The GDPR has just celebrated its one-year anniversary. To mark the occasion, AT Internet has created a comprehensive guide on how you can ensure that your digital analytics is 100% compliant with the regulation. To accompany the guide, we are running a blog series and GDPR quiz to get you up to speed!
In the first blog, we wade through the flood of derisive articles on how the regulation has been ineffective so far in addressing data privacy issues. Are the attacks justified, or is it too early to criticise such a complex and ambitious project 12-months in?
Here are the top 12 criticisms ❌ of the GDPR – and the case in defence ✅ of the regulation…
1. ❌ There was total chaos when the GDPR came in, with 206,326 reported breaches in the first few months alone.
✅ Although there was initially a large number of reported cases following the GDPR deadline, many were quickly resolved. Of the 200,000 or so breaches in the first nine months of the regulation, around 65,000 were initiated on the basis of a data breach report by a data controller. Of the 95,000 complaints, some 52% of the overall cases had already been closed, with only 1% facing a challenge in national courts.
2. ❌ For the consumer, the regulation has simply created an endless barrage of rapid-fire, pop-up privacy notices that nobody actually reads. This has caused consent fatigue and has done little if anything to improve individuals’ comprehension of their data privacy.
✅ The implementation of the GDPR has in fact significantly raised the awareness of privacy issues for consumers. Following the Cambridge Analytica scandal, a poll in the UK showed that 72% of individuals had already changed their data permissions ahead of May 25th, 2018 and were planning on sharing less data in the future.
3. ❌ The GDPR offloads too much responsibility on individuals who have a limited understanding of the complexities of the regulation.
✅ According to Eurobarometer results from March 2019 cited in an article by the European Data Protection Board (EDPB), the increase in queries and complaints confirms a rise in individuals’ comprehension of data protection rights – 67% of EU citizens polled indicated that they have heard of the GDPR, and 36% of them indicated that they are well aware of what the GDPR entails.
✅ 57% of EU citizens polled indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. This result shows an increase of 20 percentage points compared to 2015 Eurobarometer results.
This can only increase in the future…
4. ❌ Businesses have no idea how they can be compliant and what constitutes a data breach – as reflected in the large number of complaints. According to the IAPP, more than 56% of respondents subject to the GDPR said they were far from compliance or would never comply, and one-fifth said that “full compliance may be impossible.” Hoping to avoid the costs of incorrect or delayed compliance, many companies are moving forward with a risky “wait-and-see” approach as they struggle to understand the best course of action.
✅ As a brand-new regulation, the GDPR will take time to become truly effective – confusion during the implementation phase is to be expected. It is also a monumental challenge for regulators as well as for businesses being regulated. Many organisations are still running through a backlog of activity required for compliance even so many months after the GDPR entered into law. This can be very slow work and requires an experienced Data Protection Officer (DPO) with both legal and technical expertise.
✅ Regulatory bodies spent most of 2018 getting up to speed with their staff levels and internal procedures and finishing the last pre-GDPR investigations.
5. ❌ There is inadequate support and information available on how companies and individuals can be GDPR compliant. Local Data Protection Authorities (DPAs) are not taking the necessary measures to inform businesses and individuals on the regulation requirements.
✅ Following a record number of complaints in France, the CNIL has taken affirmative action to support operators and ensure the successful implementation of the GDPR. These include raising awareness among local authorities with a practical guide, thematic sheets (teleservices, security, Data Protection Officer (DPO) and local authorities, etc.) and a dedicated module in its online training open to everyone. Support is provided via the CNIL website, and both an asset and a developer kit have already been published. The CNIL is also in close dialogue with professionals and “network heads” to promote the development of skills in all sectors and support for data protection officers. In practical terms, the tools available to everyone on its website include:
- a way to check whether an organisation has appointed a DPO, for people wishing to exercise their rights or ask a question of an organisation that manages their data, with contact details publicly available via a dedicated search engine
- an online GDPR training course open to all since March 2019, already attended by more than 35,100 people, including 6,900 who have obtained a certificate of success
- a model register of processing activities, which makes it possible to identify all data processing operations and to have an overview of actions relating to personal data
- open source software to conduct a data protection impact assessment (DPIA), which is obligatory for some processing operations
With 2,044 data breach notifications in France and 89,271 at European level, more than 19,000 data protection officers (natural or legal persons) have been appointed by more than 53,000 organisations. There has also been an influx of requests for information from professionals wanting to apply the GDPR framework, and a growing mobilisation of professionals and individuals on data protection – the CNIL website has had more than 8.1 million visits over the last year.
