Has the EU General Data Protection Regulation (GDPR) been a success?

By Pablo Quero Cisneros, Business Management student at University of Essex

Introduction

The GDPR has not been a success, but something is blowing in the wind. Back in January 2012 the European Commission already acknowledged the need for a reform of the existing data protection directive of 1995 (European Data Protection Supervisor, 2016). Technology and data processing had progressed at a pace that regulation could not keep up with, threatening citizens’ rights. This state of unrest was reinforced by key events such as Snowden’s revelations of mass surveillance (Blake, 2015; Smith, 2016; Rossi, 2018; Coyne, 2019) and the Cambridge Analytica scandal, in which personal information was accessed without consent (Isaak and Hanna, 2018; Schneble, Elger and Shaw, 2018). Europe’s response came in the shape of the GDPR (GPDR.eu, 2020), which promised to bring a breath of fresh air to the stale privacy scene. Given the scope and dependencies of the regulation, there is no simple or unique way of assessing its success (or lack of it). Hence, this essay explores the subject from three perspectives, institutional, corporate and social, and proposes solutions and recommendations for the future.

Institutional

Measuring the wind from an institutional direction, the GDPR has been rather successful. The regulation considered the technical and legal challenges and placed citizens’ rights at the centre, standing its ground against aggressive lobbying from Big Tech (Rossi, 2018; Coyne, 2019). Some examples include a broad range of specific privacy rights for EU residents, the enforcement of those rights overseas, and the new substantial fine scheme. Europe has historically been at the vanguard of privacy law (European Data Protection Supervisor, 2016), and the GDPR consolidated this position by becoming the new ‘gold standard’ (Buttarelli, 2016; Albrecht, 2017), providing a robust and compelling array of rights to its residents. The regulation encouraged other governments and institutions to adopt regulations similar in content and structure, setting the foundations of modern privacy. Moreover, it influenced and helped shape novel privacy regulations around the globe such as the CCPA (Voss, 2021), the LGPD (Erickson, 2019), and many more.

However, the enforcement of the GDPR has not been flawless. Organizations demanded assistance and clarification from regulators, since the law did not provide enough practical guidance. Moreover, regulators were underfunded and understaffed (Vergnolle, 2021), limiting their capability to enforce the regulation effectively. Furthermore, regulators have not been as punitive as originally expected: the breath-taking headlines announcing hundreds of millions in fines for some of the largest data breaches were ultimately decimated on appeal (BBC, 2020; Lawyer Monthly, 2020).

Corporate

For corporates, the GDPR was a drastic change of wind, considered by many as a failure and a barrier preventing them from reaching their financial goals. The feeble regulatory climate that existed before the GDPR had, for the last couple of decades, allowed organizations to adopt and leverage new data processing technologies with minimal oversight and responsibility. New technologies such as big data, artificial intelligence and cloud computing sculpted the data processing landscape the same way the wind erodes natural landscapes: small but permanent changes compounded over time. An ambitious regulation like the GDPR demanded an elevated level of commitment, resources and change that only a few organizations were able to execute (Freitas and Mira da Silva, 2018). Unlike accounting, tax or employment law, privacy and data protection is a relatively new discipline that had not been considered during the design and implementation of the three business pillars: people, process and technology. This added an extra layer of complexity, since most organizations were not ready to undertake the required transformational changes. In practice, most organizations failed to implement the new data privacy regulation effectively (Almeida Teixeira, Mira da Silva and Pereira, 2019). Roles were not properly aligned with the new responsibilities, with efforts in most instances limited to appointing a new data protection officer. Policies and procedures such as records of processing activities, data maps and data transfer agreements were generated or updated according to the new requirements as a one-off exercise rather than as a continuous programme, and soon became outdated. Finally, existing systems such as web tracking technology, data lakes and communication platforms lacked privacy by design, forcing organizations to incur costly, complex and lengthy projects to update and remediate their ecosystems. Unsurprisingly, a large percentage of European organizations were still not compliant years after the regulation was approved (Consultancy.uk, 2019; Wolford, 2019).

