When, after four years of deliberation, the European Parliament finally approved the European Union’s General Data Protection Regulation (GDPR) in April 2016, the European Commission declared that the new rules would “ensure that the fundamental right to personal data protection is guaranteed for all.” The wide-reaching law was seen as a salve for consumers seeking greater privacy protections for their data: it gave internet-users the right to access data gathered about them online, required businesses to obtain affirmative consent before acquiring data about subjects, and mandated notifications within 72 hours of a data breach. The advocacy nonprofit Human Rights Watch has called GDPR “one of the strongest and most comprehensive attempts globally to regulate the collection and use of personal data.”
The law went into effect on May 25, 2018, but a year later, European regulators are facing obstacles to full implementation and enforcement, such as a backlog of unenforced violations and unmet resource needs. Corporations have also found new ways to continue collecting large amounts of data amidst the new regulations.
These outcomes after one year have raised questions about GDPR’s long-term viability: Can the law meet consumers’ rapidly evolving needs? Will it live up to its transformational promise? And what lessons has the US learned that will impact its own data privacy landscape?
Before GDPR was passed, the EU statute that regulated data privacy the most was the European Data Protection Directive 95/26/EC, which was first passed in 1995. In the two decades that followed, EU member states passed diverse, sometimes conflicting privacy laws, which made EU-wide enforcement difficult. In addition, the ways users interacted with the internet completely transformed, methods of data collection became more sophisticated, and the number of data breaches rose dramatically. GDPR was intended to address these problems. In 2012, the European Commission proposed a reform of EU data protection laws, which ultimately resulted in the GDPR. The regulation’s stated purpose is to “harmonize data privacy laws across Europe,” “protect and empower all EU citizens’ data privacy,” and “reshape the way organizations across the region approach data privacy.” Lawmakers allowed a two-year transition period, with enforcement scheduled to begin in May 2018.
One month before GDPR went into effect, the Ponemon Institute reported that only 52% of companies expected to be GDPR-compliant by the May deadline. A further 40% expected to come into compliance after that date, and only 10% said they were already in compliance.
When enforcement began, the majority of European regulators (public agencies within each of the EU member states responsible for enforcing GDPR) said they would need budget increases of 30 to 50% to meet the GDPR’s implementation and enforcement demands.
However, by February 2019, almost none had received the amount they requested. For some, budgets increased minimally or not at all. Other regulators stressed the need for expanded human resources departments to respond to the growing tide of data breach notifications flooding their inboxes. For at least nine regulators, HR departments had not expanded at all. Countries like Croatia, Greece, and Latvia still needed budget increases of 100% or more. Latvia said that it needed to increase its regulatory budget by 257% to meet the staffing demands of GDPR. Italy, Slovakia, and Romania needed to increase the size of their HR departments by 76%, 106%, and 142%, respectively, to address the backlog of complaints.
Despite these concerns, the European Commission concluded in its February 2019 report that GDPR had succeeded “quite well” in harmonizing regulations across the EU.
From May 2018 to February 2019, there were over 200,000 cases of GDPR enforcement. Of those, 94,622 were complaints and 64,684 were data breach notifications. As of February 2019, 48% of cases were either ongoing or moving through the appeals process. In May 2019, security firm ImmuniWeb published the results of a study that tested the 100 most-visited websites in EU member countries. It found that over 50% were still in violation of at least one GDPR policy. More than 78% were practicing insecure handling of cookies and/or sensitive data. “We can see laudable efforts aimed to improve web application security and adhere to GDPR requirements amid European companies,” said Ilia Kolochenko, ImmuniWeb CEO and founder, about the study. “However, there is a long road before the majority of organizations start … providing users with the privacy and security they truly deserve.”
Implementing and complying with GDPR has been costly for both companies and European regulators. It has also resulted in relatively few fines. Although fines have been issued in 11 countries, almost all fines have been less than €1 million, or about 1.3M USD – with one notable exception. In January 2019, Google was fined €50 million (56M USD) for violating GDPR rules in France, where it failed to disclose to users how the company collected data from its sites, including its principal search engine, and its applications Google Maps and YouTube. It was also fined for failing to disclose how these data were used for targeted advertising. As a result, Google’s fine constituted the bulk of the total €56 million (63M USD) collected in the first year of GDPR enforcement.
US and global harmonization efforts
In the wake of GDPR, governments around the world have drafted legislation to create privacy protections commensurate with the law. One notable response came in August 2018, when Brazil passed its General Data Privacy Law. The law’s provisions resemble many of GDPR’s, and it threatens fines of up to two percent of a company’s yearly global revenue for violations (GDPR allows fines of up to 4% in certain circumstances).
In the US, the most significant data privacy legislation since GDPR has been the California Consumer Privacy Act (CCPA). Like GDPR, it establishes sweeping consumer privacy protections, but with key differences. Where GDPR allows for fines of up to 4% of a company’s yearly revenue or $25 million, the CCPA mandates up to $7,500 per violation. Further, where GDPR requires consumers to opt in to data collection, CCPA requires that companies give consumers the right to opt out, but does not demand consent to begin collecting data. Despite these differences, CCPA is now the most comprehensive consumer privacy law of any US state, sparking other states and members of Congress to consider similar provisions. By May 2019, 13 states had introduced legislation that mirrored parts of CCPA, and Nevada had enacted a law that included CCPA-inspired provisions.
In May 2019, the Senate Commerce Committee and House Energy and Commerce Committee held hearings on consumer privacy. Topics included the economic benefits of data collection, the need for additional funding for the FTC, and the merits of a federal consumer privacy law. Conceptually, such a federal law has bipartisan support, though disagreements between Republicans and Democrats persist regarding how best to regulate big tech companies like Google and Facebook. Members of Congress also diverge on whether a federal law ought to resemble GDPR, CCPA, or something else entirely. Though it is not clear how likely – or how soon – the US could draft a federal privacy law, momentum is growing.
Many considered the first year of GDPR as its trial run. The year saw landmark shifts in the global landscape of data privacy, and in the wake of GDPR, countries all over the world have responded with data privacy laws of their own. In the US, federal and state legislators are grappling with how to respond to the privacy model laid out by the European law.
In Europe, regulators are still refining their approach to enforcing GDPR. A shortage of resources and evolving workarounds by companies have proved challenging, but there are signs that GDPR enforcement will become more rigorous. On the anniversary of the law’s passage, the head of France’s data protection authority said, “If [France] was relatively tolerant over the last year, a transition year, we consider that it’s now up to companies to be compliant in terms of data protection. … So we will not hesitate to impose sanctions, carefully and in a proportionate manner.” The coming years could reveal whether the law’s original goal – to provide comprehensive protections for consumers’ data privacy – is in reach. Regardless, the evolution of GDPR enforcement in Europe, and harmonization efforts in the US and around the world, will remain key to understanding the future of consumer data privacy.