Celebrating two years of GDPR: What has changed in global privacy?
A summary of how the GDPR changed the world and what's yet to come.
I’m sure it’s in your calendar already, but the 25th May 2020 marked the second birthday of the European Union’s General Data Protection Regulation (or GDPR for short).
If you’ve ever tried to read the GDPR you’ll concur that it is a very… VERY dry piece of text. But the meaning behind the words has proven to be explosive, not just in Europe, but for everyone in the world who works in any way with European consumer data. With June 2018 seeing headlines like “GDPR is outpacing Beyonce in Google Search”, no one can dispute that this regulation had a marked effect on the public consciousness. It defined our personal data as our own for the first time in history and holds companies accountable for the safety of the consumer data they hold, threatening anyone who breaches its clauses with fines of up to €20 million (or 4% of an organization’s annual turnover, whichever is greater).
But, despite being one of the most talked about data privacy regulations to this day, it isn’t the first - and it certainly isn’t the last - piece of legislation on earth brought about to protect consumer data.
In this article, because it’s the GDPR’s birthday, I’ll start with a shout-out to what this mammoth regulation has achieved in its first two years, as well as assessing what improvements it needs, based on lessons learned. I’ll then look back to the OG data privacy laws, Canada’s PIPEDA, Japan’s APPI and Australia’s 1988 Privacy Act to assess if these silver surfers still have what it takes to protect their citizens’ data. Finally, I’ll introduce the newbies, the regulations that have emerged out of the GDPR’s shadow, commenting on whether they live up to their big sibling’s reputation… or are even better?
I’ll conclude with a short summary of what I believe makes the perfect data privacy law, namely that it must be “consumer first”, aligning with Mine’s vision of “Dynamic Consent”. Laws must be built not just to protect people, but also to empower them to take back control of their own data with accessible information and tools, whenever they choose, because we should have the right to decide who holds our data.
Seeing as it’s your birthday… A shout-out to what the GDPR has achieved
Firstly, a quick “GDPR for dummies” summary. The GDPR, as told by WIRED, is “the world’s strongest set of data protection rules”. Its primary objectives are to limit how much organisations can do with consumers’ personal data and give people more power over which companies hold onto their data and what companies do with it.
The GDPR law applies to all EU organisations that collect, store, or otherwise process data belonging to any EU residents (not just citizens) as well as organisations outside of the EU that offer goods or services to EU residents, monitor their behaviour or process their personal data.
It has a number of rules that aim to satisfy the objectives I mentioned above. These include mandatory data breach notifications (breaches must be reported to supervisory authorities within 72 hours of companies becoming aware of them; they must also alert affected data subjects without undue delay), proving valid consent (a change of rules around how easy it is for consumers to give away their data, for example removing pre-ticked boxes from forms) and transparency and privacy notices (providing concise and easily accessible privacy notices when collecting data from consumers).
The penalties for disobeying the GDPR are intense, on paper at least. Infringement can result in fines of up to €20 million or 4% of annual global turnover - whichever is greater. So, let’s look at the numbers, what has the GDPR achieved in the last two years?
160,000 data breach notifications have been reported across the countries under the GDPR and, interestingly, the daily rate of breach notifications has been steadily increasing (suggesting that either data breaches are on the rise, people are getting more comfortable with the GDPR, or a bit of both). Specifically, the daily rate of breach notifications has increased by 12.6% from the first eight months of the GDPR until now.
And, the number you’ve all been waiting for: the GDPR has generated... €114 million in fines. This doesn’t include the €329 million in fines being pursued by the Information Commissioner’s Office (ICO) in the UK against organisations like Marriott and British Airways, which have experienced very high profile data breaches. Both of these companies’ GDPR fines have been deferred to the end of 2020 because of the Coronavirus pandemic. The highest GDPR fine to date was a €50 million penalty against Google by the French data protection regulator, which argued the social media giant had infringed the GDPR’s transparency principle and used consumers’ data without valid consent.