Social

Looking at which way the social wind is blowing, internet users are still at a disadvantage when trying to protect their privacy online. While it is true that newly ‘compliant’ privacy policies have become more readable than they used to be, a study found that the average policy takes 18 minutes to read and requires college-level reading ability (Litman-Navarro, 2019). As a result, users tend not to read them, or merely skim them, before blindly and uninformedly accepting any demands and risks (Steinfeld, 2016). A similar imbalance can be found when trying to disable browser tracking technology (cookies): disabling them completely makes most websites unusable, while disabling them on an ad hoc basis is frustrating. The regulation clearly states that users must explicitly give consent for this kind of tracking (such as by ticking a box), but in practice it is not that simple. Organizations have mastered the art of nudging consumers into certain behaviours (Hoyt, 2009), and they apply these techniques to induce visitors into accepting their cookies through user experience shenanigans that make refusal tedious, unintuitive and time consuming (Bermejo Fernandez et al., 2021). The author wonders how lawful it is to mask this consent under the legitimate interest justification, forcing users to ‘disable’ cookies as well as ‘object to’ legitimate interest tracking. And all this assumes these websites are compliant, despite studies showing that most of them were still not compliant years after the regulation came into effect (Degeling et al., 2019). This allows companies to profile their users, making it hard for them to avoid hyper-targeted advertisements and even leading them to become addicted to these platforms (Chaffey and Smith, 2013; Orlowski, 2020). Finally, data breaches have continued to grow in frequency and size over the last decade (IBM, 2020; Sobers, 2020; Verizon, 2021). This is probably the most significant measure for assessing the effectiveness of a privacy regulation, and the results are not very comforting. Over 9.7 billion records have been breached since 2013 (Sobers, 2020), more records than there are people in the world, and this number keeps growing daily. It seems almost impossible to have a spam- and scam-free email address or telephone number these days, as such contact details will eventually be exposed or sold for marketing or malicious purposes.

GDPR Forecast

However, despite the arguments shared above, it could be argued that the GDPR is not a failure; instead, the problem lies in the expectations. The GDPR successfully set the theoretical foundations for privacy in modern societies, but expecting an effective implementation in such a short span was never realistic. Everyone has been working to adopt and get used to the new regulation, with limited success thus far. Nonetheless, like tailwinds, these efforts are pushing in the right direction, and the author is confident that success is possible. To achieve it, however, institutions, corporates and individuals must continue to make efforts and seek unity and collaboration rather than blaming each other. Institutions must continue to provide guidance and create forums to help organizations share best practices, as well as inform and educate individuals on their rights and potential risks. Corporates must continue to invest in their privacy programmes and weave privacy into their organizational fabric as an ongoing priority. In addition, corporates must embrace privacy during design stages and adopt privacy-enabling technologies such as anonymization, data loss prevention and encryption (Wang and Kobsa, 2008; Heurix et al., 2015). Moreover, society must continue to demand high privacy standards, rewarding and praising privacy-sensitive organizations and actively participating in the privacy movement.

Conclusion

Privacy rights are essential for the prosperity of democratic societies. However, after five years of being enforced, the GDPR has not yet been a success. The privacy hurricane that the European Commission promised ended up being a breeze in practice. Wind is the result of changes in atmospheric pressure in the environment; similarly, we need to reactivate the winds of privacy change in the right direction by applying pressure and effort to the right elements. As discussed throughout this piece, there are several practical limitations at all levels that prevent us from celebrating a successful implementation of the GDPR at present. Everyone needs to keep working together to make this happen sooner rather than later. The success of the GDPR is imperative; it must happen. Therefore, the author proposes an alternative question for further consideration: “When will the GDPR be considered a success?”

