It has been four years since the GDPR came into force in Europe. NOYB has offered a reflection on the occasion.
Back in 2018, the GDPR became applicable. At the time, there was a mixed reaction as to what it would mean. Some, largely European digital rights organizations, felt that it ushered in a new era of respect for privacy in Europe. Others, notably American observers, felt that it was an overreach by government that imposed unnecessary and overly burdensome compliance requirements.
What it did do was set a gold standard for the world to follow. Compared to Europe, the US system seemed haphazard, with different government agencies trying to enforce some semblance of privacy. While they are able to levy fines from time to time, there isn't a uniform system in place to go after companies that violate the privacy of citizens. In Canada, it's even worse, because the only system in place here is finger wagging and strongly worded letters. Compared to Europe, Canada looks like it lives in the stone age. Worse still is the overall reluctance of the government to move these laws forward, leaving Canadians to beg officials to finally do something.
So, four years on, how has the GDPR worked out? Well, it isn't exactly a perfect picture. NOYB raises the point that there are two components to making a law work: having the law on the books and enforcing it. While there isn't much issue with having satisfactory laws on the books, the sore point still seems to be actually enforcing them. From NOYB:
GDPR did not change a culture of non-compliance. When the GDPR became applicable on 25 May 2018, it was perceived as a watershed moment. Comments were somewhere between the EU getting serious about privacy and the internet breaking down at midnight. The past four years have shown that a law alone does not change business models that are based on the abuse of personal data and a culture within the privacy profession that is often focusing on covering up non-compliance. After a first moment of shock, a large part of the data industry has learned to live with GDPR without actually changing practices. This is mainly done by simply ignoring users’ rights and getting away with it.
The GDPR culture: open mocking and hostility. This often translates into fundamental rights being belittled. The fundamental right to data protection is not respected and perceived as a result of a long democratic process, but mocked as crazy or “impossible to comply with”. Authorities and non-profits that try to enforce the law as it stands experience open hostility and accusations, like that enforcement would “kill innovation”. Hardly any other area of law is politicized to that extent – at least I have never heard that building or tax codes were openly ignored with the argument that compliance would “undermine the business model” of a company. The privacy bubble accepts such narratives as a legitimate argument.
GDPR compliance dynamics. The GDPR has not (yet) managed to get out of a pre-existing condition: a downward spiral of more and more non-compliance and non-enforcement. Just like when parts of a city become a criminal “no go” zone that are abandoned by police, it seems that many data protection authorities have lost the upper hand on many areas of the digital sphere. Companies realize that competitors do not comply and that acting legally does not pay off. The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.
Lack of enforcement by DPAs. The lack of any real enforcement and hence the lack of a deterring effect on other companies puts more oil into this fire. Of about 50 cross-country cases that noyb has filed in the last four years, none have seen a final decision yet. Month by month without proper enforcement it will get harder to get this situation back on track. While some authorities seem to worry more about public perception if they actually would enforce the law, others seem to have realized the situation and do their best to get going. Nevertheless, the time is pressing and it seems that we are approaching a situation in which the GDPR will be fully ignored – just like the previous EU Data Protection Directive of 1995.
Indeed, one of the most well known examples of non-enforcement out there is the Irish DPC. That authority has become notorious for dragging its feet on numerous cases and handing out the smallest fines available. Last year, the DPC was accused of going so far as to lobby on behalf of Facebook to weaken privacy laws. The accusations got so bad and so prominent that Irish officials were forced to publicly defend the organization. One ruling the DPC did hand down was against WhatsApp, which was fined €225 million.
From a Canadian perspective, reading this reaction can be quite discouraging. Canadians and digital rights organizations have been trying for years to get the Canadian government to finally get off its collective rear end and start working on privacy reform. After all, Canada doesn't really have a mechanism in place to fine companies for violating Canadians' privacy. At best, private citizens have to take those companies to court on their own after the fact. Getting laws on the books that say non-compliance can mean fines seems like such a basic thing.
So, when we see some in Europe dissatisfied with the world's gold standard because enforcement isn't happening, the risk is that some might ask, “what's the point? Even if we get these laws in place, nothing is going to change.” It's hard to see this as the right attitude about the situation. After all, actually having laws is the first step. If the attitude is that they would be too hard to enforce afterward, then that potentially removes what little momentum the privacy movement has in this debate in the first place. So, hopefully, people still feel that this issue is important and worth fighting for. After all, a better society is almost never going to be easy to fight for.
Drew Wilson on Twitter: @icecube85 and Facebook.