6. ❌ A vast new Data Protection Officer bureaucracy has been created in organisations and the associated costs are huge. The GDPR makes it a legal requirement for all companies doing business in the EU to appoint a DPO if their core business consists of data processing activities. If they process special categories of data (sensitive data, like biometric, ethnic or health data), they must appoint one regardless of the scale of processing – public institutions also have to appoint one. Failure to appoint a DPO can carry fines of up to €10 million or 2 percent of a company’s global turnover, whichever is higher. This is expected to generate the need for up to 28,000 DPOs in the EU and the US and 75,000 worldwide.
✅ Although initial reports warned that the GDPR would create the need for vast numbers of DPOs, many companies will outsource the role and the likely figure is considerably lower. Smaller companies are also allowed to share a DPO, and the DPO can be an existing employee as well as a new hire.
✅ The GDPR may seem draconian by demanding that each organisation has its own DPO, but data regulation was in drastic need of modernisation to bring it in line with a rapidly changing online ecosystem and make the law fit for purpose.
✅ By fostering a culture of data protection within an organization, the DPO will save money by avoiding potential fines.
✅ Businesses are realising that, aside from focusing on the fines they might receive, GDPR compliance can be viewed as an opportunity to engage with customers and build loyalty, as a driver of increased trust and overall business growth. This is one of the reasons mobile banking, streaming services and tech companies have been extremely agile when it came to GDPR compliance. DPOs must be allowed to act independently and cannot receive orders from management, which also creates an atmosphere of confidence in a company’s data privacy practices.
7. ❌ EU data authorities are not adequately staffed or coordinated to handle the demands. EU regulators claimed they had insufficient resources or funding to cope with the new GDPR workload and that they needed a “substantial increase in resources and staff”.
✅ 2018 was a transition year and the various agencies needed time to staff up. EU data authorities have stated that “while the cooperation procedures are robust and efficient, they are time and resource intensive – SAs need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities.”
✅ The Irish DPA ‘beefed up’ its 27 staff to more than 130 to cope with the steep rise in complaints, and this is expected to rise to more than 200 in the next year.
✅ The framework surrounding GDPR fines is still being created. One of the likely reasons for the uneven GDPR fines across countries, as well as the slow associated process, is that those in charge of making legal decisions don’t have legal precedents to guide their actions.
✅ In 2019, people should expect regulators to become more concise in their interpretations of the law.
8. ❌ There is little international coordination – the DPAs of several EU countries also need to harmonise the wide range of fines being handed out.
✅ To provide more guidance as to how a data protection agency should calculate the amount of a fine, the Dutch data protection agency, the Autoriteit Persoonsgegevens, has released a framework to determine how severe a penalty will be. The Dutch framework (in Dutch) has four categories of violations, and each category has a defined “default” fine, along with a range of possible fines depending on the severity of the violation.
✅ The UK’s Information Commissioner’s Office (ICO) is coordinating with both the Dutch and Norwegian DPAs to create a harmonised framework or matrix ‘toolkit’ for the various watchdogs, giving them a foundation for calculating fines in the future.
✅ Data Protection Authorities across the EU will soon be publishing annual reports, which should give us a wider and better picture of the level of compliance one year into the GDPR.
9. ❌ The threat of huge fines never materialised, with the exception of Google’s token slap on the wrist by the French. Only 91 fines were imposed in the first eight months of the GDPR and (removing the €50M Google fine) the average GDPR penalty was approximately €66,000. Even Google’s fine was merely a snip of the company’s $136.2 billion 2018 revenue, approximately 0.04% – far below the 4% potential.
✅ The fines that were handed out were extremely measured and reflect that DPAs are not out to trip companies up, but are moving forward diligently.
✅ The ‘token’ GDPR fine from French CNIL against Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization” can be viewed as a shot across the bows for the tech giant. It also demonstrated that DPAs have the will and muscle to implement fines on larger companies and that the major players are not untouchable.
✅ The first GDPR fine was for the German social media platform Knuddels. Although the data breach was a major one, compromising the email addresses and passwords of 330,000 users, the company’s proactive approach to addressing the breach meant that the fine was only €20,000. They not only responded quickly by notifying the German data protection authorities and customers, they also worked rapidly to bring in the recommended security procedures.
