Today, the GDPR celebrates its first anniversary. For an infant, it has accomplished a lot (though admittedly it began to exert its influence whilst it was in the womb, so to speak) – and its repercussions were significant to say the least. There were positive externalities as well – knowledge and discourse of data privacy has never been higher (and thankfully more searched than Kim Kardashian and Beyonce for a time), though some of these statistics reveal a little something more beyond their actual figures.
So what next? There can be some things to continue looking forward to – some distant, others resting on a hair’s breadth away from reality. The former relates to a harmony (or discord) between technological developments and the GDPR, as both regulation and technology are in their nascent stages and need time to “bed in” before they can be fully explored. The latter relates to forthcoming fines (looking at you, UK and Belgium) and further guidances (looking at you, EDPB) relating to technology and regulatory implementation.
But first – some thoughts.
Privacy Awareness in the EU and UK
EU awareness of data protection is on the rise (and very likely has never been higher). More than two-third of Europeans have heard of the regulation, and nearly 6 in 10 people know that there is a data protection authority in their country.
Oddly enough, less than half of Britain still hasn’t heard of the GDPR. I’m not even talking about any specific detail of the GDPR here (which only around 10% could identify in any case) or whether they have gotten some details mixed up about the GDPR (which again – ranges between 10% to 28% here) – I’m talking about the existence of the entire legislation that the EU has taken much pain and cost to raise awareness of. And the ICO, as the UK’s Data Protection Authority, very curiously hasn’t gotten round to drafting its own privacy notice yet, despite openly telling other organisations to do so (can they fine themselves for a fundamental infringement of a fundamental right?).
But maybe Brexit took up more UK mental bandwidth at that time. Maybe any discourse relating to the GDPR actually became swept up as part of the pro-Brexit sentiment. The GDPR is a tricky piece of EU legislation to comply with, no doubt, and I can see how further misinformation about it can stoke anti-EU sentiments; particularly sentiments relating to how the UK might be subject to arbitrary silly laws:
Yet, as far as I know Europe has pretty much implemented GDPR without too much fuss to the daily lives of its citizens (barring the German town that banned kids from writing letters to Santa and the consent email flood). The UK didn’t have to look that far to see how the GDPR might be wrecking any sort of havoc when their own conjoined sibling were being particularly odd about GDPR implementation: Irish schools were banning parents from taking pictures at communion and sports days “because of GDPR”, and the General Post Office ended up removing its rubbish bins because of GDPR concerns.
As far as Euroscepticism on data privacy is concerned, maybe the UK’s paranoia is unfounded. Maybe with that in mind, the UK can start reading more about the GDPR – and the ICO can finally get round to drafting its own privacy notice.
Unintended Effects Part 2
As an addendum to the previous post I made, the GDPR has shown a few more interesting effects.
Plague of Web Designers
When web designers come across a coveted domain name, they need to access the WHOIS platform to see who owns a website, and therefore who to negotiate with. Since the GDPR, all entries in the WHOIS database for domains owned by EU nationals or residents must legally omit any private information, thus making negotiating already-owned domains tricky, to say the least.
Opening the door for facial recognition and biometrics
According to this article, previous EU regulations largely prohibited facial recognition under almost any circumstances. Even as Facebook aggressively deployed its facial recognition algorithms across the world, Europe remained a facial recognition-free oasis. When Facebook announced the steps it was taking to comply with the GDPR, buried in the otherwise unremarkable summary of reorganized privacy options was this line:
Facebook has long noted that its facial recognition tools are not available in Canada and the EU due to their enhanced privacy protections that place far greater controls over the use of people’s biometric information compared to the US. It seems as though, through the use of consent, the door to EU biometric use has been opened – but being dependent on consent, this is quite possibly a tiny creak in the hinge, instead of the swing-wide-open view that the author seems to have.
Abuse of Access Rights
The GDPR bestowed individuals with certain rights, one of which was the right to access your own data. What was not intended was for other malicious actors to abuse that right by impersonating said individuals to get their data. Organisations that are lazy in verifying the access request will inadvertently give such data out – often they don’t attempt to verify a person beyond his address or date of birth. As a result, around 26% of organisations may give out your data to a complete stranger. This figure is very likely to rise in line with any additional effort a malicious actor spends on impersonating a person (no matter how basic) – for example, by exercising some basic photoshop skills on an identity card, doctoring the “From” and “Reply to” headers in emails, or simply making an email address that sounds like yours (i.e. email@example.com vs firstname.lastname@example.org – the latter has a zero for its “o”.).
No this is not a sphincter issue from Parliament but a positive unintended effect for a change. When large multinationals (advertising companies in particular) were complying with data protection legislation across the world, they quickly realised that having bespoke measures for each jurisdiction would be time consuming and expensive. An approach that they have ended up taking was to simply conform to themselves to the higher standard – in this case the GDPR – and apply it across all jurisdictions where they have a presence. This “Regulatory Leakage” has ended up benefitting data subjects in countries with a lower level of protection – and arguably, a counter to the multinationals who have largely been unfettered by governments so far.
So what next? As mentioned, there are updates that we can look forward to in the near future, and those in the distant future – though, as with the GDPR itself, surprises both in the timings of the developments and the developments itself are bound to, well, abound.
I’ve mentioned this in separate articles, but there will have to be some sort of understanding between the GDPR and Blockchain (and by extension other technologies like AI, etc) at some point in the near future. Potentially there might be a shift away from the vision of institutional control from the GDPR, towards a vision of further empowering data subjects to control their own digital footprint. We can also expect to see some attempts by larger corporations at creating “understandings” with the GDPR as well, depending on how successfully they campaign for GDPR guidelines and other privacy regulations to be drafted, guided and interpreted according to their guidelines.
The first GDPR fines to be imposed by the UK and Belgian DPAs should be coming soon. In the UK, the ICO sanctions by issuing a notice of intent first before carrying out the fine – as such the gun has been cocked and is waiting to fire. This gun won’t be firing blanks either – the ICO has already fined organisations for pre-GDPR offences and has issued 103 fines (as of January) for the failure to pay data protection fees, in addition to the enforcement actions it has already taken against Aggregate IQ and HMRC. And the Belgian DPA has already made it clear that the era of “sitting back and relaxing” is over – and so Belgium will be baking more than just waffles soon.
Additionally, the EDPB has made it clear that there will be forthcoming guidelines on connected vehicles, video surveillance etc as well as various opinions and reviews in its work programme – and as always, further guidance on the GDPR and emergent technology is always welcomed as the GDPR matures and grows.