The March 2019 Senate Judiciary Committee hearing on GDPR and CCPA. Photo: Alex Wong (Getty)
Is the world any more private today than it was a year ago?
Get out the streamers and balloons: May 25 is the one-year anniversary of the General Data Protection Regulation coming into effect, the day the world’s most important digital privacy legislation became law.
The law was hyped up to come in with a roar. It’s spent much of the last year in a whisper. The conversation, however, promises to get louder soon.
“We’re seeing mixed results so we’re having mixed feelings,” Estelle Masse, a senior policy analyst at the privacy advocacy organization Access Now, told Gizmodo. “We had a lot of expectations with GDPR. We think it has a lot of potential to strengthen data protection rights. But the first year has been quite slow.”
GDPR is the landmark regulatory regime designed to create and enforce digital privacy rights in an era where it feels like the internet — and the data-greedy businesses that profit on it — has long since outpaced the law. The main weapon GDPR wields is fines that could, in theory, reach up to 4 percent of a company’s total yearly revenue. Armed with the GDPR, national privacy regulators in Europe would finally have the capability to face down Silicon Valley’s tech giants.
That was the sales pitch. But of around 144,000 privacy complaints filed in the last year, very few have led to significant penalties.
“If you want to be more skeptical, the question is does all this activity actually deliver more privacy?” said Omer Tene, Vice President at the International Association of Privacy Professionals, an industry trade body. “Ostensibly the goal isn’t just to mobilize compliance and regulatory efforts, complaints, and notifications but to actually result in better privacy for individuals on the ground. I think the jury is still out on that. It’s not clear at year end that corporate data practices are different or have changed.”
The European privacy non-profit “NOYB filed complaints on the 25th of May, the very morning GDPR came in,” said Johnny Ryan, chief privacy officer for the browser Brave. “We’re still waiting for those complaints and the investigations that came out of them to produce results. This is a study in slow motion.”
Is the end result moving toward more and better privacy? The answer is muddled. Regulators and observers expect the next year to be considerably louder than the last. We may not have to wait long to find out.
One of the most important privacy regulators in the world is Ireland’s Data Commissioner, Helen Dixon. Most American tech giants have their European headquarters in Ireland for tax reasons and therefore Silicon Valley falls in many ways under Dixon’s jurisdiction.
Dixon’s office “currently has 50 large scale investigations running,” she told the U.S. Congress earlier this month, “which, as they conclude in the coming months, will serve to set the mark for what is expected of organizations under the principles of transparency, fairness, security, and accountability.”
The investigations are looking at American internet behemoths including Google, Facebook, WhatsApp, Instagram, Twitter, Apple, LinkedIn, and Quantcast.
Dixon predicted “substantial” fines will be enforced by this summer.
Earlier this week, Dixon’s office opened its first GDPR investigation against Google on the question of how Google and other ad tech companies handle personal tracking data from around the internet. The inquiry is looking at practices that are fundamental to the ad tech business. Google has denied any wrongdoing and says it is committed to complying with GDPR.
Let’s use our own website to illustrate the basic point:
When you go to Gizmodo dot com in your web browser, you might understandably but naively think you are actually only connecting to Gizmodo dot com. On the contrary, you’re instantly connecting to dozens of domains. In my last visit, I hit 50 different domains. It’s the same with almost every major website for one simple reason: The ubiquitous advertising technology industry. Another phrase that sums them up: Surveillance capitalists.
When you visit a website like ours — or virtually any website, really — a host of sensitive data about you is instantly broadcast to tens or hundreds of advertising companies that in turn send the data out to thousands of advertisers who can then bid on serving up their ad to the individual being targeted with, critics persuasively argue, none of the privacy protections GDPR says it will enforce.
The information ranges from details on your exact device, income, gender and age to what you read, your religion, sexual orientation, political leaning or health status. Your location, right down to the exact latitude and longitude, can be packaged right up alongside everything else. The next time you are seen — likely at the very next website you visit or app you use — your unique ID follows you, allowing the companies to build a long-term profile of everything you do.
For now, sites like ours and much of the advertising industry are in wait-and-see mode. Our site operates on the basis of consent and we, like most sites in our industry, are doing the best we can to stay firmly in line with GDPR. But there are a huge number of open questions that only European investigations, enforcement, and court decisions will ultimately answer in the coming years.
