In 2018, the most important currency in the world is data, with companies trading in it and making billions of dollars off the back of it. Tomorrow we will see the introduction of the most comprehensive data privacy law in history, a regulation that is intended to tackle the many pitfalls of this digital age. As a result, Europe’s General Data Protection Regulation (GDPR) will have far-reaching consequences.
The standard complaint about any new regulation – and any new EU regulation in particular – is that it is too complicated. The EU’s GDPR has received the usual dose of this. But in this case, the criticism is wrong-headed.
Vera Jourova, the EU’s justice commissioner, describes it as a “loaded gun” in the hands of regulators. The bloc introduces the GDPR, which will, its advocates argue, dramatically improve the care with which organizations both within the EU and elsewhere treat our personal data. The law will be enforced across all EU member states, streamlining compliance. It also applies to any organization outside the EU holding EU citizens’ data. That means any company anywhere in the world that holds any EU customer or operational data will have to take appropriate measures to protect it.
GDPR will harmonize data protection rules across the world’s largest trading bloc, give greater rights to individuals over how their data are used, put in place significant protections for children and streamline regulators’ ability to crack down on breaches.
When the new rules were first proposed, many executives in Silicon Valley derided them as restrictive and anticompetitive. But in the wake of the scandal over the use of Facebook data by Cambridge Analytica, Europe’s approach to data privacy has started to appear much more relevant.
According to many companies and data protection authorities, GDPR could become the global norm, setting standards for behavior not just in the EU but in countries where hitherto individuals have had few weapons to defend their rights online. Even Sheryl Sandberg, Facebook’s chief operating officer, admitted last month that “Europe was way ahead on this.”
Many businesses are unprepared for the new rules and several countries have failed to pass the necessary legislation to implement them nationally. Questions have also been raised about the ability of data protection authorities across the bloc to enforce the new rules adequately. Even critics acknowledge that GDPR will introduce a new vigour into the messy patchwork of rules governing how our data are treated across Europe. It requires any organization anywhere in the world that handles the personal information of an EU citizen to be transparent about how it collects, stores and processes it.
Organizations must obtain unambiguous consent to use and retain data, keep it up to date, delete old data and, if they process a large volume of personal information across many data subjects and categories of data, appoint a data protection officer.
But when is a company a “data controller” and when is it a “data processor”? The two have different responsibilities under GDPR, but the distinction resolutely resists commonsense understanding. Already companies are quibbling over the classification.
Fundamentally, though, when the GDPR comes into effect, it will put just and straightforward principles into place. Organizations that collect or use personal data should ask for the consent of the individual and disclose their reason for doing so. The data should be used only for the stated purpose. If that individual then wants to see what has been collected, they should be able to do so. If personal data are breached, that should be disclosed quickly.
In our opinion there is very little to argue with in any of this. If the cost of complying is significant, that speaks less to the rule than to the fact that companies have collected and stored our data in ways that ought to make us uncomfortable, Facebook under Mr. Zuckerberg being the obvious case of what happens “if you fail to control your own creation”.
That said, there remain serious questions about whether the law will have the intended impact, or what unintended consequences it may create. Most important of these is whether the burden of compliance will fall with equal weight on all technology companies. The analogy to post-crisis banking reform is useful. Rules designed in part to end “too big to fail” had the contrary effect: the cost of compliance was easier for big institutions to bear. The effect was probably an overall dampening of competition. The European Data Protection Board (EDPB), the body in charge of GDPR’s application, should make sure that, once the initial transition period is over, the cost of compliance does not put small businesses at a permanent disadvantage.
Next is the question of how responsibility for enforcement will be shared among EU member states. For companies, oversight responsibility will be assigned to the Data Protection Authority (DPA) of the member state where they are based or have their primary operations. Complaints originating in other countries will be referred to that DPA. In the case of Facebook, Twitter and LinkedIn, for example, Ireland would probably be in charge. In cross-border cases, national DPAs will recommend enforcement actions to the EDPB for a ruling. If a company were to dispute the EDPB ruling, the case would be fought out in the member country’s court system.
The new rules also forbid companies from processing data on race, ethnicity, political opinions, religious beliefs, trade union membership or sexual orientation without explicit consent.
Ultimately, the impact of GDPR will depend on whether individuals decide to exercise the greater powers the rules give them. They are part of a growing worldwide push for customers to mature into “digital adults”, with both greater control over and responsibility for their own information. Proponents hope that GDPR will help individuals become both more demanding and more aware of their new power. “Data subjects are going to become increasingly aware of their rights, and they are not going to put up with poor practices by organizations”, says Helen Dixon, Ireland’s data protection commissioner. She also points to the fact that Facebook’s registered users have actually increased while the Cambridge Analytica scandal has raged as an example of the so-called “privacy paradox”: while people say control over their data matters to them, they have remained, by and large, casual about relinquishing it.
-GDPR’s Reach-
The GDPR’s reach is already spreading well beyond the EU. According to Graham Greenleaf, a professor of law and information systems at Australia’s University of New South Wales, 120 countries globally had data protection laws in 2017, but GDPR is probably the broadest and most rigorous.
For a start, any country wanting to sign a trade deal with the EU will have to sign up to respecting GDPR, the first time the EU will formally address the issue of trade and data flows as part of its role negotiating free trade agreements on behalf of its 28 member states.
