May 25th marked one year since the GDPR went into effect. Love it or hate it, the General Data Protection Regulation is the first step we’ve taken towards establishing digital privacy in Europe. But what effect has it had so far, and more importantly, what are we to expect from it in the future? We celebrated the first anniversary of the GDPR with an episode of our biweekly vidcast, GoodTech. We invited Mitch Ratcliffe, journalist, author, editor and serial entrepreneur who has covered the topic of digital privacy since the early days, to talk about what the GDPR means for business worldwide. Here’s a recap of our conversation.
What is the GDPR, anyway?
The GDPR is an EU framework in effect since May 25th, 2018 that protects the rights of EU citizens to control their personal data. It regulates how their data can be collected, stored and used by companies in and outside of the EU. It requires the ability to opt in and out of data collection (consumers must be able to give and retract consent), grants consumers the right to be forgotten (their data deleted forever), and obliges companies to report significant data breaches within 72 hours.
The stakes are high. Failure to comply with the regulatory policy may incur a fine of up to €20 million or 4% of the company’s annual revenue.
“The intention of the law is to make it easier to do business based on a set of guidelines on how to manage personal data,” says Mitch.
Before the GDPR, each country had its own national laws, which have now been standardized to apply to the EU’s 500 million consumers.
Mitch points out that Europe has a long history of data exploitation which serves as a reason for caution when it comes to privacy: World War II and the Nazi regime’s systematic abuse of personal data to identify Jews and other minorities have not faded from the continent’s collective memory.
The effects of the GDPR beyond Europe
The GDPR affects companies from outside the EU, too. For example, if a US-based company runs an ecommerce website visited by EU citizens, they are required to store the data of the consumers that they deal with in their own countries. If they store their data in US data centers, the company is potentially liable.
We have already started seeing examples of European regulators calling out global tech companies for failing to comply with the GDPR. Google is currently being investigated by Ireland’s Data Protection Commissioner, which raises a lot of concerns about the tech giant’s approach to digital privacy.
“The argument that Ireland is making is that every time Google places an ad, they target a particular demographic – that’s unabashed exploitation of personal data,” says Mitch.
We have yet to see how this scenario plays out.
Is the US following suit?
With the establishment of the California Consumer Privacy Act, a bill that enhances the privacy rights of residents of California, it appears that the US has started to take the first steps towards regulating digital privacy, too.
According to Mitch, California’s privacy law model is likely to become the basis of all future US privacy laws – just like seatbelt laws and emission control laws were first put in place in the state that has the 5th largest economy in the world.
The US has its own complicated relationship with privacy, which has caused disputes between the government and big tech companies. For example, US law requires companies to hand over personal data to law enforcement (under specific circumstances, following a court order), and Apple is known to have refused the decryption of iPhones for the FBI on several occasions.
Are we consumers before citizens?
The adoption of new laws is a slow process because it takes time to adapt to today’s rapidly evolving technologies.
According to Mitch, we never thought of personal data as something that carries value – and we never realized that free services come with a lot of costs that are not acknowledged.
What he sees at the heart of this issue is that people tend to think of themselves first and foremost as consumers, and forget about the fact that they are also citizens with rights.
“As citizens, we have a right to privacy,” he says. If your privacy is compromised, “you’re losing your freedom of thought and your right not to be manipulated.”
As for how companies that don’t respect privacy laws should be treated, Mitch believes that the answer will be found in case law. In 10-15 years’ time, we will have had enough lawsuits to be able to decide how to deal with the misuse of private data.
The link between privacy and sustainability
Towards the end of the vidcast, Mitch talks about a very interesting aspect of privacy: its potential to promote sustainability.
As 5G and IoT devices become widespread, we will be able to use our personal data (well-protected, under regulation) to optimize many different processes, for example, delivery. We will be able to achieve a much more efficient economy by employing the strategic sharing of information to achieve certain common sustainability goals without losing control of our personal data.
Here’s Mitch’s final advice.
“Constructive doubt is the way to proceed for us as a society,” he says. “Are we going to be a part of the drama or are we going to stand on the sidelines? I would encourage you to be a part of the drama.”
To close out this article, we’d like to quote our CFO, Bjørn Stormorken, on the GDPR and the future of digital privacy:
“... Much more is needed. We need to look at radical concepts in order to dig ourselves out of the deep hole we, in fact, are in. We need to look at mandatory end-to-end encryption, prohibition of default sharing, mandatory provision of any service on a subscription basis where no information is collected and used at all, and last but not least, the prohibition of trading in sensitive personal data as a whole.”