Is 2023 the Year When Data Privacy Enforcement Meets Expectations?
One of the most commonly levied criticisms against the EU’s 2016 GDPR has been the nature of its enforcement, which European lawmakers have repeatedly gone on record as saying needs to be more “vigorous.” Similarly, the first data privacy regulation in the United States, the California Consumer Privacy Act (CCPA)—which passed in 2018—seemingly lacks the reach necessary to keep companies compliant.
Both laws had a two-year grace period, with the GDPR coming into effect in 2018 and the CCPA in 2020, and impactful headlines around either were few and far between in their early years. However, the talk around enforcement has gradually shifted over the course of 2022, as several high-profile cases came into the spotlight.
In the United States, the CCPA took aim at the first official offender this summer, eventually settling with beauty brand Sephora to the tune of a $1.2 million fine over selling customer data and ignoring opt-out clauses. While the figure doesn’t jump off the page, setting a precedent that companies couldn’t blatantly disregard the regulation is enough to entrench it in global privacy programs.
The EU was even more active, and although Europe's regulatory and appeals process unfolds slowly, the fines released this year set the table for future enforcement. This is particularly true for the ongoing saga between GDPR regulators and Meta, which has time and time again found itself in the crosshairs for privacy violations.
Meta gets hit with new fines on a regular basis, with the most recent coming just a few weeks ago, a $275 million fine for a data-scraping breach. This fine fundamentally represents Meta’s refusal to adjust its product design to comply with regulations, as the breach occurred due to violations of Article 25 of the GDPR, the tenets of “Privacy by Design” and “Privacy by Default.”
The Irish Data Protection Commission (DPC), the EU’s lead privacy regulator tracking Meta, has been the primary body issuing fines to the tech giant over the past few years, but the battle over 2022 felt different. Meta no longer seems to have a clear path to litigating away or dragging out regulatory proceedings now that the company’s fines total billions of dollars and the European Data Protection Board (EDPB), one of the overarching governing bodies of the GDPR, has stepped in to oversee decisions against the company.
Investigative reporters have confirmed that the Irish subsidiary of Meta has placed aside 3 billion euros to cover GDPR fines during 2023, all but confirming that even the company knows the bill has finally come due.
The company has instead long positioned personalized ads as part of the user contract required to use Meta services, even though the practice was called out back in 2018 once the GDPR became law. European data privacy activist Max Schrems described the strategy and the years-long legal battle as “... not just unfair but clearly illegal. We are not aware of any other company that has tried to ignore the GDPR in such an arrogant way.”
Even companies trying to comply are having trouble unraveling the data knot their products have tied. After lengthy and extensive assessment by German data protection regulators, Microsoft’s cloud products are facing serious privacy concerns, which could jeopardize the viability of the company’s current European operations.
Data compliance is a delicate matter that requires product design, engineering, and corporate focus to align. This fact is what makes Twitter’s recently proposed foray into dishonest data practices so head-scratching.
In a bid to draw advertisers back to the platform in the aftermath of the unprecedented chaos of the early tenure of Elon Musk’s ownership, Twitter has unveiled preliminary plans to force users to consent to targeted ads and to allow the platform to sell their data to third parties. None of these proposals is in any way legal under the GDPR or under the CCPA and its 2023 overhaul, the California Privacy Rights Act.
For the data privacy world, that might actually end up being a good thing, as the business plan is so egregious in its disregard for user privacy rights that regulators will almost assuredly shut it down quickly if Twitter tries pushing it through. In an industry where violations have traditionally taken extended periods of time to punish, a quick victory would be a welcome sight.
Likewise, with the looming threat to Microsoft and the Meta fines positioned to be settled and paid out—both presumably prompting changes these companies will have to implement to their products and advertising practices—2023 is shaping up to be a crucial year for data privacy and protection. With the more comprehensive CPRA overtaking the CCPA and Virginia’s new data protection law becoming the fifth state-level regulation, there is even some momentum within the U.S.
Many within the industry, on both sides of the Atlantic, have repeated at the end of every year in recent memory that the coming year would be the year for data privacy, the year when the other shoe would finally drop and the ball would really get rolling. Well, 2023 may actually be that reality.
2022 has somewhat eased concerns over the lack of enforcement behind data regulations, but 2023 will serve as a benchmark year for how far enforcement can and will go. Either past criticisms will definitively be put to rest, or they will be allowed to fester as companies avoid consequences commensurate with the severity of their offenses.
While Big Tech has taken center stage in this battle, regulators are not fighting to discipline or even control them, but rather to create a level playing field for individuals to use the internet without companies commoditizing their very existence. For any spectators awaiting decisions on Meta, Microsoft, or Twitter’s violations, 2023 should make it abundantly clear that compliance is the only answer.