Has the EU General Data Protection Regulation (GDPR) been a success?
By Pablo Quero Cisneros, Business Management student at University of Essex
The GDPR has not been a success, but something is blowing in the wind. Back in January 2012 the European Commission had already acknowledged the need to reform the existing Data Protection Directive of 1995 (European Data Protection Supervisor, 2016). Technology and data processing had progressed at a pace that regulation could not keep up with, threatening citizens’ rights. This sense of unrest was fuelled by key events: Snowden’s 2013 revelations of mass surveillance, which broke while the regulation was still being negotiated (Blake, 2015; Smith, 2016; Rossi, 2018; Coyne, 2019), and, shortly before it took effect, the Cambridge Analytica scandal over access to personal information without consent (Isaak and Hanna, 2018; Schneble, Elger and Shaw, 2018). Europe’s response came in the shape of the GDPR (GDPR.eu, 2020), adopted in 2016 and applicable from May 2018, which promised to bring a breath of fresh air to the stale privacy scene. Given the scope and dependencies of the regulation, there is no simple or unique way of assessing its success (or lack of it). Hence, this essay explores the subject from three perspectives, institutional, corporate and social, and proposes solutions and recommendations for the future.
Measuring the wind from the institutional direction, the GDPR has been rather successful. The regulation weighed the technical and legal challenges, placed citizens’ rights at the centre, and stood its ground against aggressive lobbying from Big Tech (Rossi, 2018; Coyne, 2019). Examples include a broad set of specific privacy rights for EU residents (access, rectification, erasure and portability among them), the extension of those rights to organizations outside the EU that process EU residents’ data, and a substantial new fine scheme of up to 4% of worldwide annual turnover or €20 million, whichever is higher. Europe has historically been at the vanguard of privacy law (European Data Protection Supervisor, 2016), and the GDPR consolidated this position by becoming the new ‘gold standard’ (Buttarelli, 2016; Albrecht, 2017), offering residents a robust and compelling array of rights. It encouraged other governments and institutions to adopt regulations similar in content and structure, laying the foundations of modern privacy law, and it influenced and helped shape novel privacy regulations around the globe such as California’s CCPA (Voss, 2021), Brazil’s LGPD (Erickson, 2019), and many more.
However, enforcement of the GDPR has not been flawless. Organizations demanded assistance and clarification from regulators because the law did not provide enough practical guidance. Regulators were underfunded and understaffed (Vergnolle, 2021), limiting their capability to enforce the regulation effectively. Furthermore, regulators have not been as punitive as originally expected: the breath-taking headlines that announced hundreds of millions in fines for some of the largest data breaches were followed by final penalties amounting to a fraction of the announced sums once the organizations appealed (BBC, 2020; Lawyer Monthly, 2020).
For corporates, the GDPR was a drastic change of wind, considered by many a failure and a barrier preventing them from reaching their financial goals. For a couple of decades the feeble regulatory climate that preceded the GDPR had allowed organizations to adopt and leverage new data processing technologies with minimal oversight and responsibility. New technologies such as big data, artificial intelligence and cloud computing sculpted the data processing landscape the way the wind erodes natural landscapes: small but permanent changes compounded over time. An ambitious regulation like the GDPR demanded a level of commitment, resources and change that only a few organizations were able to deliver (Freitas and Mira da Silva, 2018). Unlike accounting, tax or employment law, privacy and data protection is a relatively new discipline that had not been considered in the design and implementation of the three business pillars: people, process and technology. This added an extra layer of complexity, since most organizations were not ready to undertake the required transformational changes. In practice, most organizations failed to implement the new data privacy regulation effectively (Almeida Teixeira, Mira da Silva and Pereira, 2019). Roles were not properly aligned with the new responsibilities; in most instances efforts were limited to appointing a data protection officer. Policies and procedures such as records of processing activities, data maps and data transfer agreements were generated or updated as a one-off exercise rather than as a continuous, ongoing programme, and soon became outdated. Finally, existing systems such as web tracking technology, data lakes and communication platforms lacked privacy by design, forcing organizations into costly, complex and lengthy projects to update and remediate their ecosystems.
