Spanning more than 100 pages and 50,000 words — that’s 20,000 words more than Shakespeare’s "Hamlet" — the EU General Data Protection Regulation is more a hike up Mont Blanc than a stroll in the Jardin du Luxembourg. Adopted to great fanfare in 2016 and launched two years ago, May 25, 2018, it is often heralded as the most important technology-legal reform in a generation. With a broad geographical scope sweeping across national borders and industrywide application straddling even the public-private divide, the GDPR impacts almost every digital business in the world, as well as many traditional industries ranging from financial and healthcare to pharmaceuticals and retail.
Two years in, no doubt the GDPR has left a dent. But is it working?
To mark the framework’s second anniversary, the IAPP asked leading policymakers, practitioners and scholars to reflect on the past, present and future of the GDPR. Personally, I give it a mixed grade. To be sure, the higher the expectations, the more difficult the task. And the GDPR, the gifted wunderkind of Brussels-based policymaking, came replete with incredibly high — though sometimes conflicting — expectations from a vast array of stakeholders ranging from European and member state politicians and policymakers, to national regulators, multinational and domestic industry players, advocacy groups, academics and individual residents. But the GDPR did have explicitly stated goals. It set out to enhance privacy and data protection for Europeans and facilitate the free movement of personal data within the EU.
What went right
Public awareness
Like no law before, the GDPR thrust privacy and data protection into mainstream media and public opinion. Once the purview of a small cadre of policy “priests,” data protection became a mainstay of the EU public debate, regularly covered in the media and pursued by individual consumers.
Data protection notices appear in car rental agreements, upon check-in at hotels, and when adopting any app or digital device. Individuals have increasingly asserted their rights, submitting hundreds of thousands of complaints and requests to access, rectify or delete their personal data. Consumer groups have begun to weigh in, multiplying the power of individual residents by pooling complaints and litigation efforts. The media is laser-focused on the latest corporate data practices, as well as gauging and criticizing the activity of regulators. Alongside privacy scandals like Cambridge Analytica and a constant drumbeat of mega data breaches, the GDPR has made data protection a household name.
Corporate accountability
The GDPR fomented a surge in the ranks of data protection and privacy professionals. According to IAPP research, more than 500,000 organizations in the EU have already registered a data protection officer under the law. Thousands more are appointing data protection officers outside the EU, based on the GDPR’s broad extraterritorial reach. Gartner predicts that “by year-end 2022, more than 1 million organizations will have appointed a privacy or data protection officer.” Under Article 37 of the GDPR, to dutifully perform their roles, DPOs must demonstrate “expert knowledge of data protection law and practices and the ability to fulfill (their) tasks.”
This mandate provided a boost of energy to the data protection and privacy profession, creating unquenchable demand for DPOs who are qualified and trained on the law, technology and management of data in organizations. To empower the people who do the work of data protection, the GDPR catalyzed an industry of data protection technology providers. These include creators of tools for data mapping, data protection impact assessments, risk analyses, deidentification, incident response, consent and preference management, subject access request fulfillment and more. A thriving industry of privacy vendors has emerged, and analysts predict that driven by global regulation, it will remain unscathed from the current economic crisis.
Global impact
Perhaps more than any regulatory framework before, the GDPR has had a profound policy impact outside the borders of the EU. Part of this policy export impact is directly attributable to the GDPR’s insistence that data transferred from Europe continue to be protected at a level equivalent to that in the EU. For example, Japan, the third-largest economy in the world, rushed to negotiate a mutual adequacy arrangement as part of its trade package with the EU. But even beyond the data transfer restrictions, the GDPR has appealed to policymakers from Brazil to India, both top-10 global economies that have put in place or are in the process of adopting GDPR-styled data protection laws.
Indeed, over the past two years, even the largest counterweight to the EU model, the U.S. government, has inched closer to adopting an omnibus privacy protection law. Motivated, perhaps, more by legislative innovation in California, Illinois and Washington state than in Brussels, Congress has entertained draft privacy bills from both sides of the aisle that would make GDPR champions Jan Philipp Albrecht, Viviane Reding and Vera Jourova blush with joy. Indeed, the latest pandemic response privacy bill to come from Senate Republicans is called, lo and behold, the COVID-19 Consumer Data Protection Act. Note that even Sen. Roger Wicker, R-Miss., and his Republican colleagues use the GDPR-esque “data protection” rather than the more American “privacy” in the title.
