The official EU Commission report to mark two years of data protection regulation, leaked over the weekend, shows it has been a burden to the wrong target: small and medium-sized companies
By: Eric De Grasse, Chief Technology Officer
23 June 2020 (Paris, France) – Europe’s “flagship data rules” … the General Data Protection Regulation (GDPR) … are proving difficult to implement two years after coming into effect, says the European Commission. It has placed a particular burden on small and medium-sized companies and those developing new technologies, and has been inconsistently applied and enforced, and has faced a myriad of problems. The official report … to be released tomorrow but leaked over the weekend to selected press … will come as no surprise to our regular readers. We have been on top of the GDPR story since the drafting process began 5+ years ago, having attended scores of public hearings and spoken to scores of insiders involved in the legislative process.
The official report is part of a legal obligation for the Commission to give an update on the progress of the data rules’ implementation.
One of the biggest “shocks” to the Commission: the lack of clarity over how the rules relate to emerging technologies which has meant regulators have struggled to apply them in fields such as artificial intelligence, blockchain and the internet of things – those last three categories hardly even considered when the drafting process was well in hand. My favorite quote from the draft (which is undergoing an extensive rewrite today):
“Clearly there will be many challenges ahead in clarifying how to apply the GDPR principles to specific technologies. Many stakeholders report that the application of the GDPR is challenging especially for small and medium-sized enterprises (SMEs) in technologies we had not considered.”
Fair enough. Things like artificial intelligence and the internet of things are just so … new 🙂
When the bloc’s rules were introduced in 2018 to give online users more control over their data, most commentators said they would be burdensome for large technology companies such as Google, which was the intent. Since then, however, most privacy groups have argued that the rules do not go anywhere near far enough in protecting individuals’ information, given all the work-arounds Big Tech developed to skirt the GDPR. In Google’s case, publishers complained that the arrangement makes them do all the compliance work while leaving Google well placed to keep benefiting from their users’ data.
Worse, the Commission found there was total confusion over how the rules were applied at individual country level due to “open and vague interpretation”. The Commission highlighted the “lack of a consistent approach” between how data protection authorities in different member states interpreted parts of the GDPR that allowed for some flexibility, using as an example the minimum age that children were allowed to consent for social media companies to handle their data. Some countries have set the minimum age at 16, others at 13, 14 or 15. Officials said that this did not constitute an infringement of the privacy rules “because the rules are open to interpretation”, but such discrepancies need to be “harmonised”.
Separately, EU regulators reported to the Commission they were employing “rapid and tough action” to enforce the rules since their introduction. The Commission noted there were 785 administrative fines between May 2018 and November 2019, including “the largest fine ever”, a €50m fine against Google in France because of the way the company obtained consent from users.
NOTE: as my colleague, Gregory Bufithis, pointed out: “I think that the ‘largest fine ever’ nonsense needs some perspective. Just take AdWords alone. It brings Google €111 million in revenue per day. That €50m fine must have been a shock”.
It is interesting to note the Commission glosses over the fact that the EU has handed out only two fines to Silicon Valley tech giants — the first to the local subsidiary of Facebook in Germany, for €51,000, and that Google fine. And it was the Big Tech “bad boys” that GDPR was aiming for. Meanwhile, Ireland dithers over its investigations of Google and Twitter, the Netherlands is still investigating Netflix, and Luxembourg’s privacy authority, which has jurisdiction over Amazon and PayPal among others, has yet to issue a single enforcement notice. Since May 2018, European privacy watchdogs have levied just under €150 million in fines in total over GDPR violations.
In the past Vera Jourova, the EU’s vice-president in charge of values and transparency, has said GDPR will lead to more “harmonised rules across the single market”. But now, says the Commission report, that is failing. The report says:
“We will now need to actively monitor how member states implement the GDPR in their national legislation to ensure a ‘one continent, one law’ principle. And we need to relieve the burden we have imposed on SMEs but still employ vigorous enforcement.”
I’ll wait for further comment on the Commission report until its official release tomorrow to see what the final version says. But a few points:
1. The GDPR has been more difficult and costly to implement because of too much mythology and not enough understanding of how to apply a principles-based law. My UK mates have told me there were scores of similar issues when the UK Anti Bribery Act came into being.
2. You can’t cookie-cut it into your business’s policies and procedures without understanding what personal data you use, why you use it and how. It is a difficult process, and while hundreds of “data privacy vendors” hawk GDPR solutions, none of them will work until you begin the “data walk” and really understand your data. Actually implementing a compliant GDPR program will probably change nothing with respect to data privacy, but it might very well realize efficiencies and improved effectiveness in handling your data that would not otherwise have been identified.
3. The concept of a “modern, revamped” GDPR was first broached in 1998, and it took 20 years before the legislation was enacted. The only problem was the regulators did not take on board a few things: life, technology and popular behaviors had changed in those twenty years. As I have noted in the last several years covering the development of the new GDPR, there was an almost complete lack of tech people. They brought almost nobody into the process who had technology intelligence … “this is how this shit works, boys and girls, and this is how your rules are going to play out” … which meant GDPR was doomed. Well, that plus a cadre of brilliant Big Tech lawyers and lobbyists. As my colleague, Gregory Bufithis, noted in his report last month, “The GDPR turns 2 years old today”:
The fundamental problem was always the collection of data, not its control. Europe introduced the GDPR aimed at curbing abuses of customer data. But the legislation misdiagnosed the problems. It should have tackled the collection of data, not its protection once collected. As I reported several years ago, when the GDPR drafting first began, the focus was on limiting collection but Big Tech lobbyists and lawyers turned that premise 180 degrees and “control” became the operative word. That has always been Big Tech’s mantra: don’t ask permission. Just do it, and then just apologise later if it goes bad. Zuckerberg is the poster boy for that mantra.
So when control is the “north star” then lawmakers aren’t left with much to work with. It’s not clear that more control and more choices are actually going to help us. What is the end game we’re actually hoping for with control? If data processing is so dangerous that we need these complicated controls, maybe we should just not allow the processing at all? How about that idea?
I’ll have more later in the week after the Commission report is issued.