Is the GDPR data protection law working?

Google accounts for the vast bulk of the fines levied under GDPR

Last spring’s GDPR is one of the most complex pieces of legislation the European Union has ever devised. But is it achieving what it was supposed to? 

What is the GDPR?

It’s the EU’s General Data Protection Regulation (GDPR), an EU-wide set of rules governing data privacy in the age of the internet. It came into effect in May last year, and will remain part of UK law even after we leave the EU. GDPR took four years to debate and compose (mostly by privacy-conscious German lawyers) and consists of 99 articles and 173 explanatory comments, making it one of the most complex pieces of legislation ever produced by the EU. Its stated purpose is to “protect all EU citizens from privacy and data breaches in an increasingly data-driven world”.

How does it do that?

Principally by dramatically expanding the definition of what counts as data; by compelling organisations to secure consumers’ explicit consent to various forms of communications and data storage; and by beefing up penalties for data breaches and non-compliance. Until last year, EU citizens’ rights over their personal data (everything from addresses and health records to credit data) were enshrined in a directive that hadn’t been touched since 1995, when the internet was still in its infancy. GDPR expands the definition of data to photos, posts on social networks, and IP addresses (which identify your computer when you access a website). And it covers virtually any organisation that collects data about EU citizens, anywhere in the world.

What must companies do?

Companies can no longer hide their requests for consent to store or use our data in endless terms and conditions and legalese, or use pre-ticked boxes. Instead, people have to opt in. This explains the flood of messages in the nation’s inboxes in the run-up to last May, when shops and hotels and websites we barely remembered visiting got in touch to ask permission for them to get in touch. Under GDPR, consent to allow our personal data to be used must be unambiguous, freely given, current, and for specific purposes. Moreover, firms (or other organisations) that handle large amounts of personal data must appoint a data-protection officer and design their systems around the need for privacy.

What rights do we get?

Consumers (or “data subjects”), meanwhile, get several new rights. We can access data held on us within a month, free of charge. We have the “right to be forgotten” by making an organisation erase our data, and the right to be notified within 72 hours if our data is compromised – and to get compensation more easily. For organisations, the fines for non-compliance are much bigger under the GDPR: a maximum of €20m or 4% of turnover, whichever is the greater. According to Vera Jourova, the EU commissioner for justice, the EU has “handed a loaded gun” to the national regulatory agencies whose job it is to enforce the rules, such as the UK’s Information Commissioner’s Office (ICO).

How has it been going?

GDPR has greatly increased the number of data breaches reported to the authorities by companies and organisations. In the UK, total reported breaches in 2019 are estimated to be about 36,000, nearly twice the previous annual rate of around 20,000. Doubling that number is no small achievement, reckons Josephine Wolff on Slate.com. Across Europe, the first nine months of GDPR showed 206,000 cases recorded, which included 95,000 complaints and 65,000 data-security breach notifications. That is a valuable trove of information about customers whose personal data has been compromised, and for regulators and technology designers trying to understand and mitigate the root causes of breaches. However, it’s much less clear that GDPR has had much impact on corporate fines for mishandling personal data.

What are the figures?

Across Europe, in the first nine months national data-protection agencies in 11 countries had levied €56m in fines. That sounds impressive, but the vast bulk of that figure was a single €50m French levy on Google in January. Moreover, data for the UK shows that the chances of getting a fine are remote indeed. Between May 2018 and March 2019, 11,468 data-breach cases were resolved but only 29 of these led to a fine, including a £500,000 fine issued to Facebook and another half million issued to Equifax. Clearly, GDPR is a work in progress, but so far the vast majority of firms are not being fined for failing to protect customers’ data, and any fines levied have hardly been onerous. Critics also say that the first year of operation has borne out their worst fears about the potentially damaging effects of GDPR.

What are they?

They worry that GDPR is cumbersome, outrageously costly to comply with, and over time is likely to entrench existing oligopolies while discouraging new investment in potential future champions. In other words, it increases the power of the biggest players, such as Facebook and Google – who can easily afford the compliance costs and have used their market power to pass on some costs to others – while making life much harder for smaller players and new entrants. For example, a study last November for US thinktank the National Bureau of Economic Research detected a 17% fall in venture-capital funding rounds for tech firms in Europe after GDPR came into force, and a fall of almost 40% in the overall funds raised. Meanwhile, in the UK Google and Facebook’s combined share of the online advertising market has risen over the past year to 64%, compared with 59% in the US. Realistically, it’s still very early days in terms of evidence-gathering, and regulators promise that some more big fines are in the pipeline. But for now, the jury is very much out.