REFERENCES
  • Albrecht, J. P. (2017) ‘How the GDPR Will Change the World’, European Data Protection Law Review, 2(3), pp. 287–289. Available from: https://heinonline.org/HOL/Page?handle=hein.journals/edpl2&id=313&div=&collection= (Accessed: 29 April 2022).
  • Almeida Teixeira, G., Mira da Silva, M. and Pereira, R. (2019) ‘The critical success factors of GDPR implementation: a systematic literature review’, Digital Policy, Regulation and Governance, pp. 402–418. Available from: https://www.emerald.com/insight/content/doi/10.1108/DPRG-01-2019-0007/full/html (Accessed: 28 April 2022).
  • BBC (2020) ‘British Airways fined £20m over data breach’, BBC News. Available from: https://www.bbc.co.uk/news/technology-54568784 (Accessed: 29 April 2022).
  • Bermejo Fernandez, C., Chatzopoulos, D., Papadopoulos, D. and Hui, P. (2021) ‘This Website Uses Nudging: MTurk Workers’ Behaviour on Cookie Consent Notices’, Proceedings of the ACM on Human-Computer Interaction, 5(CSCW2), pp. 1–22. Available from: https://doi.org/10.1145/3476087 (Accessed: 28 November 2021).
  • Blake, M. C. (2015) The Snowden Effect: The Conflict in a Free Society, Who Values Privacy Versus Who Values Security? Bemidji State University. Available from: https://www.bemidjistate.edu/academics/departments/political-science/wp-content/uploads/sites/40/2015/10/Matthew-Blake-Senior-Thesis-2015-b.pdf (Accessed: 15 November 2020).
  • Buttarelli, G. (2016) ‘The EU GDPR as a clarion call for a new global digital gold standard’, International Data Privacy Law. Oxford Academic, pp. 77–78. Available from: https://academic.oup.com/idpl/article/6/2/77/2404469 (Accessed: 29 April 2022).
  • Chaffey, D. and Smith, P. (2013) eMarketing Excellence: Planning and optimizing your digital marketing. 4th edn. Routledge.
  • Consultancy.uk (2019) 30% of European businesses still not GDPR compliant, Consultancy.UK. Available from: https://www.consultancy.uk/news/21951/30-of-european-businesses-still-not-gdpr-compliant (Accessed: 29 April 2022).
  • Coyne, H. (2019) ‘The Untold Story of Edward Snowden’s Impact on the GDPR’, The Cyber Defense Review, 4(2), pp. 65–80. Available from: https://www.jstor.org/stable/26843893.
  • Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F. and Holz, T. (2019) ‘We Value Your Privacy ... Now Take Some Cookies: Measuring the GDPR’s Impact on Web Privacy’. Available from: https://dx.doi.org/10.14722/ndss.2019.23378.
  • Erickson, A. (2019) ‘Comparative Analysis of the EU’s GDPR and Brazil’s LGPD: Enforcement Challenges with the LGPD’, Brooklyn Journal of International Law, 44(2), p. 859. Available from: https://heinonline.org/HOL/Page?handle=hein.journals/bjil44&id=873&div=&collection= (Accessed: 29 April 2022).
  • European Data Protection Supervisor (2016) The History of the General Data Protection Regulation, EDPS. Available from: https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en (Accessed: 29 April 2022).
  • Freitas, M. da C. and Mira da Silva, M. (2018) ‘GDPR Compliance in SMEs: There is much to be done’, Journal of Information Systems Engineering & Management, 3(4), pp. 1–7. Available from: http://www.jisem-journal.com/article/gdpr-compliance-in-smes-there-is-much-to-be-done-3941.
  • GPDR.eu (2020) General Data Protection Regulation (GDPR) Compliance Guidelines, Gpdr.Eu. Available from: https://gdpr.eu/ (Accessed: 29 April 2022).
  • Heurix, J., Zimmermann, P., Neubauer, T. and Fenz, S. (2015) ‘A taxonomy for privacy enhancing technologies’, Computers and Security, 53, pp. 1–17. Available from: http://dx.doi.org/10.1016/j.cose.2015.05.002 (Accessed: 6 May 2022).