“Let’s just recall where the verb broadcast comes from,” said Johnny Ryan, the technologist who filed the privacy complaint against Google that led to the new investigation. “It’s an old word from before radio. A farmer has a bag of seeds, the guy sticks his hand in and then chucks them wildly in the air and hopes it bears fruit. That’s a bid request. There’s not an article in GDPR that this does not infringe.”
It took a full year of complaints to GDPR authorities to launch a full inquiry into the core of the ad business that underlies Google and much of the free web. That’s the pace at which we’re moving. And that’s just advertising technology. Europe’s regulators also plan to tackle technologies as broad as connected vehicles, video surveillance, artificial intelligence, blockchain, and connected assistants. It’s an ambitious and incredibly tall peak to climb. The biggest privacy optimists think the ascent will be slow.
The fundamental reasons behind the slow pace are myriad. Under-resourced regulators reorganized and reprioritized for showdowns with some of the wealthiest companies on the planet, a process that takes time, especially when coupled with an influx of thousands of complaints, data breach notifications and data protection officer registrations. The complaints themselves are technologically, legally and economically complex. The companies handling personal data are rarely voluntarily giving ground; they are appealing at every corner. Due process is glacial.
It’s been a year of build up. With only a few exceptions, the data protection enforcement authorities are now finally widely seen as in a position to act. In Ireland, France, Germany, Belgium, and a few other key European nations, the regulators are now expressing enthusiasm for enforcement. Enforcement of the law is what will ultimately make a fundamental difference.
GDPR has had some notable and immediate impacts. The global conversation around privacy has shifted. So have the laws. As a direct result of GDPR, countries including Japan and Brazil passed GDPR-inspired privacy laws. India is considering its own law. California’s new privacy law, which will go into effect in 2020, is a direct result of GDPR.
As a consequence of California’s action, there is now unending and unprecedented talk in Washington, D.C. about federal privacy legislation. If you want to talk about slow pacing, no one should expect legislation as big as this to be sorted out and passed for at least two years, when the 2020 presidential campaign is in the rearview mirror. Until then, Congress is effectively paralyzed.
The last year has seen a small handful of important GDPR enforcements, by far most notably a $57 million fine against Google from French regulators for burying privacy disclosures about the use of user data. That’s about 0.04 percent of annual revenue. The company is appealing the ruling.
“The idea that on May 26, 2018, you would have regulators bringing sudden billion dollar fines against American companies was never realistic,” Joe Jerome of the Center for Democracy and Technology said.
There have been hundreds of smaller fines from regulators around Europe but in most cases, they’ve been for a few thousand dollars and levied against smaller targets. Austrian regulators fined a retailer about $5,300 for surveillance of a public space without notice. Smaller companies also may have a harder time dealing with higher compliance costs while ultra-profitable Silicon Valley giants absorb the costs in stride.
It only takes a quick glance at the past few months in Silicon Valley to see the winds have shifted. Every major event, including Google’s I/O and Facebook’s F8, now centers privacy in a way that was previously unfathomable. After every new product announcement, the companies take a beat to talk about new privacy features and promises. Silicon Valley executives like Mark Zuckerberg, Sundar Pichai, and Tim Cook have called for GDPR-style legislation to come out of D.C. But a fair bit of the talk is overblown marketing-speak meant to appeal to changing public sentiment; the actual details and impact are often less impressive. And as a rule of thumb, American corporations love to call for regulations when they know there’s an army of lobbyists actively drawing up just the right loophole-filled plan.
“The slowness is the nature of the beast. The wheels of justice grind slowly,” said Tene. He expects this year to see the conclusion of major enforcement actions — after that, years of court battles and appeals are inevitable.
“Even when tech companies do get hit with billion dollar fines, it’s a tap on the wrist,” he said. “And I don’t know if it changes underlying business models. It’s not just the business model of a company, it’s the entire internet. The way the internet has been built and the reigning economic model isn’t with privacy top of mind. Changing that requires fundamental and painful adjustments to the way things have been structured.”
The last year has been dominated by attention-grabbing hypotheticals. The specter of potentially billions of dollars’ worth of fines looms large. Facebook faces what could be a $2 billion fine in Europe for poor password security and a potential $5 billion fine in the United States for privacy violations. Ireland’s anticipated “substantial” fines will hit companies that are all eligible for ten-figure fines — if that’s how the regulator lands. That would then be the start of years-long court battles.
Expect a bigger, louder and more impactful year for GDPR’s second go around the sun. But more importantly, expect a much longer, global saga that will last many more years before the fate of internet privacy — including everything private about you that’s now sent and sold globally in an instant — is decided.