Online privacy has become a point of contention in recent years, particularly surrounding Facebook and Google. There is a lot being done behind the scenes of the ever-growing online world to make your information safer and more private. One of the most impressive and thorough pieces of privacy legislation so far comes from the European Union: the General Data Protection Regulation (GDPR). While only in its infancy, the GDPR has become a huge topic of conversation. The current state of the GDPR has laid the groundwork for other countries to begin the privacy battle as well.
The Introduction of GDPR
The GDPR was originally implemented on May 25, 2018, but had been in the works for nearly twenty years prior. The first form of privacy legislation brought to life in the EU was adopted back in 1995. Given the name European Data Protection Directive, this piece focused on the protection of individuals’ personal data during processing and the freedom of movement of that data, which brought the member states together for a universal privacy law. From there, the journey of online privacy legislation in the EU began a long and winding road towards official implementation. While the minutiae of those twenty years aren’t too important, the EU eventually came to a conclusive law that has become known as the GDPR. Over the last year, there has been much talk about this new regulation and what it means for the business world. While nothing monumental has occurred, there has been a bit of change in the EU. Here is what the current state of the GDPR looks like:
The implementation of the GDPR sent a shockwave across Europe and through foreign companies that were involved with the EU. Conversations focused on how this regulation was changing the world and had set a certain bar for privacy worldwide. The GDPR was the evolution of existing rules within the EU that allowed people to both hope for and work towards stronger online privacy. Most, if not all, were extremely interested in the GDPR and did their best to reach compliance, but the excitement surrounding the GDPR quickly dissipated.
The First Year
Within the first year, the GDPR enacted new cookie banners as the conversation around the actual definition of consent drew on. Many websites were using an approach known as implied consent; unfortunately for these websites, the GDPR required a higher standard of consent – forcing cookie banners to allow users to confirm or deny their usage. Websites struggle to find a positive way to adhere to these laws put in place and it seems as if the regulators don’t care too much about it.
Another issue companies are facing is the complete transparency that the GDPR, along with ePrivacy laws, requires. Simply put, this means that websites must explain what each cookie and tracker does on the site – bringing to light the issue of 3rd-party trackers and how to define them. We’ve yet to see finalized rules regarding transparency in relation to 3rd parties. In the meantime, one way to combat these trackers is with Ghostery. As a privacy-focused company, Ghostery offers several products that are designed to increase transparency and allow users to block ads and trackers within their browsers.
With GDPR’s first year having passed, there are a few things that have occurred. First off, there was a failure in imposing fines on companies that failed to decently protect their customers’ data. While it has only been considered a transition year, there has been great success for the GDPR as a breach notification law during a period of increasing data breach reports. But many see this as an insignificant feat since it only pertains to a few peripheral things. Increased breaches are valuable for three groups of people: those whose information has been stolen, regulators and technology designers attempting to understand and alleviate causes of said breaches, and researchers inspecting the breach impacts and costs. Otherwise, the only other notable part of this aspect of the GDPR is that it has created the only single breach-notification regulation in the EU. Unfortunately, there hasn’t been much done to allow regulators to fine companies that mishandle personal data. Penalties imposed under the statute added up to nearly 56 million euros, which isn’t that impressive given that there was a fine of 50 million euros against Google back in January. Lastly, on a more positive note, the GDPR did finally establish a more comprehensive definition for personal data.
It’s easy to see that the full implementation of the GDPR within the EU is an ongoing process, but considering its youth, it’s an impressive step forward. Increased territory, magnified penalties, and stronger consent requirements have all played a role in the current state of the GDPR. Yet, there are still issues in place. Part of the difficulty the GDPR faces stems from the general population’s concern for data security, rather than data privacy. The difference between the two is that data security is protecting data against any unauthorized access (technical issue) while data privacy is about who has authorized access to data and who defines that (legal issue). Many people still ignore cookie banners and simply click through to access sites. However, as efforts continue, there is hope for the GDPR to continue moving in the right direction of better data protection.