Is the GDPR data protection law working?

Last spring’s GDPR is one of the most complex pieces of legislation the European Union has ever devised. But is it achieving what it was supposed to? 

Google accounts for the vast bulk of the fines levied under GDPR

What is the GDPR?

It's the EU's General Data Protection Regulation (GDPR), an EU-wide set of rules governing data privacy in the age of the internet. It came into effect in May last year, and will remain part of UK law even after we leave the EU. GDPR took four years to debate and compose (mostly by privacy-conscious German lawyers) and consists of 99 articles and 173 explanatory comments, making it one of the most complex pieces of legislation ever produced by the EU. Its stated purpose is to "protect all EU citizens from privacy and data breaches in an increasingly data-driven world".

How does it do that?

Principally by dramatically expanding the definition of what counts as data; by compelling organisations to secure consumers' explicit consent to various forms of communications and data storage; and by beefing up penalties for data breaches and non-compliance. Until last year, EU citizens' rights over their personal data (everything from addresses and health records to credit data) were enshrined in a directive that hadn't been touched since 1995, when the internet was still in its infancy. GDPR expands the definition of data to photos, posts on social networks, and IP addresses (which identify your computer when you access a website). And it covers virtually any organisation that collects data about EU citizens, anywhere in the world.

What must companies do?

Companies can no longer hide their requests for consent to store or use our data in endless terms and conditions and legalese, or use pre-ticked boxes. Instead, people have to opt in. This explains the flood of messages in the nation's inboxes in the run-up to last May, when shops and hotels and websites we barely remembered visiting got in touch to ask permission for them to get in touch. Under GDPR, consent to allow our personal data to be used must be unambiguous, freely given, current, and for specific purposes. Moreover, firms (or other organisations) that handle large amounts of personal data must appoint a data-protection officer and design their systems around the need for privacy.

What rights do we get?

Consumers (or "data subjects"), meanwhile, get several new rights. We can access data held on us within a month, free of charge. We have the "right to be forgotten" by making an organisation erase our data, the right to be notified within 72 hours if our data is compromised, and the right to get compensation more easily. For organisations, the fines for non-compliance are much bigger under the GDPR: a maximum of €20m or 4% of turnover, whichever is the greater. According to Vera Jourova, the EU commissioner for justice, the EU has "handed a loaded gun" to the national regulatory agencies whose job it is to enforce the rules, such as the UK's Information Commissioner's Office (ICO).

How has it been going?

GDPR has greatly increased the number of data breaches reported to the authorities by companies and organisations. In the UK, total reported breaches in 2019 are estimated to be about 36,000, nearly twice the previous annual rate of around 20,000. Doubling that number is no small achievement, reckons Josephine Wolff on Slate.com. Across Europe, the first nine months of GDPR showed 206,000 cases recorded, which included 95,000 complaints and 65,000 data-security breach notifications. That is a valuable trove of information, both for customers whose personal data has been compromised and for regulators and technology designers trying to understand and mitigate the root causes of breaches. However, it's much less clear that GDPR has had much impact on corporate fines for mishandling personal data.

What are the figures?

Across Europe, in the first nine months national data-protection agencies in 11 countries had levied €56m in fines. That sounds impressive, but the vast bulk of that figure was a single €50m French levy on Google in January. Moreover, data for the UK shows that the chances of getting a fine are remote indeed. Between May 2018 and March 2019, 11,468 data-breach cases were resolved but only 29 of these led to a fine, including a £500,000 fine issued to Facebook and another half million issued to Equifax. Clearly, GDPR is a work in progress, but so far the vast majority of firms are not being fined for failing to protect customers' data, and any fines levied have hardly been onerous. Critics also say that the first year of operation has borne out their worst fears about the potentially damaging effects of GDPR.

What are they?

They worry that GDPR is cumbersome, outrageously costly to comply with, and over time is likely to entrench existing oligopolies while discouraging new investment in potential future champions. In other words, it increases the power of the biggest players, such as Facebook and Google, which can easily afford the compliance costs and have used their market power to pass on some costs to others, while making life much harder for smaller players and new entrants. For example, a study last November for the US think tank the National Bureau of Economic Research detected a 17% fall in venture-capital funding rounds for tech firms in Europe after GDPR came into force, and a fall of almost 40% in the overall funds raised. Meanwhile, in the UK, Google and Facebook's combined share of the online advertising market has risen over the past year to 64%, compared with 59% in the US. Realistically, it's still very early days in terms of evidence-gathering, and regulators promise that some more big fines are in the pipeline. But for now, the jury is very much out.
