It’s been a year since the EU enacted the sweeping data privacy legislation that is GDPR (General Data Protection Regulation), and the report card for year one is mostly filled with C’s. Some aspects have succeeded, such as the regulation’s effectiveness as a breach notification law, but both media pundits and members of the International Association of Privacy Professionals (IAPP) agree that GDPR has failed to levy substantial (if any) fines on companies in violation of the law.
In a March IAPP panel in London, where leaders from across the EU and from the IAPP convened to discuss the effectiveness of the law, Stephen Eckersley, head of enforcement at the UK Information Commissioner’s Office, said the U.K. had seen a “massive increase” in data breach reports since the May 25 implementation date. According to a February survey issued by international law firm DLA Piper, approximately 60,000 data breaches were reported in the first eight months after GDPR came into effect.
The Netherlands, Germany, and the U.K. topped the table in the report with approximately 15,400, 12,600, and 10,600 reported breaches respectively. The lowest numbers of reported breaches occurred in Liechtenstein, Iceland and Cyprus with 15, 25 and 35 reported breaches respectively, the survey shows.
Ross McKean, a partner at DLA Piper specializing in cyber and data protection, put it this way: “The GDPR completely changes the compliance risk for organizations which suffer a personal data breach due to revenue based fines and the potential for US style group litigation claims for compensation,” he said. “As we saw in the US when mandatory breach notification laws came into force, backed up by tough sanctions for not notifying, the GDPR is driving personal data breach out into the open. Our report confirms this with more than 59,000 data breaches notified across Europe in the first 8 months since the GDPR came into force.”
While the breach notifications are nothing to ignore — in fact, they are quite an accomplishment in the realm of data privacy — the most valuable takeaways are that consumers whose information may have been stolen have been identified, that regulators and developers can better understand and mitigate the causes of breaches, and that researchers and legislators can work on understanding the impact and damage of the breaches.
With regard to fines actually imposed, this is where French regulator Mathias Moulin stressed that the first fiscal year of GDPR “should be considered a transition year.” According to a report published by the European Data Protection Board, approximately 55,955,871 euros were imposed as penalties and fines in the first nine months of GDPR. Almost impressive — until you consider the fact that 50 million of those euros were pinned on Google in late January. So that’s about 5 million in fines levied against all other companies world-wide for the entire first year of GDPR. Now, remember when we touted the fact that a GDPR fine could be up to 4% of a firm’s global annual revenue (GAR) or up to 20 million euros? Well, not so much, when you look at what Google brought in this year. Against $136.8 billion in revenue, the fine levied against the tech giant accounts for only 0.04 percent of GOOG’s GAR.
A transition year indeed, Mathias Moulin. Fines and appropriate fiscal actions will have to be a main priority for the EU government going into year two of GDPR enactment.
The effect on U.S. tech startups
When it comes to collecting and utilizing first-party data, US-based company Braze, a customer engagement platform, has been at the forefront of championing and implementing GDPR globally.
“For us, our consumers are inherently global anyway. It’s not worth the confusion for us to build two different levels of data privacy,” said Jonathan Hyman, Co-Founder and CTO, echoing the Apple method of GDPR implementation. “If US companies treat their US consumers differently to their EU consumers, there is going to be a huge reckoning when similar data privacy provisions become effective and adopted in the US,” he said, pointing to the inevitable data regulation legislation in the US.
As for how GDPR has affected day-to-day operations, it has certainly been part of the weekly conversations at Braze, especially when it comes to designing products. According to Hyman, the firm has been diligently working on restructuring its data warehousing.
“A big part of that project is making sure we’re deleting data from our data warehouses consistently with respect to GDPR information deletes,” he said. “We’ve had to ensure that our projects have a focus on data privacy, as GDPR has mandated, and that we bring data privacy into the fold when thinking about projects.”
Braze now expects the same from the vendors it works with.
“We’re now asking to understand the data they’re storing. If we’re using a vendor for a certain set of functionality, they need to tell us what other information they’re storing on end users, and if they have the ability to delete that data,” he said.
“It’s definitely affected the way we’ve conducted business internally and externally.”
Data regulation in the U.S.
Facebook CEO Mark Zuckerberg issued his latest plea for increased internet regulation, including widespread adoption of data privacy laws, in a Washington Post op-ed and blog post published last month. Zuckerberg laid out four areas of the internet that require a “more active role for governments and regulators.” According to Zuckerberg, one area is a common framework for comprehensive privacy regulation such as GDPR.
“New privacy regulation in the United States and around the world should build on the protections GDPR provides. It should protect your right to choose how your information is used — while enabling companies to use information for safety purposes and to provide services,” wrote Zuckerberg. “It shouldn’t require data to be stored locally, which would make it more vulnerable to unwarranted access. And it should establish a way to hold companies such as Facebook accountable by imposing sanctions when we make mistakes.”
Zuckerberg isn’t the first tech CEO to endorse GDPR globally. Last year, Apple CEO Tim Cook called for federal privacy regulation, and Microsoft CEO Satya Nadella has also praised Europe’s laws. And like many other professionals involved with GDPR compliance, Neil Lustig, CEO of GAN Integrity, a global compliance management system, points to examples of new GDPR-spurred or GDPR-inspired privacy laws such as the California Consumer Privacy Act (CCPA), the introduction of the Washington State Privacy Act and Congressional action on a federal privacy bill.
“Data regulation similar to GDPR is coming to the US,” he said. “It’s inevitable. But when it does, it needs to be federal, as opposed to state-level, and it’s crucial for tech companies to take a seat at the table to educate our legislators on data privacy.”
GDPR is still young, and both companies and regulators are still busy figuring out how it works, but Lustig believes that US companies are eager to have the necessary talks to implement regulation in the States.
“Very few people, very few companies wake up and say, ‘How am I going to violate privacy today?’” he said. “Companies want to protect consumers.”