
Happy birthday, GDPR. You're awful; you're great

Richi Jennings, Industry analyst and editor, RJAssociates

The General Data Protection Regulation is one year old this month. The data-protection and -privacy regs cover most of Europe—the EU, EEA, and much of EFTA.

But is it achieving what it set out to do? Or is it just expensive, unnecessary red tape?

One thing’s for sure: Many European data-protection regulators are doubling-down in Year Two. In this week’s Security Blogwatch, we click OK yet again.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: SyatiA nlevi.


GDPR redux

What’s the craic? Ben Lovejoy counts twice, to be sure—GDPR fines total €56M in first year:

The stats are in for the first year of GDPR, Europe’s gold-standard data privacy law. GDPR fines totalled [$65M], with more than 200,000 investigations, 64,000 of which were upheld. However, the fines were dominated by a single case.

€50M of the €56M total was a single fine against Google. France’s National Data Protection Commission (CNIL) found that the company failed to comply with its obligation to be transparent about the data it was collecting. [But] countries like Slovakia and Sweden … have yet to issue a single fine.

Some companies, including Apple and Microsoft, have already pledged to extend GDPR-standard privacy protections to their customers worldwide. However, there are growing calls for a US federal privacy law modelled after GDPR.

But one EU country dominates—as does one defendant. Aunty Beeb’s Matthew Wall explains How Ireland became Europe's data watchdog:

Most of the major US tech companies, including Facebook, Google, Microsoft, Twitter, Apple, LinkedIn, Airbnb and Dropbox, are registered for processing personal data in Ireland. … So the responsibility for policing their compliance with [GDPR] falls on the country's Data Protection Commission (DPC).

[The DPC] says it has launched 19 statutory investigations, 11 of which focus on Facebook. … Ireland's Data Protection Commissioner, Helen Dixon, is expected to circulate her decisions on some cases by July or August, with final rulings made by the end of the year.

An office of 27 staff has had to be beefed up to more than 130. [It] expects the number to rise eventually to more than 200 over the next year or so.

A Facebook spokesperson said: "We spent more than 18 months working to ensure we comply with the GDPR. … We are in close contact with the [DPC] to ensure we are answering any questions they may have."

Hungry for more emerald-isle stats? The DPC’s Graham Doyle—reflects on the first year of the GDPR:

GDPR, which applied from 25 May 2018, has marked the start of a new era in data protection standards in the EU and significantly strengthens the rights of individuals as well as increases the obligations on organisations. … GDPR has given rise to a significant increase in contacts with the DPC over the past 12 months:
  • 6,624 complaints were received.
  • 5,818 valid data security breaches were notified.
  • Over 48,000 contacts were received through the DPC’s Information and Assessment Unit.
  • 54 investigations were opened – 35 of these are non-cross-border investigations and 19 are cross-border investigations. …
  • 1,206 Data Protection Officer notifications were received.

But Alec Stapp warns of Costs and Unintended Consequences:

Compliance costs have been astronomical; individual “data rights” have led to unintended consequences; “privacy protection” seems to have undermined market competition; and there have been large unseen … costs in foregone startup investment.

Unintended consequences: If your account gets hacked, the hacker can use the right of access to get all of your data. The right to be forgotten is in conflict with the public’s right to know a bad actor’s history. … The right to data portability creates another attack vector for hackers to exploit. And the right to opt-out of data collection creates a free-rider problem where users who opt-in subsidize the privacy of those who opt-out.

However, here’s an alternative viewpoint, from Bart:

What a load of baloney. If your account is compromised your data is compromised. Don’t blame GDPR for that.

Besides, GDPR is there to protect the consumer, not to help businesses. Nice try Big Ad.

Mind you, “help businesses” is exactly what Mark Scott, Laurens Cerulus, and Steven Overly say it’s doing—[GDPR] was supposed to help citizens. Instead, it’s helped Big Tech.:

Big fines and sweeping enforcement actions have been largely absent, as under-resourced European regulators struggle to define their mission. … New forms of data collection, including Facebook’s reintroduction of its facial recognition technology … and Google’s efforts to harvest information … have been given new leases on life under … GDPR.

Smaller firms … have suffered from the relatively high compliance costs and the perception, at least among some investors, that they can’t compete with Silicon Valley’s biggest names. … It was not supposed to be this way.

With negotiations in Washington stalled, particularly ahead of the U.S. presidential election in 2020, attention has shifted toward U.S. states, many of which are mulling wide-ranging privacy legislation that often mirrors sections of Europe's rules.

What of the US firms that exited Europe? Brent Ozar explains why he pulled out:

We stopped selling to the EU. [It] only represented 5% of our revenue, and for that small of revenue, I wasn't prepared to risk the GDPR's fines if any one of the third party tools we use had a problem.

During our GDPR prep with our attorneys, it was completely clear that the third party app ecosystem was in no way ready for GDPR enforcement actions. For example … if I had to face EU officials, I could never say with a straight face, "Oh yes, I was completely confident in WordPress's abilities to keep customer data secure."

However, this is just the life of a small bootstrapped business: Sometimes, you gotta make choices to focus on your best customers. … I only have so many hours in the day. If I have the choice between doing regulatory paperwork for 5% of my customers, versus adding more value for 95% of my customers, I gotta make the obvious choice.

And here’s lm28469, with a perspective:

We need regulations because people will go as far as they can to make more money. Businesses were upset when their country banned child labor.

Same when weekends, vacations, reasonable work weeks were introduced. What about safety requirements, food quality inspections, &c? Self regulating markets are a myth, just look at the US insurance and health industries.

Meanwhile, Aaron Gray—@agray—is slightly sweary:

This is a case of the market ****ing itself. If companies behaved ethically with personal data, the regs would never have come to pass.

Speaking as a product manager at an impacted company, I believe the regs are needed. The fact that some people are making less money? ¯\_(ツ)_/¯

The moral of the story?

European regulators are only warming up. Year Two of GDPR promises to be “interesting.” So get serious.


And finally

Stayin Alive but beats 2 and 4 are swapped
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Kevin Doncaster (cc:by)
