gdpr europe.png

gdpr - the troublesome privacy

A year and a half after coming into effect, GDPR seems to still be far from being just another part of daily life. While growing pains were to be expected, there is now some hard data showing just how much of an issue the regulation has been - and continues to be, for both companies and regulators.


THE COMPLEXITY OF PRIVACY

We all remember the "We've updated our privacy policy" statements that were usually the first thing to pop up once you reached a website or opened a marketing email. News reports and think pieces about the implementation of GDPR were, at one point, almost always followed by reports of people complaining about the deluge of such update notifications.

But while those update notes have now become a rare occurrence, what of the actual GDPR compliance? Well, the fines have so far been few and far between but experts point out the reason for this is not, unfortunately the superb preparedness of companies for the regulation - but the fact that implementation of data privacy policies in large enterprises proved to be much more complex than expected and the required technology often simply not yet up to the task, causing regulators to rethink fines. 

In fact, some experts are still of the opinion that the intricacies of implementing and maintaining GDPR might affect multinational companies’ plans for potential headquarters inside the EU. And there are also the regulators themselves, still grappling with understanding the digital ecosystem inside which they are expected to issue said fines.

BREACHES, GEOGRAPHY AND FINES

DLA Piper's report places the Netherlands, Germany and the UK at the top of "reported breaches" list - in fact, the three countries have almost double the reports of all other EU countries combined. By GDPR's first "birthday" on 25 May 2019, the amount of fines issued had reached €56m. However, an impressive €50m of that total comes from the pockets of a single company: Google, fined by France for GDPR infractions. This case may also be of interest for more than just the amount of the fine - the company was fined by France even though its European headquarters were in Ireland. 

facialrecognition.png

The reasoning provided by the French regulator was that all decisions regarding the processing of data in Android and Google accounts are made by the company's US headquarters and therefore the fine may still be given out by France with regards to infractions in the EU.

And France seems to so far be the most stringent when it comes to GDPR, with CNIL, its data protection agency (DPA) also fining Uber €400,000, Bouygues Telecom €250,000, Optical Center €250,000 and Dailymotion €50,000.

Ireland, being the preferred location of European headquarters of many US tech giants has also become a hotbed of GDPR investigations, from Apple to Twitter and LinkedIn. At the head of the list is Facebook, with Ireland's Data Protection Commission having so far opened 19 different investigations focusing on Facebook and its popular acquisitions WhatsApp and Instagram.

COMPLIANCE, VARIED

The rush for GDPR compliance in the face of the then-coming 2018 deadline significantly accelerated both the development of technologies as well as forcing a sooner-than-expected synergy once issues caused by the regulation started being raised.

Data and its management became the area of interest while data handlers suddenly found themselves working even closer with the company's legal department. 

But the "how to deal with GDPR" is a question that also wasn't easily answered by EU countries themselves.


OVERSIGHT AND MORE OVERSIGHT

Issues with GDPR and data protection implementation in general have also lead to questions regarding both data privacy and oversight of those in charge of manipulating said data within a company. Ken Leong, co-founder and CEO of ZL Technologies, is quoted as saying that "[...] every individual’s information has to be completely governed and accessible in order to meet privacy regulations, and once this level of control is available we’re only a step away from several dystopian scenarios. Privacy and intrusion are only kept separate by oversight. If oversight is missing, it slips into intrusion."