5 Years of GDPR: Criticism Outweighs Positive ImpactPrivacy Practitioners Say the Law Needs Greater Protections for Citizens
Five years after the effective date of the General Data Protection Regulation, the European Union privacy law - hailed as a way to protect the privacy of citizens in an increasingly digital world - continues to be marred by criticism over its lack of effectiveness and uneven implementation.
GDPR, which went into effect on May 25, 2018, is among the world's toughest privacy rules. Major companies including Facebook and Google have been fined millions of euros for violations. The rule allows data protection authorities to levy fines of up to 4% of a company's global annual turnover. International law firm CMS estimates European data protection authorities have imposed GDPR fines totaling more than 2 billion euros so far.
Despite the large sum of penalties, privacy and civil rights organizations maintain that the law has failed to achieve the intended goal of safeguarding European citizens' data, especially from big tech companies.
"GDPR provides strong investigation and enforcement powers to protect people from the misuse of data that enables much of the digital world's problems," Johnny Ryan, senior lawyer at the Irish Council for Civil Liberties said. "It should be our shield against the digital era's problems. But that shield has yet to be taken up."
A recent report by the ICCL accuses the EU of "little substantial enforcement" against big tech companies.
Privacy watchdog NOYB, founded by Austrian privacy activist Max Schrems, said over 85% of the complaints registered by his organization await decisions from various European data protection agencies. Schrems was instrumental in striking down legal frameworks underpinning commercial data flow in 2015 and in 2020.
The five-year anniversary of GDPR comes just days after the Irish Data Protection Commission imposed a fine of 1.2 billion euros against Facebook Ireland based on the complaint lodged by NOYB. The group said the company's privacy guarantees couldn't protect Europeans against surveillance by U.S. intelligence agencies. Schrems has urged the social media giant to federate its network, keeping Europeans' data physically within countries that are members of the trading bloc (see: Facebook Ordered to Suspend Data Transfers to US From Europe).
"Not only did it take more than 10 years for the DPC to reach a first decision, the case also required three sets of litigation against the Irish DPC to force it to do its job," NOYB said in a statement. "This included the Court of Justice of the EU and the European Data Protection Board telling the Irish DPC thrice to effectively handle the case."
One of the main criticisms against the GDPR by NOYB is its failure to limit targeted advertisement by big tech companies. For instance, in 2018, Meta Ireland introduced "contractual necessity," its updated, privacy-focused terms of services for Instagram and Facebook that sought to legitimize the processing of user data just as the European GDPR came into effect.
In a complaint lodged against the company, NOYB argued Meta Ireland's updated terms of service forced users to consent and accept the company's terms of service for processing user data for behavioral data and other personalized services. In doing so, the organization argued Meta Ireland had "bypassed" the consent requirement under the GDPR by adding a clause to the terms and conditions to include advertisement (see: Irish Privacy Watchdog Fines Meta 390 Million Euros for Ads).
Another key challenge associated with the GDPR is differences in how national data protection authorities enforce the regulation, resulting in inconsistencies, critics say.
One such agency that is the target of a hefty chunk of criticism is the Irish Data Protection Commission. A large number of American big-tech companies, including Facebook, Microsoft and Apple, have their international headquarters in Dublin. This has given the Irish agency outsized influence over these tech companies' behavior.
This flexibility made Ireland a "bottleneck" in effective GDPR implementation, according to critics such as the ICCL who accuse the agency of using a soft touch (see: Irish Civil Society Dogs Irish DPC With GDPR Criticism).
The Irish DPC rejects these claims, citing its history of multiple, multimillion-euro fines against companies such as Facebook.
Keeping Pace With Technology?
The GDPR has done little to help public and private sector organizations address privacy concerns, said Kelsey Finch, privacy and data protection senior associate at Aleada Consulting. GDPR provides a "sufficient framework" to help IT and cybersecurity teams adapt to the technological advances, but most are challenged with keeping pace, she said.
"A lot of the challenges for organizations are still just that day-to-day data governance - making sure that you know where your data is, making sure that you have clear lines of internal communication and approvals and decision-making," Finch said. "These things sound really straightforward but with the scale and complexity of the data-fied world around us, it's extremely challenging in practice and really does require that increased resourcing."
The tech industry's growing reliance on emerging AI technologies, exemplified by OpenAI's popular ChatGPT chat bot, has the potential to further exacerbate privacy issues, said Jonathan Armstrong, partner at Cordery Compliance.
EU members have brought some AI-related cases against organizations for facial recognition technology, video surveillance and political campaigns, but an EU AI law is still years away from passage, he said.
One unintended consequence of GDPR is that cybercriminal groups have used the potential fines as leverage to obtain extortion payments following ransomware attacks, which have increased significantly since 2018.
One recent case, LockBit's ransomware attack against Royal Mail in February 2023, showed that the cybercriminals had calculated the potential GDPR potential fine and suggested that paying the ransom was the better deal (see: Royal Mail Refused 'Absurd' LockBit Extortion Demand).
Vendors serving large numbers of clients also have been pressured by ransomware gangs, but Armstrong said that regulators still require breach reporting and no one is "getting brownie points" for paying the ransom.
Challenge of Fragmentation
The U.K government's recent decision to pursue its own version of GDPR is another cause for concern as European lawmakers worry if the proposed strategy will widen the existing gap in the policy implementation.
In a European Parliament hearing on Tuesday, lawmakers said the United Kingdom risks losing its adequacy decision granted by the European Commission in 2021, should the proposed Data Protection and Digital Information Bill is pass in its current form (see: EU Committee Probes TikTok, UK's Updated GDPR).
If such a scenario occurs, post-Brexit complications for businesses on the U.K. and the continent would grow even larget, since the free flow of data between the two regions would be curbed. This will likely force U.K. businesses to store European customer data in the EU, Rebekka Weiss, head of trust and security at German tech industry body Bitkom, said.
Although fragmented implementation continues to be a challenge, the fact that the GDPR is able to sanction non-EU tech companies should in itself be seen as a mark of its success, Weiss added.
Even though the regulation has had some positive impact in ensuring data protection, it is hard to measure the benefit of the regulation, Armstrong said.
"I don't think we will ever know which incidents were prevented by having a good or better policy in place."