For many large multinationals, it could make sense to adopt GDPR globally both from a cost and consistency standpoint. Regulators in places such as Hong Kong have based their laws on the EU’s 1995 data protection directive, and have confirmed they intend to update them to reflect GDPR.
Yet despite the predictions about global impact, there are big questions about how it will actually be implemented within the EU. Given the scope of the new rules, which run to more than 200 pages, preparing for GDPR has proved both onerous and expensive. Companies in the UK’s FTSE 100 are estimated to have had to spend an average of 15 million pounds each to comply with them, according to research by the legal tech firm Axiom. Meanwhile, in the US, the International Association of Privacy Professionals and EY say members of the Fortune 500 will spend a combined 7.8 billion US dollars on compliance, an average of almost 16 million US dollars each.
The survey suggests that Fortune 500 companies have each had to hire on average five full-time dedicated privacy employees, such as data protection officers, as well as another five employees to work part-time on compliance. For some businesses, GDPR has required them to conduct an audit of what information they hold, but the task of “cleansing” databases of old or duplicate information, and contacting individuals for consents, has often taken months of staff time.
Given the scale of the task, a significant number of organizations will not be ready in time for May 25. A survey of nearly 200 global businesses by SAS, an analytics company, in February found that fewer than half expected to be fully compliant by deadline day.
Smaller companies across the EU and elsewhere are at particular risk. In March, the UK’s Federation of Small Businesses, for example, found that fewer than one in 10 small businesses in the UK were fully prepared for GDPR, with just under one in five unaware even of the existence of the new rules.
But it is not just organizations that are lagging behind. In January the European Commission said that of the bloc’s 28 member states only Austria and Germany had fully adopted changes to their legislation ahead of the new regulations, while countries such as the UK are expected to pass the laws at the last minute. Baker McKenzie says five EU countries, Bulgaria, Greece, Malta, Portugal and Romania, have not even published a bill or proper information about how they will implement GDPR.
For organizations that remain in breach of the new rules, failure to comply could bear a high cost, with fines of potentially 4% of global turnover or 20 million euros, whichever is the greater.
The cost of putting things right, as well as the reputational hit, could be even higher. But there are significant question marks over whether those in charge of enforcing the new rules are up to the task.
As early as 2015 Jacob Kohnstamm, former chairman of the Netherlands’ data protection authority, was warning that organizations breaking the rules faced “little chance of being caught”. Given his organization’s budget to do investigations, “the chance of having the regulator knock on your door is less than one every thousand years”.
Most European DPAs’ budgets are still a fraction of those in North America, and have risen by only about a quarter on average across the bloc in response to the increased demands that GDPR places on them.
Giovanni Buttarelli, the European Data Protection Supervisor, warned at the end of last year that the number of people working for regulators in the EU, about 2,500, was “not many people to supervise compliance with a complex law applicable to all companies in the world targeting services at, or monitoring, people in Europe”.
Last September Elizabeth Denham, the UK’s information commissioner, said she needed more staff on better pay if the regulator was to enforce GDPR effectively. After a boost in government funding, the Information Commissioner’s Office will increase headcount by a third to about 700 by 2020, but DPAs and companies across the bloc are fighting to hire the trained staff they need.
Ms. Dixon’s office in Ireland has 100 staff and she plans to recruit 40 more this year, bringing in litigators, criminal lawyers and staff with investigative experience, for example from the insurance sector. “To use big corrective powers that really bite we will have to be demonstrably showing we have followed fair process”, she said. Ms. Dixon is well aware of the scale of the task ahead, given that Dublin is the European home to many of the US tech groups such as Facebook, Twitter, Dropbox, LinkedIn and Airbnb.
Under GDPR one authority will take the lead on cases such as data breaches and related issues, rather than the current situation where a company can face multiple legal challenges from regulators in different EU member states. In theory, GDPR prohibits “forum shopping” by companies keen to choose their preferred regulator, and objective criteria should govern who leads on specific cases.
Facebook would be the Irish DPA’s responsibility, given that its central administration is in Ireland, its terms of service are associated with its Irish entity and it has a substantial data protection and privacy team in Dublin.
For companies such as Google, which provides services through its global headquarters, regulation will depend on where cases are brought in Europe. This will make it less clear which regulator has oversight over the company’s data use and privacy practices.
There are other grey areas. Advertising technology businesses that harvest data from third-party websites may have to seek consent from users. Google has attempted to deal with this by defining itself as a “controller” of data under GDPR when handling third-party information. But the designation has been resisted by publishers which will have to seek consent to share information with Google, raising concerns among their own users.
The question, therefore, is whether the national DPAs have the financial and organizational muscle to take on powerful companies.
DPA funds will come out of national budgets; no European funds have been allocated to them. And the EDPB is itself thinly staffed and could struggle to provide support. Ireland’s DPA is relatively well-staffed, but its 11.7 million euro budget this year is small change compared with the public affairs departments of Facebook or Google.
GDPR is designed to give EU citizens information and control. If they do not absorb the information or exercise the control, and grant consent casually, the rules will not make them better off.
In our opinion much is still to be learnt about how best to put it into practice. But we already know that rights are empty unless exercised.