Europe’s General Data Protection Regulation (GDPR) was designed to harmonise the rules governing data protection across the EU, giving rights to individuals around how their data is collected, stored and erased, and providing in-country regulators with the means to punish those companies caught lacking. And, as the EU celebrates a landmark policy’s second birthday, if imitation is the sincerest form of flattery then the lawmakers responsible for the GDPR should be blushing.
Similar data protection laws are in the process of being, or have recently been, passed in Brazil, Japan, Thailand, India and the state of California in the US – all following the EU’s lead. With post-Brexit Britain choosing to subsume the regulation virtually intact into UK law, the GDPR has effectively become the default data protection regulation for many countries around the world.
During the decade of drafting that gave birth to the GDPR, some company executives looking on disparaged the nascent regulations as a piece of restrictive and anti-competitive law that would hold back European businesses. But fortunately for the law’s advocates, its launch coincided with the scandal over Cambridge Analytica’s misuse of Facebook users’ data. The very public hearings involving Facebook’s leadership in Congress and the closing down of Cambridge Analytica galvanised many tech leaders, such as Apple’s Tim Cook and Microsoft’s top lawyer Brad Smith, to publicly come out in favour of the GDPR or similar regulation. And although it wasn’t 100% clear at the time whether Mark Zuckerberg was in support of tech company regulation, he has since come out in support of new rules that ‘may hurt Facebook’s business in the near term… but it will be better for everyone, including [Facebook], over the long term.’
At the heart of the GDPR are seven key principles designed to protect individuals’ rights surrounding data. But as is usually the case, actions speak louder than words. For most people, this action presented itself as the now-enforced emails from retailers and websites asking their customers to grant or renew their permission to be included on email distribution lists. But for those tasked with reviewing data collection policies, from high street banks and Silicon Roundabout start-ups to NHS trusts and Twitter, it has meant significant due process, obligations and potentially significant fines for wrongdoing.
When Facebook was found to be misusing users’ personal information in the Cambridge Analytica scandal, it was fined the maximum penalty of £500,000 under the Data Protection Act 1998. Had Facebook been bound by the GDPR at the time, the Information Commissioner’s Office (ICO) – the UK data watchdog – could have imposed maximum fines of €20m, or 4 per cent of global turnover. Based on Facebook’s 2017 revenues, this could have meant a fine of up to $1.6bn.
Since the introduction of the GDPR, regulators have imposed hundreds of fines totalling more than €114 million, the largest of these being a record €50 million fine. However, as detractors pointed out at the time, some of the fines seem small compared to organisations’ revenues and global scale. In the UK, two significant fines have been brought, the first against British Airways (£183m) and the second against hotel group Marriott International (£99m). In each case, the ICO found that poor, easily rectifiable, security arrangements gave hackers access to customer information. Though these are the largest UK fines to be issued under GDPR laws to date, they are yet to be levied. The ICO has twice granted extensions so that companies have additional time to conduct further investigations and seek the views of other EU GDPR authorities.
You only need to look at the headlines most days to know that more fines are on the horizon, but action takes time to complete and cases can drag on for years (not to mention those penalties delayed because of COVID-19). The prospect of lengthy investigations and the ensuing appeals process is particularly daunting for many European nations that do not have the resources to rigorously uphold data protection regimes. The UK’s ICO has admitted to being overwhelmed by a flood of companies self-reporting violations. And a 2019 survey found 21 regulators from 30 EU countries believed that “resources are not enough” to fulfil their responsibilities. For context, and as the New York Times pointed out, Luxembourg – responsible for regulating Amazon – had a budget of €5.7 million last year. That equates to roughly 10 minutes of Amazon sales revenue. But as explained by Helen Dixon, Ireland’s data protection commissioner, regulators have leverage beyond investigations and fines. For instance, ‘Facebook delayed the release of its dating app…after the Irish authorities raised questions about its data collection’.
Against a backdrop of mild cynicism around the punitive nature of the fines that countries are currently bringing, there is, however, a growing consensus that the GDPR shows promise. For one thing, even if the fines themselves are rarely levied, with regulators favouring collaborative improvements instead, for some organisations it is the reputational damage that is the most significant chastener. And with massive cybersecurity attacks regularly garnering widespread attention in the national and trade press and eroding customer trust in the process, the long-term damage of this is difficult to ignore.
In the coming weeks, the EU will be releasing an investigation into its own activities over the last two years. Its findings will no doubt be measured, but its authors may also be heartened by the EU’s pioneering role in bringing about a global shift in perceptions and enforcement of data regulations. In the UK, consultants have been brought in to assess the ability of the ICO to hold the tech giants to account. But while introspection is important, and will likely find flaws and foibles, EU legislators have reasons to be proud of their creation as we approach its second birthday.