Monday marks two years since the introduction of the General Data Protection Regulation (GDPR), Europe's wide-ranging regulation on the processing of personal data. Billed as a strong deterrent, with penalties potentially running into the billions, GDPR was widely expected to help citizens wrest back their data from the companies that have for years harvested, traded and monetised it, often with little regard for privacy and security.
For industry, GDPR signalled a fundamental change in the way it treated personal information, mandating an unprecedented level of data governance and transparency – arguably a more sustainable way of building customer relationships.
But questions remain as to whether either has been achieved, with experts arguing the legislation, and the bodies responsible for enforcing it, are still finding their feet as they battle companies with a vested interest in slowing GDPR’s ultimate impact.
So far the landmark regulation has seen mixed enforcement. Apart from a single €50 million fine imposed on Google by the French data regulator, tech and advertising giants have largely escaped significant financial penalties.
Telcos, utilities, national postal operators, real estate companies, insurance firms and Google (twice) are among the most heavily fined organisations, while hospitals, government representatives, YouTubers and welfare organisations have received the more modest penalties.
According to an analysis of GDPR fines by European privacy advocates, 273 finalised fines have been issued so far, totalling €153,525,487 and ranging from Google's €50 million penalty to a €90 fine against a Hungarian hospital for unlawfully charging patients a copy fee to access their own information.
But for tech giants these fines are the cost of doing business rather than an incentive to take data protection compliance seriously, according to one Cambridge Analytica whistleblower.
Overall enforcement has been lighter than many expected because of the complexity of the regulation and because under-resourced regulators are often left to rely on whistleblowers, according to Vince Mitchell, a professor of marketing at the University of Sydney.
“When you start [GDPR] investigations that are lengthy and complex, and difficult to prove culpability, the person power required to do that is actually quite a lot,” Mitchell told Which-50.
The legislation is in place, but European governments have failed to adequately resource their data regulators, making meaningful enforcement difficult, according to Brave, an internet browser company which markets itself as a privacy-focused alternative to the market leader, Google Chrome.
Frustrated by the lack of action against tech giants, Brave last month lodged complaints against 27 EU Member States for under-resourcing their national data protection watchdogs, citing its own report, which chronicles a lack of expertise and funding across Europe's privacy and data agencies.
Many share the concern about regulators' resources, and Brave's research documents the problem in detail. According to its report, only five of Europe's 28 national GDPR enforcers have more than 10 "tech specialists", and half of the enforcers have "small" budgets of less than €5 million.
Brave singled out the dwindling resources of Ireland’s data authority in particular because it is primarily responsible for GDPR action against Google and Facebook (the tech giants base their operations there to take advantage of generous tax settings).
“GDPR enforcers must be able to properly investigate ‘big tech’, and act without fear of vexatious appeals,” said Brave’s Chief Policy and Industry Relations Officer Dr Johnny Ryan.
“But the national governments of European countries have not given them the resources to do so. The European Commission must intervene.”
According to the University of Sydney's Mitchell, Europe's GDPR enforcement challenge is similar to the one faced by Australia's financial regulators, which are routinely outmatched by the legal firepower of the financial giants they police.
“There’s a mismatch, there’s an asymmetry between the people who are prosecuting and the people who were actually doing the business. So that’s not an uncommon thing.”
But it is particularly problematic with GDPR, Mitchell says, because the regulation is still at an early stage and deep knowledge of how data collection and processing actually works is scarce.
“Without proper resourcing, the legislation [GDPR] – I’m not quite saying it’s not worth the paper it’s written on because it is and it is being effective – but it can never reach its full potential.”
Mitchell says he’s disappointed in the lack of enforcement so far and that many companies have, despite publicly welcoming the regulation, not embraced its spirit. But he still sees the regulation as a critical mechanism to improving data practices.
Gartner analyst Bernard Woo told Which-50 one area where GDPR has had a significant impact is behavioural advertising, pointing to the rise in investigations around the world into programmatic advertising, the notoriously opaque automated process of buying and selling online ads based on consumer data.