Unsurprisingly, a large percentage of European organizations were still not compliant years after the regulation was approved (Consultancy.uk, 2019; Wolford, 2019).
Looking at where the social wind is blowing, internet users are still at a disadvantage when trying to protect their privacy online. While it is true that newly ‘compliant’ privacy policies have become more readable than they used to be, a study found that the average policy takes 18 minutes to read and requires college-level reading ability (Litman-Navarro, 2019). As a result, users tend not to read them, or merely skim them, before blindly accepting whatever demands and risks they contain (Steinfeld, 2016). A similar imbalance appears when trying to disable browser tracking technology (cookies). Disabling cookies completely makes most websites unusable; disabling them on an ad-hoc basis is frustrating. Strictly speaking, the rule that non-essential cookies require consent comes from the ePrivacy Directive, but it borrows the GDPR’s definition of consent: a clear affirmative action by the user, such as ticking a box. In practice it is not that simple. Organizations have mastered the art of nudging consumers into certain behaviours (Hoyt, 2009) and apply these techniques to induce visitors to accept cookies through interface tricks (so-called dark patterns) that make refusal tedious, unintuitive and time consuming (Bermejo Fernandez et al., 2021). A common one is to present tracking under a separate ‘legitimate interest’ basis, so that a user who has already declined cookies must also ‘object’ to each legitimate interest purpose; the author questions how lawful this is, since storing or reading non-essential cookies requires consent under the ePrivacy Directive regardless of the basis claimed for the later processing. And all this assumes the websites are compliant, even though studies showed that most of them were still not compliant after the regulation came into effect (Degeling et al., 2019). This allows companies to profile their users, making it hard for them to avoid hyper-targeted advertisements and even leading to addiction to these platforms (Chaffey and Smith, 2013; Orlowski, 2020). Finally, data breaches have continued to grow in frequency and size over the last decade (IBM, 2020; Sobers, 2020; Verizon, 2021).
This is probably the most significant measure of the effectiveness of a privacy regulation, and the results are not very comforting. Over 9.7 billion records have been breached since 2013 (Sobers, 2020), more records than there are people in the world, and the number keeps growing daily. It seems almost impossible to keep an email address or telephone number free of spam and scams these days; sooner or later such contact details are exposed or sold for marketing or malicious purposes.
However, despite the arguments above, it could be argued that the GDPR is not a failure; the problem lies with expectations. The GDPR successfully set the theoretical foundations for privacy in modern societies, but expecting effective implementation in such a short span was never realistic. Everyone has been working to adopt and get used to the new regulation, with limited success thus far. Nonetheless, like tailwinds, these efforts push in the right direction, and the author is positive that success is possible. To achieve it, institutions, corporates and individuals must keep making efforts and seek unity and collaboration rather than blaming each other. Institutions must continue to provide guidance and create forums where organizations can share best practices, and must inform and educate individuals about their rights and the risks they face. Corporates must continue to invest in their privacy programmes and weave privacy into their organizational fabric as an ongoing priority. They must also build privacy in from the design stage and adopt privacy-enhancing technologies such as anonymization, data loss prevention and encryption (Wang and Kobsa, 2008; Heurix et al., 2015). Finally, society must continue to demand high privacy standards, rewarding and recognising privacy-conscious organizations and actively participating in the privacy movement.
Privacy rights are essential for the prosperity of democratic societies. However, after five years of enforcement, the GDPR has not yet been a success. The privacy hurricane that the European Commission promised ended up being a breeze in practice. Wind is the result of differences in atmospheric pressure; similarly, the winds of privacy change need to be revived and steered in the right direction by applying pressure and effort to the right elements. As discussed throughout this piece, practical limitations at every level prevent us from celebrating a successful implementation of the GDPR at present. Everyone needs to keep working together to make it happen sooner rather than later. The success of the GDPR is imperative; it must happen. Therefore, the author proposes an alternative question for further consideration: “When will the GDPR be considered a success?”