To celebrate Data Privacy Day this year, we are taking a look at perhaps the most globally significant piece of privacy legislation yet, the EU’s General Data Protection Regulation (GDPR). Almost everyone who works with digital services has had to factor its ratification into their work, and almost every consumer has been made aware of it, at least through (occasionally tiresome) consent forms popping up on every law-abiding website.
However, despite it being the most talked about EU law of the year, its real impact on those affected by it can seem slightly shrouded in mystery. For this reason, we are taking a brief look at its surprisingly long history, its immediate impact, and asking industry experts about the implications it has for the future of not just Europe, but the world.
1995-2018: The European Data Protection Directive
Most of us would be surprised to learn that the seeds of this monumental privacy law were sown as early as 1995, when the Data Protection Directive was passed. This EU directive, formed in the very early days of the modern internet, was groundbreaking in many ways. It defined the legal concept of personal data as we understand it in digital terms, set principles which govern when companies are allowed to process that data, and set limits on how personal data can be shared outside the EU.
If you have read anything about GDPR and this sounds familiar, you are not alone. The GDPR in fact supersedes this directive, taking its core aspects and updating them for the modern age. A major distinction is that GDPR is a regulation, while the Data Protection Directive was, well, a directive. EU directives are not directly enforceable laws per se, but member states are mandated to implement their content into their own sovereign legal framework. Regulations such as GDPR are directly applicable, which means that they automatically form part of the domestic legal order in all of the EU member states.
If you don’t find the fact that a privacy directive was enacted in 1995 impressive, consider this: As of 2018, the United States STILL does not have federal legislation specifically related to personal data. As far as the other global superpowers go, laws regarding data protection are even more dire. Considering the right to digital privacy a human right in the nineties was nothing short of visionary lawmaking.
May 2018: GDPR Comes into Effect
As of writing this, GDPR has been in effect for less than a year, and things have largely returned to normal. This is not to say it has rolled out flawlessly, with some of its issues more predictable than others. It is quite unfortunate, for instance, that the launch of such a consumer-friendly piece of legislation made such a bad first impression on those it protects.
Practically the whole of Europe had their patience tested with an endless stream of website prompts requesting consent to process their personal data. In linguistics, the term “semantic satiation” refers to words or phrases which temporarily lose meaning when said too many times. I cannot think of a better example of this than the title “We value your privacy” popping up every time you load a website or load up your inbox.
This oversaturation of privacy policies has regrettably led to some consumer apathy: according to research by SITRA, 29% have accepted GDPR privacy policies without so much as a second glance. The same research indicated that 64% of users had their online habits affected in some way by GDPR. It’s not perfect, but it’s a good start.
This unintended consequence came about because the authorities underestimated how much companies would procrastinate on their GDPR compliance. They had 2 years to do this, yet most seemed to behave like high schoolers trying to write an essay with willpower and coffee at 3 a.m. and became compliant at the eleventh hour.
There were other consequences too, ones that only became apparent once the law's rollout date was approaching. For a while it seemed that many websites would simply give up and stop serving EU customers altogether. Certain newspapers (or publishers, to be exact) such as Tribune Publishing, owner of the Chicago Tribune, have elected to simply block traffic from the EU altogether. Other news organizations have opted for a more consumer-friendly approach, with USA TODAY electing to offer European users a rather beautiful, ad-free version of their site.
Other digital services such as the unsubscribing assistant unroll.me and webpage-saving tool Instapaper also blocked EU customers from accessing their sites, at least superficially. Most services that initially blocked EU users have since taken their finger off the panic button, but some sites like unroll.me are still technically not available to EU subjects.
Both of these bumps in the road happened for largely the same reasons, with the European Union and the service providers themselves sharing some of the blame. First, it’s true that the EU could have done a better job at communicating the contents of the 11-chapter, 99-article behemoth of a document. A campaign listing the various action points for companies might have served everyone better. There was clearly a communication gap between the occasionally muddled EU bureaucracy and the stakeholders who were directly affected by the law.
That is not to say that businesses are entirely free from blame. Everyone had two years to comply with the law and notify their customers, yet most companies seemed to behave like high schoolers with their essay deadlines. It’s possible companies wanted to see how their competitors would react first, or they simply underestimated the amount of work needed. There were many GDPR compliance guidelines published in the wake of its rollout, including ours, but perhaps the wake-up call came a bit late.
The Global Impact of GDPR
The European Union has tried to position itself as a torchbearer for consumer-friendly legislation, a supporter of liberal democracies and a champion of freedom of speech. Since the effects of GDPR reached well outside the boundaries of the European Union, will it have an impact on data privacy legislation around the world?
Microsoft CEO Satya Nadella seems to think so. At a recent talk he praised GDPR, calling for global rules on privacy and artificial intelligence, so that everyone in the tech industry would have a level playing field.
“My own point of view is that it’s a fantastic start in treating privacy as a human right. I hope that in the United States we do something similar, and that the world converges on a common standard.”
Apple CEO Tim Cook, in a recent TIME magazine op-ed, proposed a federal “Data Brokers Registry”, which would allow people to see what information about them is sold online, and if necessary, delete it. While federal law is still lagging behind, progressive states have already stepped up: The California Consumer Privacy Act of 2018 has been widely welcomed by privacy experts.
Canada also recently updated its own version of the GDPR, PIPEDA, to cover many of the same personal data-related issues that GDPR addressed. Brazil and India are also following suit.
It’s fairly safe to say then that the GDPR is having a global impact, and the future of data privacy looks somewhat bright, at least in democratic countries. I reached out to Viivi Lähteenoja, Head of Programmes at MyData Global, and her opinion echoed this optimism:
“Europe has shown itself to be a thought leader in adopting the GDPR after over six years of development. Similar laws are now in force, or discussed, worldwide. In a global economy where personal data is controlled either the Silicon Valley way or the Chinese government way, Europe is showing a third way to use personal data in a way that is both respectful of individuals and useful to business.”