Stefan Brink, state data protection commissioner for Baden-Wurttemberg, commented on its €20,000 fine against Knuddels: “The LfDI is not interested in entering into a competition for the highest possible fines. In the end, it’s about improving privacy and data security for the users.” Although it remains to be seen whether other DPAs take a similar approach, this case sets a valuable precedent.
✅ In March 2019, the Polish DPA showed a highly measured response by issuing only a €219,000 fine to a company that failed to inform six million individuals that their personal data were being processed. Similarly, the Danish DPA fined a company only €161,000 for holding on to personal data longer than allowed under the GDPR.
✅ In June 2019, the CNIL dished out a second fine, of €400,000, to the French real estate company Sergic. Although the breach was a serious one, i.e. a lack of due diligence in addressing a vulnerability and the fact that the accessible documents revealed very intimate aspects of people’s lives, the CNIL took the size of the company and its financial strength into account and imposed a measured fine.
10. ❌ It is a weak start from the regulation considering that DPAs have already handled around 100,000 self-reported breaches and user complaints.
✅ The complaints are still being processed and the impact has yet to be felt, in that we haven’t yet seen significant enforcement activity, both in terms of volume and amount.
✅ Many cases are also ongoing at international and national level – there have been 446 cross-border cases, which tend to be far more complex and take longer to resolve. Of the large number of cases reported to EEA Supervisory Authorities (SAs), over 144,000 queries and complaints and over 89,000 data breaches have been logged. 63% of these have been closed and 37% are ongoing.
11. ❌ The GDPR is ineffective against the tech giants as they have interpreted the regulation liberally at best. There is also a major lack of transparency. Facebook has been in the headlines for its reintroduction of facial recognition software and data sharing with its recently purchased subsidiary WhatsApp. Paul-Olivier Dehaye (a privacy expert who helped uncover Facebook’s Cambridge Analytica scandal) stated that “big companies like Facebook are 10 steps ahead of everyone else, and 100 steps ahead of regulators – there are very big questions about what they’re doing.”
✅ The EDPB released a report stating that out of the 206,326 cases reported under the GDPR across the 31 countries in the European Economic Area (EEA), the national Data Protection Agencies (DPAs) have resolved only 52 percent of them. As regulators work through this backlog, businesses can expect more fines of greater amounts in the coming months.
12. ❌ Google continues to turn a blind eye in terms of its failure to get consent from users “before sharing data among its fast-growing line of networks and products—from YouTube to Google Photos to Gmail and more.” Nicolas Vinocur at Politico refers to a significant loophole being exploited by the tech giants. Johnny Ryan, chief policy officer at Brave, referred to Google’s processing of user data in advertising transactions as a “massive and ongoing data breach” in which it leaks intimate user data to “thousands of companies every day”. According to Brave, Google’s ad exchange broadcasts personal information about users to “tens or hundreds” of potential advertisers every time they visit a website, with no limits placed on how the data is used, making it the “most massive leakage of personal data recorded so far”.
✅ The Irish DPA recently launched a probe of possible violations by Google’s online Ad Exchange – it became the lead authority to watch over Google’s privacy compliance after Alphabet established its main European base in Ireland in January.
✅ The Irish Data Protection Commissioner Helen Dixon said that substantial fines were on the way in the “coming months”. There are currently 18 investigations underway by the Irish DPA which has become the lead GDPR regulator for the majority of the major tech companies who are based there.
✅ The cases before the DPC in Ireland are some of the most consequential that will be decided about the GDPR. As precedents that could “redefine business models”, the actions need to be coordinated with other countries and the decisions need to be watertight to withstand court challenges. The progress of the Irish DPC will be fundamental to shoring up the GDPR in the future – as other high-profile U.S. technology leaders such as Facebook, Twitter, WhatsApp, Airbnb, Microsoft and Oath also have their European headquarters in Ireland to take advantage of the “one-stop shop” mechanism that simplifies cross-border data processing for non-EU organisations under the GDPR.
Part two looks at what the future holds for data privacy. Tune in to find out where the GDPR goes from here.
Make sure your digital analytics is GDPR-proof!
AT Internet’s Analytics Suite is 100% compliant with the GDPR. Protecting user data and respecting user privacy has been central to our analytics approach for over 20 years.
As an independent European provider since day one, we’ve always been strongly aligned with strict European policies on data protection and privacy. Our solution has been developed with privacy-by-design since the very beginning.
Our long-standing relationships with the CNIL, France’s data protection authority, and Germany’s TÜV, speak volumes. These trusted authorities recognise the conformity and surety of the Analytics Suite and have awarded us their certificate of compliance year after year.