What is the GDPR?
It’s the General Data Protection Regulation (GDPR), enforced by the European Union as an EU-wide set of rules governing data privacy in the age of the internet. It came into effect in May last year. The GDPR took four years to debate and compose (mostly by privacy-conscious German lawyers) and consists of 99 articles and 173 explanatory comments, making it one of the most complex pieces of legislation ever produced by the EU.
Its stated purpose is to "protect all EU citizens from privacy and data breaches in an increasingly data-driven world".
How does it do that?
Principally by dramatically expanding the definition of what counts as data; by compelling organisations to secure consumers' explicit consent to various forms of communications and data storage; and by beefing up penalties for data breaches and non-compliance.
Until last year, EU citizens' rights over their personal data (everything from addresses and health records to credit data) were enshrined in a directive that hadn't been touched since 1995, when the internet was still in its infancy.
GDPR rightly expands the definition of data to include photos, posts on social networks, and IP addresses, which identify your computer when you access a website. Moreover, it covers virtually any organisation that collects data about EU citizens, anywhere in the world.
What must companies do?
Companies can no longer hide their requests for consent to store or use our data in endless terms and conditions and legalese, or use pre-ticked boxes.
Instead, people have to opt in.
Under GDPR, consent to allow our personal data to be used must be unambiguous, freely given, current, and for specific purposes.
Moreover, commercial organisations or other institutions that handle large amounts of personal data must appoint a data-protection officer and design their systems around the need for privacy.
What rights do consumers get?
Consumers, or ‘data subjects’, got several new rights.
They can access data held on them within a month, free of charge.
They have the "right to be forgotten" by making an organisation erase data, and the right to be notified within 72 hours if their data is compromised — and to get compensation more easily.
For organisations, the fines for non-compliance are much bigger under the GDPR: a maximum of €20 Million or 4% of turnover, whichever is the greater.
It is fair to say that the EU has handed a loaded gun to the national regulatory agencies whose job it is to enforce the rules.
What’s the scenario post-GDPR?
GDPR has greatly increased the number of data breaches reported to the authorities by companies and organisations.
Across the first nine months of GDPR, 206,000 cases were recorded, including 95,000 complaints and 65,000 data-security breach notifications.
That is a valuable trove of information about customers whose personal data has been compromised, and for regulators and technology designers trying to understand and mitigate the root causes of breaches. However, it's much less clear that GDPR has had much impact on corporate fines for mishandling personal data.
Across Europe, in the first nine months, national data-protection agencies in 11 countries levied €56 million in fines. That sounds impressive, but the vast bulk of that figure was a single €50m French levy on Google in January. Clearly, GDPR is a work in progress: so far the vast majority of firms are not being fined for failing to protect customers' data, and any fines levied have hardly been onerous.
Critics also say that the first year of operation has borne out their worst fears about the potentially damaging effects of GDPR.
What are the fears of a flawed GDPR?
The activists worry that GDPR is cumbersome, outrageously costly to comply with, and over time is likely to entrench existing oligopolies while discouraging new investment in potential future champions. This is a crucial point with regard to data primacy and data sovereignty.
In other words, it increases the power of the biggest players, such as Facebook and Google — who can easily afford the compliance costs and have used their market power to pass on some costs to others — while making life much harder for smaller players and new entrants.
For example, a study last November for the US thinktank the National Bureau of Economic Research reported a 17% fall in venture-capital funding rounds for tech firms in Europe after GDPR came into force, and a fall of almost 40% in the overall funds raised.
Meanwhile, in the UK, Google and Facebook's combined share of the online advertising market has risen over the past year to 64%, compared with 59% in the US.
Realistically, it's still very early days in terms of evidence gathering, and regulators promise that some more big fines are in the pipeline.
But for now, the jury is very much out.