One of the defining moments for tech in 2018 was on May 25, when the EU implemented its General Data Protection Regulation — the ominous GDPR. The ambitious legislation is the toughest privacy and security law in the world and was meant to guarantee users better control over their personal data. But has it? For most people, both in the EU and outside, the ‘better control’ only took form in a myriad of annoying consent pop-ups on seemingly every single site they visited.
First things first though, what exactly is GDPR?
If you’re already an expert on GDPR, you can probably skip this section. But considering that
When the EU says it wants to give people better control over their personal data, it means it. All EU data subjects (legalese for EU citizens and residents who use computers and stuff) now have the right to have a say in how organizations handle their data, as they’re only ‘lending’ the data — your personal data should belong to you and nobody else.
So under GDPR, you have the right to:
- Information about how your personal data is processed
- Obtain access to the personal data held about you
- Ask for incorrect personal data to be corrected
- Request personal data to be erased (e.g. when its processing is unlawful)
- Object to your personal data being used for marketing purposes
- Request the restriction of the processing of your personal data in specific cases
- Data portability
- Request that decisions based on automated processing involving you or your data are made by natural persons, not only by computers
In order to enforce this, GDPR allows ‘data subjects’ to seek compensation for damages. But the biggest enforcement tool is the possible fine for violating GDPR: up to 4 percent of global revenue or €20 million, whichever is higher.
This staggering amount ensures that even tech Goliaths will be wary of GDPR, but its reach also plays a big part. The legislation actually applies to any company that handles personal data of EU citizens or residents — which is why GDPR was such a big deal in 2018.
GDPR puts a lot of responsibility on companies and how they handle people’s data. Those responsibilities include not using people’s personal data in any way without proper authorization or reason. That can, for example, be unambiguous consent, a court order, or processing that is necessary to execute or prepare a contract with the person, e.g. a background check before leasing them an apartment.
However, companies are also allowed to process a person’s data if there’s “legitimate interest” — which is just as vague as it sounds and is one of the major culprits for the confusion surrounding GDPR. We’ll probably see better definitions and guidelines for this in 2019, but it should refer to common sense usage.
Companies are also required to have appropriate data security and transparent data processing, and have to notify affected data subjects within 72 hours or face penalties. This last obligation is great, but it hasn’t had much impact in 2018, as there have been a ton of big data breaches, most of which didn’t notify affected users within the 72-hour period. Facebook waited more than two months to announce its latest data breach.
Wait, so if the rules aren’t followed, is GDPR worth anything? Well, let’s check in with the experts.
Not much enforcement in 2018
Raegan MacDonald is the Senior Policy Manager and EU Principal at Mozilla, a company
“While it is early, I haven’t yet seen that impact, although some progress is being made,” MacDonald told TNW. “Many companies have updated their privacy policies and created tools to give users more control, such as ways to request that their data be deleted.”
However, MacDonald is disappointed with how superficial this approach has been: “Many companies appear to be interpreting GDPR as narrowly as possible. I’m concerned that privacy is still by default put at risk without users understanding or having meaningful control.”
This is disappointing because one of the goals of GDPR was to encourage (or forcefully nudge) companies to implement privacy by design, but MacDonald is optimistic about the future: “We haven’t seen the big fines levied just yet. But I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement.”
She points out that there are nine EU member states that have yet to implement GDPR, and the new regulator — the European Data Protection Board — is still setting up shop, so it’s no wonder things are moving
“Starting in 2019, I expect this ‘grace period’ to end, where companies will either shape up or face serious fines by regulators. Laws are only as strong as their enforcement, and we are encouraged by the fact that many data protection authorities are starting to closely scrutinize the underwhelming implementation measures taken by some companies (and the thousands of complaints filed).”
There have been a number of high profile complaints lodged with data protection agencies (
It’s great that complaints are being filed to
“Mozilla strongly believes that users should be given meaningful control, not just tools buried in privacy notices or deep within settings menus. And ultimately, we need strong enforcement in Europe against those companies that aren’t genuinely delivering on the principles in the GDPR.”
Companies like Mozilla have started creating tools, like anti-tracking features in browsers, but more need to adopt GDPR’s mentality to truly deliver on people’s control over their data. What it seems to boil down to, as MacDonald points out, is the need for better enforcement — so where are the regulators?
GDPR will be felt in 2019
GDPR has only been effective for a few months, but regulators have been far from idle.
The Irish DPC plays a pivotal role in the implementation and enforcement of GDPR, as many of the world’s biggest tech companies have their EU headquarters in Ireland. That means that complaints filed against companies like Facebook, Twitter, Microsoft, LinkedIn, and soon Google are under the purview of the DPC.
TNW spoke to Graham Doyle, Head of Communications with the Irish DPC, about GDPR’s first few months. For him, it’s obvious that GDPR has made people in general much more aware of the issue regarding personal data. A big indicator of that is the number of incidents reported
“We conducted a survey in early 2017 where we assessed the awareness levels of the GDPR among businesses in Ireland and found it to be between 30 and 40 percent,” Doyle told TNW. “However, when we redid the survey in May 2018, we were at around 90 percent awareness levels.”
GDPR clearly had an impact in 2018, as it made people think more about how their personal data is handled. Doyle is happy with this: the DPC spends considerable resources on awareness, since it considers educating businesses and the public to be a key part of its role.
“We take a twin-pronged approach to upholding GDPR: enforcement and engaged supervision,” says Doyle. “Engaged supervision is where we engage with organizations, consult on personal data-related legislation, and with companies regarding their new products. Basically, when we engage with organizations, we try to assist them in getting it right from the beginning.”
This approach is understandable, as it’s undeniably better for companies to get it right the first time — and prevent any personal data from being compromised — than to focus solely on punishing offenders. However, Doyle adds that the DPC also intends to fulfill its corrective role, and the lack of enforcement in the first few months of GDPR shouldn’t be interpreted as inactivity.
“The new toolkit that the GDPR has provided
When asked when we could be expecting investigations to come to an end, Doyle was clear: “We’ll certainly be concluding some of the bigger investigations in 2019.”
Original source: The Next Web