So, what does this all mean? Is the GDPR achieving its objectives? My view is that by-and-large the GDPR has done a fantastic job in raising awareness of the importance of personal data privacy and has triggered real change in how organisations globally treat consumer data. This is an amazing achievement. My criticism of the regulation, however, is that despite the fact that its aim is to give consumers power over their data, the entire onus is on organisations to change their ways. The GDPR is also incredibly complicated, so the average person would find it challenging to use it to their benefit without tools and advice that can make it more accessible and help them to really take ownership over their personal information. This concept of “dynamic consent”, which I’ll discuss at the end, is what has the power to truly shift data privacy into a new era where data ownership is the norm.
The OGs: PIPEDA, APPI and Australia’s 1988 Privacy Act
Despite all the buzz, the GDPR wasn’t the first regulation brought in to control how organisations use people’s personal data. The real OGs are Canada’s PIPEDA, Japan’s APPI and Australia’s Privacy Acts - but do any of them measure up to the GDPR?
Canada’s PIPEDA: Winning the award for longest acronym, the PIPEDA (Personal Information Protection and Electronic Documents Act) entered Canadian law on the 13th April, 2000. The very forward thinking nation brought in the regulation as it saw the nascent ecommerce landscape developing and wanted its citizens to be able to use these services without worrying about their information being misused.
Reviewed every five years so that it keeps up with the times, the PIPEDA is very similar to the GDPR, including having rules around purpose (services may collect only the data specifically required to complete a transaction) and accountability (similar to the GDPR’s requirement for all organisations to have a Data Protection Officer, Canadian companies must have an individual or team responsible for privacy policies). The one very big gap is that the PIPEDA has nothing like the GDPR’s landmark “Right to be Forgotten” rule, which gives consumers the right to demand that any service delete their personal data.
Japan’s APPI: The Act on the Protection of Personal Information (APPI) was born in Japan in 2003 and was one of Asia’s first data protection regulations. The law stayed the same for twelve years until 2015 when Japan experienced a series of massive data breaches, triggering it to give APPI a facelift. The amended APPI came into force in May 2017, applying to all business operators handling the personal data of Japanese residents. The vintage APPI only applied to organisations with over 5,000 “identifiable individuals” in their database on at least one day during the previous six month period, but this restriction has now been completely removed.
Like PIPEDA, the APPI is very similar to the GDPR, but does include a “Right to be Forgotten”-esque law. What it doesn’t have, however, is the requirement for mandatory data breach notifications. Japan’s independent Personal Information Protection Commission (PPC) will contact organisations only if it becomes aware of a data breach and will request the organisation rectify the violation. If requests are ignored, business operators can face fines of up to ¥500,000 (around $4,600) or a year of imprisonment.
Australia’s Privacy Acts: The most old school of them all, Australia’s current data privacy regulations stem from the Privacy Act of 1988, which has been built on by the Privacy Regulation of 2013 and the Privacy Amendment Act of 2017, the latter bolted on for security breach reporting. While the Acts in their current form are again quite similar to the GDPR, in line with Australian culture generally, they are quite a bit more chilled.
For example, if a company discovers they’ve experienced a breach, they have 30 days to assess the breach and report it to the Office of the Australian Information Commissioner (OAIC), in contrast to the GDPR’s much more stringent 72 hours. Also, Australian Government agencies, businesses and not-for-profits with a turnover of less than $3 million are not required to comply with the same laws as larger organisations. This is worrying because size doesn’t matter when it comes to becoming the victim of a data breach.
The newbies: the CCPA, India and the LGPD
So, the regulations that existed pre-GDPR are all similar but at the same time all lack measures that the stringent European regulation has. Can the same be said for the regulations that have cropped up globally, inspired by the GDPR? In this section I’m focusing on the California Consumer Privacy Act (CCPA), India’s Personal Data Protection Bill and Brazil’s LGPD to see if any of the students have become the master...
The CCPA from sunny California: The California Consumer Privacy Act (CCPA) is the first major US privacy legislation to be enforced post-GDPR, coming into play on the 1st January, 2020. While similar, the GDPR and CCPA have slightly different objectives. The GDPR aims to create a “privacy by design” framework for the EU while the CCPA is more about creating data transparency within California and giving consumers more rights over their data.
