As we approach the one-year anniversary of the GDPR which went into effect on 25 May 2018, we can now review the benefits and pitfalls of the EU’s General Data Protection Regulation. While many businesses, primarily Google, have been fined a total of €56 million for GDPR breaches out of over 200,000 reported cases and over 59,000 reported breaches in the first eight months, there are more practical questions for how the GDPR has affected the culture of technology and the everyday use of the internet.
Initially, the GDPR was created to codify and unify data privacy laws across European Union member countries while also serving as the legal basis for protecting user data. A secondary ethos of the GDPR was to redress the imbalance of power between big tech and consumers, forcing big tech companies to be accountable for how they use data. Both rationales, however, have largely turned out to be a failure, according to Giovanni Buttarelli, a European data protection supervisor. In fact, Buttarelli notes that ticking a box “does not necessarily mean consent is freely given.” So, all those pop-ups we have had to go through in order to access sites this past year? Was all this time wasted for nothing?
Two months ago, UK-based law firm, DLA Piper, reported that only 91 fines had been reported not all which were related to personal data breaches, but also other sorts of GDPR infringements. The highest fine imposed to date was the €50 million fine made by the French government against Google on 21 January 2019 for the improper processing of personal data for advertising purposes without authorization. In short, it is still unclear what the legitimacy is of business to collect user data for the purpose of targeted advertisements and this is why the GDPR is perhaps one phase of many to clarify what data and how data can be used, if at all.