It's been exactly three years since the EU's General Data Protection Regulation became effective. As a privacy reporter, I think I wrote "What if" stories about life under Europe's sweeping new privacy rule every week from 2016 until its official birthday, May 25, 2018. I remember the sheer panic. Companies terrified of getting slapped with a fine — up to four percent of global turnover — were logging on to privacy chat rooms and attending webinars in record numbers. It felt like Y2K, like on May 25, everything was going to change. The "gold standard of privacy law" was about to shake up the world.
Three years later, like Y2K, reality doesn't quite align with the expectations.
If you've been paying attention, there's been much criticism over the lack of GDPR enforcement. Sure, there have been headline-making fines, but the number of cases far outweighs the number of decisions DPAs have made. Critics also say the monetary penalties have been too low.
Most companies will tell you the cost of complying with the GDPR's strict provisions on things like consent management and data protection impact assessments has been too burdensome.
What do you think? Has the GDPR lived up to its hype?
For a sampling of reactions, I texted three of my friends in the privacy industry, each of them from a different sector.
I thought my friend Gabe, a DC-based attorney representing big companies regulated by the GDPR, said it well.
He said the GDPR exceeded expectations in its impact on consumer privacy awareness (just read any major newspaper, they've got a privacy reporter on staff). It's forced bigger businesses to clean up their data practices to avoid fines and headlines.
It hasn't stopped bad actors altogether, it hasn't halted tracking and surveilling users online, and it's arguably harder to start a data-driven business in the EU now. Sure, there's some work to do.
But possibly its most significant impact is that we're talking not about "if" we should regulate data governance but "how" we can best regulate it. That's a conversation we here in the U.S. can't even have yet; there's no law of which to speak.
Enjoy reading, and I'll see you next week!
1. Human rights court: UK spy agency violated right to privacy
Remember Edward Snowden's whistleblowing saga in 2013? The Grand Chamber of the European Court of Human Rights has finally ruled the U.K. spy agency's methods for "bulk interception of online communications violated the right to privacy," and the regime for collection of data was unlawful, The Guardian reports. The ruling confirms a lower court's 2018 judgment. However, GCHQ changed its surveillance practices in 2016 with the passage of the Investigatory Powers Act.
2. Politician who championed the GDPR calls for its reform
This week, one of the EU General Data Protection Regulation's lead politicians has said the law needs revising. Coinciding with the law's third anniversary, Parliamentarian Viviane Reding, former vice president of the European Commission, said the regulation's enforcement has been uneven. Reding, who led the GDPR effort through the Commission, said enforcement "against systematic stealing of data for commercial or political purposes is somehow not so strong." Instead, privacy regulators have focused on "the local football club."
3. State Senate to vote on New York Privacy Act
New York lawmakers will soon vote on a bill to give consumers more control over their personal data, Spectrum News reports. Senators will vote on the New York Privacy Act, requiring businesses to get consent before sharing consumers' personal data with a third party, the report states. It would also give consumers the right to opt out of having their data sold and the right to request that a company delete their data.
4. How does Virginia's privacy law compare to California's?
Virginia's Consumer Data Protection Act grants Virginia consumers rights over their data. It requires companies covered by the law to comply with rules on the data they collect, how it's treated and protected and with whom it's shared. It contains specific provisions on sensitive data, data used for targeting and data sales. This piece compares CDPA to California's two privacy laws, the California Consumer Privacy Act and the more recent California Privacy Rights Act.
5. EU antitrust regulators creeping in on privacy authorities' terrain
The EU antitrust and privacy authorities are getting competitive over the regulation of major tech companies. Where privacy authorities worry about how companies that collect large amounts of personal data are treating it, antitrust authorities worry about the fact they've collected so much at all. The idea is that the companies with the most data have the most market power. And when one company acquires another, the data trove -- and the powerful insights it provides -- can be enormous.
6. WhatsApp changes approach, won't punish users