Today marks an important date in the calendar of all those working in the data protection industry. It’s the third-year anniversary of the General Data Protection Regulations (GDPR) coming into force across the EU, a piece of landmark legislation underpinned by the aims of enhancing individual privacy rights and unifying data protection rules throughout the EU.
It’s fair to say that since May 25, 2018, the fields of data protection and privacy have evolved significantly. There have been several major global events that have challenged these issues, including Brexit and the COVID-19 pandemic, while concerns about the way big tech firms collect and use personal data have come increasingly to the fore. Additionally, there has been a swathe of new data protection laws enacted throughout the globe during this time.
As we reach GDPR’s third birthday, it feels like an ideal time to assess and grade its performance so far. To discuss this in depth, Infosecurity recently spoke to Omer Tene, vice president & chief knowledge officer at the International Association of Privacy Professionals (IAPP), a not-for-profit organization that works to define, promote and improve the privacy profession globally.
GDPR Successes
In Tene’s view, the biggest success of the GDPR to date has been to push privacy and data protection issues high up on the boardroom agenda in organizations. “It definitely elevated data protection for pretty much every business, and I think that motivated them to go through the exercise of mapping their data flows, inventorying their data and putting in place a privacy program,” he outlined.
This impact has ultimately been felt far beyond Europe, with the rules inspiring a raft of new data protection legislation throughout the world, which are broadly based on the GDPR model. These include the California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law and the Act on the Protection of Personal Information (APPI) in Japan. Privacy legislation is also pending in the two largest countries in the world, China and India, and many experts believe it is just a matter of time before a federal privacy law is introduced in the US.
Tene therefore gave the GDPR an "A+" rating for its legislative impact, stating it has had “a really profound effect on policymakers.”
Impact on Individuals’ Privacy?
However, its impact on individual privacy has been more modest, according to Tene, who gave its performance in this area a "B." “GDPR did trickle down to consumers, citizens and employees, but I think largely it’s still more of a corporate compliance issue,” he explained, noting that “for the most part, if you ask your relatives and friends who are not in this industry how impactful GDPR has been for them, the answer would probably be that it hasn’t revolutionized their life.”
“GDPR did trickle down to consumers, citizens and employees, but I think largely it’s still more of a corporate compliance issue"
While Tene acknowledged that privacy issues have “exploded” on the news agenda in recent years, particularly regarding the activities of big tech firms, he believes this has occurred regardless of the GDPR. “I think the media has just caught on to the impact that data practices have on the digital economy,” he explained.
In fact, Tene is skeptical of the idea that GDPR will ever be the driver of significant change in terms of providing individuals with great control over their own data. Instead, he expects we will increasingly see big tech firms take the lead in this area, motivated by commercial factors. He pointed to Apple’s recent introduction of an app-tracking transparency framework into its ecosystem as an example of this, which “will probably end up doing far more than GDPR does in curtailing tracking practices.”
He predicted companies such as Apple, Facebook and Google will continue to take it upon themselves to confer greater controls on personal data in the coming years. Tene asked: “Did Apple bring in app-tracking transparency because of GDPR or some impending US regulation? No, it did it because it thinks it’s integral to its brand and reputation – it’s a competitive move against Google, Facebook, and I think that is a stronger motivation.”
Facilitating Data Flows
Another area where the GDPR hasn’t worked as well as initially hoped is in facilitating data flows globally, according to Tene. This came to the fore last year with the Schrems II ruling by the Court of Justice of the European Union, which held that the Privacy Shield scheme for transfers of personal data from the EU to the United States is unlawful. As a result, there are now “a lot of questions” about the adequacy of ‘third countries’ when it comes to data transfers to and from the EU, noting that even the UK has had difficulties in being granted this status post-Brexit. “I’m not sure that the GDPR can be said to have facilitated and enabled data flows,” commented Tene.
He therefore hopes that the EU looks to adapt the GDPR to address this issue, as there is currently a very real danger of Europe's “becoming an isolated island in global trade.” He added: “I hope that some things will adapt in GDPR because the cross-border data transfer impasse we’re in is unsustainable, and it is fundamental for European businesses.”
Impact of COVID-19
It’s almost impossible to talk about any topic at the moment without mentioning the COVID-19 pandemic, and there is no exception for the field of data privacy and protection. Tene believes that in some respects, the GDPR has proved “very forward looking” in regard to tensions that have been seen between data protection and public health during the pandemic. “There’s even language around contact tracing,” he observed.
However, Tene said there have been significant challenges surrounding the greater need for research and data to be shared among healthcare institutions that GDPR has struggled to resolve. “We have certainly seen a lot of dilemmas play out such as does the EU enable pharma companies, research institutions and academia to share data effectively enough in order to develop vaccines and roll them out, or to track the spread of the virus,” he explained.
He expects that further reform of the GDPR will arise from these experiences, outlining that “the pandemic will move the needle on areas like data sharing, not only in Europe, but between Europe and other countries for things like pandemic mitigation.”
It’s hard to dispute that the GDPR has had a substantial impact on data protection and privacy, not least in inspiring a wave of new laws governing these areas throughout the world. There are certainly areas for improvement though, with Tene highlighting areas such as individual privacy and data transfers in that regard. Nevertheless, it should be noted that the GDPR is still very much in its infancy and to achieve an A+ in all aspects of its work at this stage would have been highly unrealistic. The key to its success going forward is likely to come down to how well the EU adapts its provisions in response to an ever-changing landscape; this will be well worth keeping tabs on in the months and years ahead.