Back in November 2011, when Brussels chiefs revealed plans to update European data protection laws for the first time since the late 1990s, little could they have known quite what a Herculean task it would be and how it would fuel a worldwide drive to bring in new privacy laws.
However, one thing everyone recognised was that the EU Data Protection Regulation, as it was initially called (the “General” was added later), would put the European Commission on a collision course with US tech giants who had been building huge global businesses on the back of their data operations.
No-one realised it more than the tech giants themselves, who unleashed a major lobbying offensive to fight the worst excesses of EU Justice Commissioner Viviane Reding’s masterplan, including proposals to force companies to get “explicit consent” from consumers before they could process their personal data.
But they were not the only critics: evidence gathered by the UK advertising and marketing industry – and spearheaded by the DMA – revealed that British firms would be hit hard under the proposals, leading to cuts in profitability, increased costs and even staff losses.
At the time, DMA chief executive Chris Combemale warned: “If the Data Protection Regulation were to be implemented in its current form, then it would cause significant financial harm to UK businesses. Many elements of the Regulation would be unduly restrictive for businesses, without meeting the EU’s stated aim of enhancing protection of individuals’ data privacy rights.”
The battles raged; some were won, others were lost, but ultimately many of the draconian measures – including moving to an opt-in only regime – were ditched, and the text was finally agreed in 2016, triggering a two-year grace period to allow firms to implement the changes.
The run-up to GDPR D-Day, May 25, 2018, was not pretty, with more scare stories than the Horror Channel, sparking fears that many businesses were facing Armageddon. Even on the eve of the regulation becoming law, misinformation was still widespread, with BBC News at Ten claiming every organisation needed to appoint a data protection officer, while the Financial Times reported organisations had to obtain explicit consent to use and retain data.
The ICO, which had been criticised for being too slow in publishing its own GDPR guidance, was keen to point out that May 25 was the “beginning, not the end”. Deputy Commissioner Steve Wood told Decision Marketing: “The important thing is that organisations take concrete steps to implement their new responsibilities – to better protect customer data. There isn’t a deadline in the sense that if organisations aren’t compliant by today, then they’ve missed their chance.
“We recognise that most businesses want to get this right and we will always look to educate, engage and encourage. We’ll continue to support organisations in the run up to and after the new law takes effect.”
Soon, other countries outside the EU started to look at their own data laws, with amendments and even entirely new laws introduced in countries across Africa, Asia-Pacific, Latin America and North America, including the launch of the California Consumer Privacy Act; a US version of GDPR has also been mooted.
But with the EU regulation set to mark its third anniversary in May next year, what has been the long-term impact?
REaD Group data quality and governance manager Andy Bridges comments: “While companies are now more aware of their responsibilities, being genuinely GDPR-compliant remains a work in progress. The lawfulness of processing data (Article 6) and what clients should be doing to justify the use of data still remains unclear for some.
“This can be seen as both a lowlight and a highlight: it’s a lowlight because education is clearly still needed in this area, but it’s a highlight because companies are trying their hardest to communicate responsibly and legally.”
Econsultancy group head of data Ben Barrass reckons that, while firms are now much more aware of their obligations in handling data, the issue has without doubt fallen down the agenda since 2018, even more so following the Covid-19 outbreak.
However, he added: “The legacy that has been left is stronger control processes and, to some degree, GDPR has facilitated a cultural change within organisations. Everyone who works at a company is also a consumer, and each of those people is now more aware of their own rights and as such will be more likely to turn to the ‘data expert’ to at least ask ‘is this ok?’ Stronger controls are a requirement of vendor selection processes, so in the B2B supply world it’s now more critical than ever to have your ship in order.”
Nevertheless, GDPR enforcement has had its critics, with some countries being far more active than others. According to a Decision Marketing analysis of data provided by the CMS.Law GDPR Enforcement Tracker in October this year, Spain’s data protection authority (DPA) is way out in front on 143 fines, followed by Romania (43), Hungary (32), Italy (31) and Germany (27).
In comparison, the Irish Data Protection Commission – the lead authority for most tech giants – and the UK ICO have issued three and four penalties respectively, and are in the same league as Estonia, Lithuania, Latvia and Iceland – countries with DPAs that operate on a fraction of the budgets which the UK and Irish regulators command.
Perhaps unsurprisingly, this has led to claims that the tech giants are still getting away with riding roughshod over consumers’ privacy, none more so than in the adtech industry, which is still awaiting its fate. Meanwhile, the class actions against companies which have suffered data breaches, including British Airways, easyJet, Marriott International, Virgin Media and Google, among others, continue to gather pace.
However, Bridges maintains that the market has seen an improvement in the transparency of data processing. He adds: “While this isn’t 100% there yet, it is getting better, with consumers becoming more aware of who and how their data is being processed. GDPR has ensured that businesses are applying rigour and common sense while balancing commercial interests with consumer rights and testing that decision to ensure it is the right approach.”
With Brexit looming large, the EU GDPR will no longer apply directly in the UK at the end of the transition period on December 31, 2020. However, UK organisations must still comply with its requirements after this point under a new regime known as “the UK GDPR”.
There is little material difference between the two regimes but how this will pan out in the years ahead is still a grey area, especially as there is so much up in the air in the Brexit negotiations. Whatever the outcome, the UK will have to maintain tough data laws to trade with other major nations in or outside of the EU.
Barrass highlights another issue with Brexit: “The uncertainty of whether a deal is available is forcing companies to dive deeper into the architecture of their technology stack – there was always a spotlight on ‘where does your tech store your data’ and now there is a more focused view on ‘and where does your data transit through to get to that system’.
“This is challenging for some organisations to even audit, and where previously anywhere in the EEA was deemed to be nailed down, companies are now having to consider the implications of the risk of data transferring out of the UK. I doubt anyone is tearing apart their stack right now though; we’ll all just have to wait and see who takes the lead in the new year when things are a little more certain.”
The future of the EU GDPR also appears to be far from certain following fresh concerns about the so-called one-stop shop mechanism, which puts the Irish DPC in charge of all cross-border complaints.
This week’s Twitter enforcement notice revealed that many of the top EU authorities – including those in Austria, Germany, France, Hungary, Spain, Italy, and the Netherlands – did not think the punishment was severe enough. Ultimately, they were overruled but the issue is likely to linger and will no doubt feature large in any other cross-border cases.
The French recently shunned the one-stop shop system to fine Google and Apple a total of €135m (£123m) for cookie violations under France’s data protection legislation rather than GDPR. Meanwhile, privacy organisation NOYB, fronted by Austrian lawyer Max Schrems, has filed two complaints against Apple, in Germany and Spain, also under the ePrivacy Directive.
Both were deliberate decisions to prevent investigations going through Ireland and therefore having to be approved by other EU states.
Even so, Bridges is in no doubt that the regulation has been beneficial for all businesses. He concludes: “I firmly believe GDPR has driven up the importance of data governance for many organisations, an improvement from the time when it was a new buzzword, and nobody really knew what it meant.
“In turn this has created the cultural shift towards privacy by design and ‘responsible marketing’, which can only be a good and positive thing as it helps to implement alignment of standards and compliance, ownership and accountability, and education across organisations.
“Finally, companies are becoming more aware that the consumer information they hold and process is a key asset and should be afforded the highest level of protection, not only due to large fines but reputational loss. And, yes, while there have been some big data breaches and while I think we will see more in 2021, information security is definitely now discussed at C-Suite level: something IT teams have been pushing for for many years.”