GDPR One Year On: Expectation vs Reality
31 May 2019
In the lead-up to 25 May 2018, there was a huge sense that the General Data Protection Regulation (GDPR) was going to change everything. Businesses were going to have to wipe their entire customer databases out of fear they wouldn’t meet the high standards of opt-in consent (seriously, JD Wetherspoon did this), and we were convinced of the endless, multi-million euro fines the Information Commissioner’s Office (ICO) would hand out, even predicting that the new legislation would upend entire industries.
And yet, the doom and gloom turns out to have been overhyped. The reality is that the GDPR’s main effect has been to highlight what businesses are doing with our personal data and has given us more autonomy to decide whether we’re OK with it.
Now that the GDPR is officially one year old, here are some of the predictions that failed to materialise, as well as a look at what has changed.
Data Subject Access Requests (DSARS)
The GDPR granted individuals more rights in relation to their own personal data, including that to data portability. It also gave a lot of publicity to existing rights like erasure and access. Something about being able to make a business trawl through hundreds of files to extract the few pieces of information that relate to you, excited a lot of people.
Immediately after coming into force, we noticed a huge boost in these requests as people tried to clean up their e-footprint, but it’s calmed down significantly since.
One particularly interesting complaint brought by noyb—or, (my privacy is) none of your business, the brainchild of Max Schrems—has put online streaming services, including Amazon Prime, Netflix, Spotify and YouTube, to the test. In eight out of eight cases, noyb filed formal complaints when the internet giants failed to adequately respond to access requests on their use of automated systems.
The complaint was filed in January this year and will be one to watch.
Increased fines were the hot topic a year ago. Some estimates predicted fines under the new rules could be almost 80 times higher than previously. Perhaps unsurprisingly, that’s yet to happen.
In the UK, while the ICO has opened a number of enquiries, it hasn’t issued a single fine. Although this is probably more to do with the time it takes to investigate complaints and breaches rather than a lack of desire to issue fines.
It’s clear that the harshest fines are to be saved for the worst breaches. Google, for example, was hit with one of the biggest, if not the biggest fine so far by the French data protection authority. It had to fork out £44m due to a lack of transparency over the collection of people’s data for advertising.
Most recently, it was widely reported that the GDPR enabled Prince Harry to bring a case against the press for processing his data illegally after Splash News took aerial photos of his home. In fact, although the dispute was settled out of court, Splash could have made a strong case that it didn’t breach the GDPR. And in fact, there’s nothing to suggest that the GDPR offered any protection that didn’t already exist under the old law.
Another case of scaremongering perhaps.
Consent, consent, consent
Lastly, who can forget the emails. All the emails. Roughly 99% of which opened by asking whether you wanted to continue receiving them, as company marketing departments panicked that they would fall foul of consent laws.
In fact, the GDPR wasn’t really the bad guy, it just clarified the requirements of a different law: the Privacy and Electronic Communications Regulations (PECR) which has been in force since 2003.
Headlines about consent often lacked context. As the ICO commented: “Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation.”
So, one year on, what have we learned?
- People care about what businesses are doing with their personal data and understand their rights more than ever.
- Don’t believe everything you read in the media.
- Consent is not the only lawful basis in which to process personal data under the law.