It’s hard to believe it’s already been five years since the European Union implemented the General Data Protection Regulation (GDPR), the most far-reaching data privacy protection law at the time. Data suggests that, as the years have passed, consumers have grown to like the law. However, tech companies still have some work to do, as evidenced by Meta’s recent $1.3 billion fine for violating the GDPR.
Before the GDPR went into effect on May 25, 2018, there was no single overarching data privacy law covering Europe. Different countries had different laws, making it difficult for companies to navigate the regulatory landscape. GDPR changed all that by clearly spelling out the requirements that companies (and other organizations) must follow before collecting and using people’s private data.
For starters, companies must gain consent from users to collect and use their data. GDPR required them to store the data securely, and notify people if security is breached. People (that is, European residents) also gained the right to request information on how their data is used from companies. They also gain some power to stop companies from using their data, the so-called (but misnamed) “right to be forgotten” provision.
Under GDPR, companies were required to swiftly respond to requests from people. There were also new restrictions on the movement of data across borders (although inter-European transfers were still allowed). Companies that failed to abide by GDPR rules faced fines equal to up to 4% of their annual revenue.
The law is credited with putting an end to some of the most egregious abuses of big data. Events such as Cambridge Analytica scandal made people skeptical of untamed data collection hoovering. With the Wild West days of big data over (at least in Europe), investments in data governance increased. Instead of making a quick and easy buck exploiting people’s private data, GDPR encouraged companies to demonstrate good data stewardship and thoughtful application of analytics and AI (or more thoughtful, anyway).
The new law quickly became the model for similar data privacy laws in other jurisdictions, including the state of California, where the California Consumer Privacy Act (CCPA) went into effect in January 2020. Other countries and states implemented laws similar to GDPR, although the United States still has not yet enacted a data privacy law at the national level.
After five years under GDPR, things appear to be settling down, and data professionals are figuring out how to navigate around the laws pillars of protection. According to a Piwik PRO survey of 300 marketing executives and decision makers, understanding of GDPR is on the upswing across Europe. The survey found that more than 80% of EU companies find a balance between effective marketing and privacy compliance possible to achieve, a figure almost 20% more than last year.
More than 70% of study participants say they perceive GDPR as being easy to understand, according to the Piwik PRO survey, while nearly 80% say that laws like GDPR are important, up 5% from a year ago. Nearly 60% of companies are using marketing software with servers based in Europe, and about 75% are considering replacing their big tech tools with European alternatives, the survey says.
The data sovereignty aspect of the GDPR recently got Facebook-parent Meta in trouble. On Monday, Meta was fined €1.2 billion ($1.2 billion) by the Irish Data Protection Commission for moving data on European residents to servers based in the US. That is the biggest GDPR fine to date, and comes on top of an $887 million fine assessed to Amazon in Luxembourg and a $267 million fine on Meta’s WhatsApp property, also in Ireland.
The Irish regulator also stated that Meta would no longer be allowed to shared data on Europeans with its business customers in the US under provisions of the Privacy Shield framework. EU and US officials are working on a replacement for that data-sharing framework, called the European Data Privacy Framework, but the officials have not yet finalized the deal and it has yet to go into effect.
While GDPR as a whole “changed the world for the better,” the data-sharing provision of GDPR are nearly unworkable, according to privacy expert Aaron Mendes, the CEO and co-founder of PrivacyHawk.
“International companies have had to set up dedicated cloud architecture within Europe, which requires them to have duplicates of their product and maintain two versions to comply,” Mendes says. “While the spirit of this component of GDPR is to protect people’s data from going overseas where it can be used without the oversight of the European Union, it has just turned out not to be a realistic regulation.”
While Meta’s data-sharing activities may have complied with the new framework, Mendes faults the social media giant for failing to abide by the letter of the law.
“In pursuing profit, rather than comply with or leave the EU, they appear to have intentionally violated this regulation. So they deserve what they got. And they can easily afford it,” he says. “Also, it is widely accepted that Meta has been one of the worst violators of consumer privacy in history over the last 20 years. They have a little regard for consumer privacy and typically do the bare minimum required by law or public sentiment.”
While the tech giants get the biggest fines, not all GDPR violators have deep pockets. Many smaller companies, including dentists, restaurants, and beauty salons, have run afoul of the data privacy law. European data regulators may just be warming up, as they issued a record €1.65 billion in fines last year, a 50% increase from 2021, according to a DLA Piper survey.
Reflections on GDPR Turning Three
2018 – GDPR and the Big Data Backlash