Certainly, over time, some things do change.
Stress test
The last few months have provided GDPR fans unassailable proof that the law can withstand a real-life stress test. Sometimes derided by critics as overly rigid and bureaucratic, the GDPR has emerged as resilient and flexible when dealing with the COVID-19 crisis. Even as the pandemic put data protection rules under the spotlight, on issues ranging from work and study from home, return to the office, contact tracing, antibody passports and health care research, regulators and governments have deployed the GDPR judiciously, benefiting from the framework’s intricate balance of privacy rights against other compelling public interests such as public health. This facilitated the deployment of public health measures in Europe, including employee health scans and using technology for contact tracing at scale.
In the U.S., meanwhile, similar efforts have been mired in red tape, with companies treading cautiously in a regulatory minefield comprising dozens of disparate and sometimes conflicting federal, state and even city- and county-level laws and regulations.
What needs more work
More privacy
Surely, data subject complaints and corporate data notifications are a means to an end and not the ultimate goals of privacy and data protection laws. The jury is still out, I think, on whether the GDPR has actually afforded European individuals more privacy compared with their global counterparts. Has the GDPR fundamentally altered data-driven business models and organizational data practices? Are data brokers and advertising technology players less active or more restrained in the European data market than elsewhere?
While the GDPR no doubt inundated European online users with more privacy notices and choices, did it result in less cookie-tracking, marketing emails, geolocation targeting, biometric or genetic data collection? Are privacy notices in Europe now more transparent, clear and concise than before?
More harmonization
One of the thorniest policy issues impeding the progress of U.S. privacy legislation is the scope and degree of preemption of state privacy laws. Clearly, the passage of California’s strict California Consumer Privacy Act changed the dynamics among stakeholders and galvanized Congress to act. And one of the stated goals of federal legislation is to harmonize protection across state lines. But U.S. senators and House of Representative members continue to debate to what extent states should remain free to offer additional protections beyond a baseline federal standard.
Similarly, in Europe, alongside stronger data protections, one of the central goals of the GDPR was to rationalize European data protection law, which was fragmented across 28 member states, some of them with federal systems. Two years in, divergent interpretation between national and state data protection authorities remains on issues ranging from children’s privacy to the role of the DPO. Moreover, the cooperation and consistency mechanism, which is a key aspect of the much-heralded concept of the one-stop shop, surfaces procedural and substantive difficulties in applying the GDPR across national borders. Two years in, it seems that despite replacing the 1995 Directive with a directly applicable regulation, the project of EU harmonization remains a work in progress.
More focus
In a recent media interview, Helen Dixon, Ireland’s data protection commissioner, observed, “One of the problems with GDPR is that it has become the law of everything, and that it’s drawing data protection authorities, who are not elected officials, into making an awful lot of decisions that impact societies and individuals, which go well beyond data processing.”
That is a salient point.
As a “law of everything,” the GDPR has enabled Brussels to compensate for its weakness in other regulatory areas, in which its competence is less clear cut. One obvious example is the "Schrems" case, in which Brussels and national data protection regulators obtained the authority to oversee the practices of U.S. intelligence agencies, a power they do not wield even in their own jurisdictions. Another is the field of artificial intelligence, in which DPAs, whose traditional remit was limited to privacy concerns, now confront policy questions about opacity and transparency, fairness and bias, auditing and due process. For decades, Euro-skeptics have accused the Brussels bureaucracy of suffering from a democratic deficit. Similar concerns are now focused on DPAs, who as unelected officials are thrust into highly politicized, fundamental policy debates, with little or no guidance from policymakers.
This, of course, is a very partial list of the GDPR’s strengths and weaknesses. Researchers are devising experiments and metrics to assess the effectiveness of the legislative reform. And we are only just getting started. Many of the tools and mechanisms of the GDPR, such as certifications, seals and marks and codes of conduct, have hardly even been put to use. The next years or even decades will provide a clearer view of the success of this formidable European project.