What this means is, unlike the GDPR, businesses don’t need prior consent from Californian users before processing their data or selling it to third parties, but Californians have the right to “opt out” of having their data used or sold after the fact. A big part of this is all businesses under the CCPA must have a clear, visible and accessible Do Not Sell My Personal Information button on their website. So, in contrast to the GDPR, the CCPA puts more onus on the consumer to exercise their rights over their data, although aside from things like the button described above, there have been little to no tools empowering them to do so.
Another big difference between the CCPA and GDPR is the associated fines. The CCPA’s fines are minuscule compared to the GDPR’s, with the maximum penalty being just $7,500 (which is also reserved only for intentional breaches of the regulation). Violations lacking intent are subject to a maximum fine of $2,500, which is a drop in the ocean for many organisations. However, the regulation does give consumers the right to bring lawsuits against companies who breach their “non-encrypted or non-redacted personal information”, empowering people to collect between $100 and $750. In a way this is a good approach because it works as an incentive for organisations to protect consumer data very carefully (considering that California has seen nearly 19 million records lost in attacks since 2005, that $750 per person can quickly add up) and teaches people about the value of their personal data.
India’s Personal Data Protection Bill: So this hasn’t actually been enforced yet, but India’s Personal Data Protection Bill, which will likely come into play in a year or two, is heavily based on the GDPR. The International Association of Privacy Professionals (IAPP) has put together a very in-depth side-by-side comparison of the two regulations and it’s clear to see that they are very similar. But there is one notable exception, which triggered The New York Times to write that “the bill would… move India closer to China...”. This is because, while the regulation would give Indian residents far more rights over their data, it doesn’t apply to the government, meaning that Indians will remain powerless over how the government uses their data.
Brazil’s LGPD: Brazil’s General Data Protection Law (LGPD) also hasn’t started yet, but is due to come into effect on the 16th August this year, so we don’t have as long to wait as for India’s Bill. Once again it is based heavily on the GDPR but fines are more lenient ($11 million or 2% of the Brazil-sourced income of the organisation).
The LGPD and GDPR are very similar, with one stand-out provision that they share being that both give consumers the power to request information about the entities with whom any organisation has shared their personal data. This means that when using a tool like Mine, which empowers people to take back ownership of their data from services they willingly handed it over to, they can also see and take control over their wider data footprint. This is super important because our data tends to be held by three times more services than the organisations we knowingly handed it over to, due to third party data sharing.
CONCLUSION: This is only the beginning. Privacy regulations are going to change the digital world as we know it.
As data regulations go, the GDPR should be pretty pleased with itself compared to its global counterparts. It is certainly one of the most stringent and is satisfying its objective of generating a new, privacy-first attitude towards consumer data.
All in all, it’s fantastic that countries all over the world are embracing data privacy and, while not the first, the GDPR has been a landmark regulation in pushing greater respect for consumers’ personal data. As I’ve shared above, however, the thing I feel is missing globally is that there aren’t enough tools out there to actually empower the average person to take advantage of the fantastic rights given to them by these laws. It is the duty of tech companies to create innovative new services which give consumers the power of “Dynamic Consent”, i.e. to let the user choose what data they want to share and what data they don’t want to share when using online services. As it stands, consumers around the world have rights that they either don’t know about or aren’t sure how to use. For example, imagine if an individual decided they wanted to reclaim all their data on their own - they’d have to remember all the services they’d ever given their data to, find those services’ DPOs’ emails and contact each one individually asking for their data back.
In light of this, we built Mine to give people the ability to take ownership over their personal data. This starts with Accessibility - understanding which companies are holding their data, what it means for them and what the risks are. It then gives them the Choice - to control their data without having to avoid exchanging it for the interesting services available on the web today (starting with the right to be forgotten, and in the future other privacy rights).
As data regulations continue to evolve all over the world, it would be fantastic to see governments create more accessible laws alongside the development of an ecosystem of services that empower consumers to take back control of their data.