“In some ways, [GDPR] was the final piece of the puzzle that led organisations such as Google to move away from the practice of using third party cookies to generate individual profiles used to support the programmatic advertising.”
Woo says GDPR has helped change the relationship organisations have with consumers, incentivising them to rely on first party data rather than sourcing that information elsewhere.
“At first glance, GDPR might seem to be an obstacle in that regard. Yet what GDPR has done is provide a framework within which organisations if they take the right steps – for example, towards transparency – find themselves with valuable first-party data from their customers as part of a trusting relationship which they can then use to personalise the experience.”
As for the lack of enforcement so far, Woo says two years is still a relatively short period of time and regulators need to mature too.
“During the first year, many of the regulators were in ‘reaction’ mode, focused on the handling of a significant volume of consumer complaints. In the second year, as regulators added staff and normalised a balance between receipt and processing of complaints, we have seen them take proactive and coordinated steps with respect to enforcement.”
Woo says it is only in the last year that regulators have begun to standardise their model for issuing fines, taking the lead from Germany and the UK.
“And we should keep an eye on the Irish regulator which indicated in its 2019 annual report, published February 2020, that it had 21 active investigations into the processing activities of global technology companies.”
Is GDPR working?
A lack of enforcement is not necessarily a sign of failure, and GDPR has paved the way for a growing body of data regulation around the world.
“The intent of the GDPR is for organisations to respect individuals’ privacy and process their data in a transparent manner that builds trust into that relationship,” Woo says.
“Are we there yet? No. Have we made progress? Absolutely.”
According to the Gartner analyst, privacy is increasingly a standalone function within organisations, rather than being a portion of someone’s responsibilities.
“There is still quite a bit of room for maturity in operations, but organisations have definitely understood the need to focus on privacy in their day-to-day operations. A lot can be attributed to the GDPR and the wave of like-minded legislation being adopted in many parts of the world, for example, California’s CCPA, Brazil’s LGPD, Thailand’s PDPA.”
The University of Sydney’s Mitchell argues GDPR is a “great blueprint” but we have yet to see it “properly implemented” because of both the complexity of the regulation and the resistance of some companies.
“You might think two years is long enough, in order to have an impact. In certain areas it should be, [but] in this area – because it’s so difficult and so complex – actually it’s quite reasonable that it’s going to take a few more years before we see [an impact].”
Mitchell says tech and advertising giants are "frustrating the process" and adding to the complexity because they have a vested interest in preventing tougher data-processing rules and global standards, which would ultimately harm their ability to profit from data.
And they have found allies in smaller companies, Mitchell says, which see GDPR as a costly compliance burden. "It's quite costly to put in the systems, particularly for SMEs, to make sure that they comply with all the criteria that GDPR requires."
Gai Le Roy, CEO of IAB Australia, the leading industry group representing online advertising companies, says the European regulation has made organisations focus more on the value of data and privacy. But she too notes the challenges in its interpretation and enforcement.
“As there are 28 different national supervisory authorities and Data Protection Authorities, many with different interpretations of GDPR, it has led to major challenges for businesses to enable an EU wide implementation.”
Le Roy says her IAB counterparts in Europe have developed a Transparency and Consent Framework for their members to help with compliance obligations, and a second version of the framework addresses the variance in national regulators' interpretations of GDPR.
“It’s fair to say that GDPR has been successful in helping industry focus on fairness and transparency in relation to data, but it is still early days in terms of creating great compliant user experiences. And we’re a long way away from it being easy for companies to address a range of fragmented regulation around the globe.”
The Australian Effect
The European regulation applies to data processing carried out by organisations established in the EU, but it also applies to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there.
The provisions mean organisations based in different markets, including Australia, took a range of approaches.
According to Le Roy, some Australian organisations adopted GDPR as their global standard for all consumers, while others updated their practices only for European consumers. Others saw the requirements as prohibitive and simply blocked content for European consumers. Another cohort, Le Roy explained, has little interaction with European consumers and has applied a "wait and see" approach.
With European regulators gearing up for more multimillion-dollar fines this year, and local regulators signalling that 2020 will be a "significant year for privacy reform in Australia", they may not have to wait much longer.