  • Hoyt, G. M. (2009) ‘Nudge: Improving Decisions About Health, Wealth, and Happiness’, International Review of Economics Education, 8(1), pp. 158–159. Available from: https://linkinghub.elsevier.com/retrieve/pii/S1477388015300736 (Accessed: 4 July 2021).
  • IBM (2020) Cost of a Data Breach Report 2020, IBM Security. Available from: https://www.ibm.com/downloads/cas/ZBZLY7KL (Accessed: 6 May 2022).
  • Isaak, J. and Hanna, M. J. (2018) ‘User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection’, Computer, 51(8), pp. 56–59. Available from: https://ieeexplore.ieee.org/document/8436400/ (Accessed: 20 June 2021).
  • Lawyer Monthly (2020) ‘Marriott International GDPR Fine: What Did We Learn?’, Lawyer Monthly. Available from: https://www.lawyer-monthly.com/2020/11/18-4-million-marriott-international-gdpr-fine-announced-by-ipo-what-did-we-learn/ (Accessed: 29 April 2022).
  • Litman-Navarro, K. (2019) ‘We read 150 privacy policies. They were an incomprehensible disaster’, The New York Times. Available from: https://www.nytimes.com/interactive/2019/06/12/opinion/facebook-google-privacy-policies.html (Accessed: 28 November 2021).
  • Orlowski, J. (2020) The Social Dilemma. US: Netflix. Available from: https://www.netflix.com/title/81254224.
  • Rossi, A. (2018) ‘How the Snowden Revelations Saved the EU General Data Protection Regulation’, International Spectator, 53(4), pp. 95–111. Available from: https://www.tandfonline.com/doi/abs/10.1080/03932729.2018.1532705 (Accessed: 29 April 2022).
  • Schneble, C. O., Elger, B. S. and Shaw, D. (2018) ‘The Cambridge Analytica affair and Internet‐mediated research’, EMBO reports, 19(8). Available from: https://onlinelibrary.wiley.com/doi/10.15252/embr.201846579 (Accessed: 29 April 2022).
  • Smith, C. (2016) ‘The Snowden effect: Three years after Edward Snowden’s mass-surveillance leaks, does the public care how they are watched?’, Index on Censorship, 45(3), pp. 48–50. Available from: http://journals.sagepub.com/doi/10.1177/0306422016670343 (Accessed: 15 November 2020).
  • Sobers, R. (2020) The World in Data Breaches, Varonis. Available from: https://www.varonis.com/blog/the-world-in-data-breaches (Accessed: 6 May 2022).
  • Steinfeld, N. (2016) ‘“i agree to the terms and conditions”: (How) do users read privacy policies online? An eye-tracking experiment’, Computers in Human Behavior, 55, pp. 992–1000. doi: 10.1016/j.chb.2015.09.038.
  • Vergnolle, S. (2021) ‘Enforcement of the DSA and the DMA-What did we learn from the GDPR?’, Max Planck Institute for Innovation and Competition, 21–25, pp. 103–108. Available from: https://hal.archives-ouvertes.fr/hal-03605110/document (Accessed: 6 May 2022).
  • Verizon (2021) Data Breach Investigations Report 2021. Available from: https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2021-dbir-executive-brief.pdf (Accessed: 6 May 2022).
  • Voss, W. G. (2021) ‘The CCPA and the GDPR are not the Same: Why You Should Understand Both’, CPI Anti-Trust Chronicle, pp. 1–8.
  • Wang, Y. and Kobsa, A. (2008) ‘Privacy-enhancing technologies’, in Handbook of Research on Social and Organizational Liabilities in Information Security. IGI Global, pp. 203–227. Available from: https://www.igi-global.com/chapter/privacy-enhancing-technologies/21343 (Accessed: 6 May 2022).
  • Wolford, B. (2019) Millions of small businesses aren’t GDPR compliant, our survey finds, GDPR.eu. Available from: https://gdpr.eu/2019-small-business-survey/ (Accessed: 29 April 2022).