Has the landmark law helped build a culture of privacy in organizations and have consumers become more wary of sharing their personal data?
“Relying on the government to protect your privacy is like asking a peeping Tom to install your window blinds” – John Perry Barlow, EFF (July 1992).
Any individual who has the slightest engagement in the privacy of their personal data online will likely be sympathetic to Barlow’s quote. It’s been 2 years since the implementation of the General Data Protection Regulation (GDPR), the EU’s data protection and privacy regulation which aimed to give control to individuals over their personal data and to simplify the requirements on businesses.
Are there fewer data breaches? Are companies taking privacy and consent more seriously? Do individuals engage in the protection of their personal information more? It’s difficult to answer the question of whether GDPR has been successful as we don’t know what would have been the state of play if the data protection regulation it succeeded were still in place.
Without doubt, though, the global privacy landscape changed with GDPR. The legislation placed the privacy conversation front and center in capitals and board rooms around the world. There are now in excess of 100 countries and states with individual privacy regulations, some more strict than others, and some of them, such as Argentina, Brazil, Chile, Japan, Kenya, South Korea and California, have clearly taken GDPR as a base model for their own legislation.
The growing number of regulations around the world demonstrates both the need and the willingness of governing bodies to step in, but the growing number also creates complexity, something I discussed in a recent blogpost. The complexities of so many regulations probably mean that companies will look to harmonize their approach to privacy to comply with the majority and have a defensible position should they inadvertently breach a regulation.
Corporations, I am sure, have taken heed as regulators tasked with enforcing the GDPR started flexing their muscles and issuing fines or giving notice of intended fines. The first major fine, of €50 million (US$54 million), was issued in January 2019 to Google by the French data protection authority CNIL for showing insufficient control, consent and transparency over the use of personal data for behavioral advertising.
This was eclipsed by a mammoth £183 million (US$221 million) fine issued by the British Information Commissioner’s Office (ICO) against British Airways in July 2019 for poor security that resulted in a malicious attack that affected 380,000 website transactions. In comparison, Facebook was fined a mere £500,000 (US$605,000) by the ICO regarding the Cambridge Analytica scandal, which happened shortly before the implementation of GDPR and was the maximum fine at the time.
What’s the law got to do with it?
As a consumer, if you are in a country where privacy legislation has taken a similar approach to the GDPR, you will be used to seeing the numerous consent dialogues that companies are now required to display when collecting your personal data. The bold position of requiring opt-in consent set the bar for future legislation by other authorities; even if opt-out became the chosen route, the prominence of the message, which can probably, in part, be attributed to GDPR, at least gives the consumer the opportunity to make an informed decision.
There has also been a sea change in product and service development, and this too can probably, in part, be attributed to the GDPR. At the inception of a new product or service, privacy by design and default is now a relatively standard approach for any team to consider as projects come to fruition. Consumers now expect there to be a trusted relationship with a vendor, and the vendor understands that this will bring long-term commercial success.
It seems impossible to write this blogpost without mentioning the current COVID-19 predicament, with the numerous contact-tracing apps and location mapping data being provided to governments by telecom carriers. While privacy may have been put on hold in some cases, or at least modified to a point that in normal circumstances would be unacceptable, the visibility on personal information privacy that both the GDPR and the Cambridge Analytica scandal created has caused global scrutiny of the use of data to help solve the current pandemic. This scrutiny has seen governments backtrack on proposals and technology companies innovate new methods to ensure anonymity; there’s also a general consensus that a contact-tracing app needs to respect the user’s right to privacy.
The GDPR has given privacy advocates across the globe a legitimate voice and ensured that their concerns are considered and listened to. The big question, though, remains: ‘Have citizens become the owners of their personal data?’ I leave you with an inspired quote from the late Steve Jobs…
“Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.” – Steve Jobs