
As GDPR Turns One Is It A Success Or A Failure?

This article is more than 4 years old.

As the European Union’s much-discussed General Data Protection Regulation (GDPR) turns one later this month, what has its legacy been? Has it succeeded overall in its attempts to increase digital privacy, or has it largely failed and in fact made digital privacy worse for EU citizens? A closer look at its impact suggests the latter.

GDPR was supposed to mark a major milestone in helping EU citizens regain control over their digital lives, from recouping their privacy to exerting control over what companies around the world do with their data. Yet, as with any technology legislation, the law that was actually passed was so watered down and deferred so strongly to technology companies that it did far more to help “big tech” than it did to help the ordinary citizen.

Take facial recognition. Previous EU law largely prohibited facial recognition under almost any circumstances. Even as Facebook aggressively deployed its facial recognition algorithms across the world, Europe remained a facial recognition-free oasis.

GDPR stripped away all of these protections, opening the continent up to mass continent-scale facial recognition of the kind Facebook had applied everywhere else in the world.

From a biometrics standpoint, GDPR backfired spectacularly.

What about GDPR’s extensive rules and regulations governing disclosures about data breaches? Hasn’t it made EU citizens far more aware of breaches of their personal data and ensured they receive timely and detailed notification when their private information has been compromised?

As Facebook has reminded us again and again and again over the past year, even the strictest and most unambiguously worded sections of GDPR have been liberally interpreted by the companies they impact. Facebook, for example, took two months to notify customers after one breach, claiming it was still in compliance with GDPR’s 72-hour notification rule because the company believes it has the right to determine when the 72-hour clock begins.

For its part, the Irish DPA has yet to take meaningful action against Facebook in any of these cases.

Yet, even if the EU were to attempt to prosecute GDPR violations to the fullest extent, the resulting fines and penalties are so small as to be meaningless for companies that earn billions of dollars a month. For a company the size of Facebook, even a multi-billion-dollar fine could be absorbed as simply the cost of doing business.

Of course, those are the companies that are actually impacted by GDPR. American companies that don’t explicitly target EU citizens can freely harvest and resell their most personal and intimate data without limitation.

Putting this all together, previous privacy protections have been rolled back, companies have been free to redefine GDPR’s rules however they wish, and the majority of companies harvesting EU citizen data aren’t even subject to its rules. That hardly sounds like a success story.

In the end, GDPR has been merely public posturing rather than privacy protection, offering the public empty promises that their governments have yet to deliver upon.