR, the CCPA of California does not apply to all businesses, and the Virginia CDPA will come into force in 2023 and is not comprehensive either.
The US is still lagging in terms of consumer protection when it comes to data. Most attempts to introduce new laws have failed.
At the same time, the US is home to data brokers who supply politicians with large amounts of data they use in political campaigns.
The US does not provide data protection on a level equal to the GDPR. Therefore, data transfers from Europe to the US are quite complicated.
Transfers used to be regulated by the Privacy Shield. That was an agreement between the US and the EU, according to which personal data of EU users could be transferred freely to a list of compliant US companies registered with the Shield.
Max Schrems, the leader of NOYB (None of Your Business), an NGO working in the field of data privacy, knocked the agreement down. He initiated a procedure at the Court of Justice of the European Union. The court ruled that personal data transfers from the EU to the US are unlawful under the GDPR because the data may be exposed to US authorities at any time due to the nature of US laws.
This court decision is known as Schrems II. The Schrems I decision brought down the Safe Harbor, the data transfer agreement that preceded the Privacy Shield.
Three years after the GDPR’s introduction, the EU and the US are negotiating a new deal. The constraints set by the Schrems II decision will be hard to get around.
Back in 2018, the GDPR was known as the Boogeyman due to the huge fines it prescribed. 4% of annual turnover or 20 million EUR – whichever is greater – was unheard of.
But very soon, such fines became usual.
The national data protection bodies of the EU countries do not hesitate to issue hefty GDPR fines. The largest include a 50 million EUR fine. This doesn’t mean companies go out of business, since that is not the law’s intention.
The GDPR aimed to tackle the tech giants, so it prescribed huge penalties. Nevertheless, many fines for small businesses are in the four digits.
Unsurprisingly, brands such as Google, Marriott, H&M, and other big companies get fined for violations, and the authorities do not hesitate to issue such fines. They have become usual. However, these fines do not scare small businesses too much.
However, this doesn’t solve the non-compliance issues in general because…
Small businesses, in many cases, are not compliant with the GDPR yet. Although tech giants can violate online privacy laws on a massive scale, small companies often violate data subject rights.
Multiple reasons lead to this:
As a result, tech giants easily comply with the GDPR when they want, while small businesses often cannot carry the burden of compliance. Or they don’t want to bother because the policeman is too busy with big companies.
Awareness of data privacy may be rising, but no one knows for sure.
On the one hand, we see privacy issues discussed in mass media more often.
At the same time, the aforementioned Max Schrems and his NOYB are now going after businesses that do not meet the cookie banner requirements.
On the other hand, most businesses are not compliant, which means they have never been challenged by a user who wanted to exercise their data subject rights.
So, are people more aware of their data privacy rights and trying to protect themselves? Or are they reacting to the outrage created by the mass media against tech giants?
No one can say for sure. Only time will tell what the truth is.
Privacy by design is a framework for embedding data protection in products and services.
Before the GDPR, it was largely an unknown term. Nowadays, many developers consider data protection while building a product or service.
Privacy is now a feature of many products. For others, privacy is the product itself. In both cases, GDPR had a huge positive influence on embedding online data privacy into the products or services.
Three years of GDPR implementation show that the online world has changed a lot.
But this is not the end.
Some trends continue to grow, while some new ones appear on the horizon.
Many countries have passed new laws, but many others have not done it yet. This includes big economies such as the United States, India, and Indonesia.
India is in the process of passing a new law. Indonesia may introduce a new one soon as well. Both are expected to rely on the principles present in the GDPR.
Canada is preparing a new federal data protection law as well. This one is expected to put companies at risk of even bigger fines than those in the GDPR. At the same time, some Canadian provinces are pondering provincial online privacy laws to protect their citizens.
On top of that, the EU is about to update its privacy laws by passing the ePrivacy Regulation. If passed at all, it is expected to bring clarification on the use of metadata, IoT-related communication, privacy around messaging apps, etc.
Despite the calls for passing a law like the GDPR on a federal level in the US, it seems that it won’t happen anytime soon.
Politicians in some US states keep trying to bring online privacy discussions into state legislatures, but very few states have passed any data protection law. Even those introduced are far from the comprehensiveness of the GDPR.
Andrew Yang, a candidate in the 2020 US Democratic primary elections, brought up the idea of personal data as an asset. Yang’s idea was to grant data subjects the right to receive money in return for sharing their personal data.
This idea has not been included in law yet, although there is something like that in the CCPA. In some of the recent updates, the CCPA regulated the financial incentives for users who share personal data for that purpose. This pertains mostly to loyalty programs, though, so data is not an asset in California yet.
A new data transfer agreement between the European Union and the United States is more than necessary. Without such an agreement, data transfers are tricky and make it easy to slide into violation of the GDPR.
Schrems is going after small and medium businesses now. The action against the so-called “cookie banner terror” aims to make companies respect GDPR cookie banner rules.
They have employed an automated system that could create up to 10,000 complaints daily. The complaints will be sent to companies; if they do not comply within a month, NOYB will send the complaints to data protection authorities.
It is reasonable to expect that such actions could make businesses consider their GDPR compliance one more time.
When legislators wrote the GDPR, they were not thinking of blockchains. Although the GDPR is tech-agnostic, it has some points of conflict with blockchains, such as:
Blockchains are a space of their own. Their development and alignment with the GDPR will also be exciting.
GDPR is here to stay. Its influence has been mostly positive. It burdens small businesses, but protecting personal data is more important.
GDPR has set the global standard for data protection. With so many countries mirroring its provisions, a GDPR-compliant business can easily be globally compliant with pretty much all the existing data privacy laws worldwide. If you comply with the GDPR, you comply with them all.
Unless your business is in the crypto space; that is where the real challenges lie. Blockchains bring an exciting future but a lot of headaches for EU legislators.
All we can do in the meantime is sit back and wait for the developments.