One of the most talked-about pieces of legislation to have emerged in the EU since the turn of the millennium, the General Data Protection Regulation (GDPR) has now been in effect for more than two years.
Applying to EU-based businesses since 25 May 2018, the GDPR has sought to boost Member States’ data protection safeguards, provide individuals with stronger and additional rights in relation to their personal data – and ensure that those who handle that data are more accountable and responsible.
It also makes provisions for the transfer of personal data to third countries.
With all that in mind, the GDPR has been a significant discussion point – and, for that matter, action point – for large corporates with sprawling, international interests and strong connections to the global digital economy.
A month on from the GDPR’s second anniversary, the European Commission recognised the milestone with the publication of an official review of the legislation’s practical effects in the time since it has been active.
Here are some key highlights with particular resonance for large corporates:
“The need to ensure trust and the demand for the protection of personal data are certainly not limited to the EU,” says the report. “Individuals around the world increasingly value the privacy and security of their data.”
On that theme, the report cited a November 2019 survey from Cisco, which showed that privacy is an important factor influencing consumers’ purchasing decisions and online behaviour.
The report pointed out: “A growing number of companies have responded to this demand for privacy notably by voluntarily extending some of the rights and safeguards provided for in the GDPR to their non-EU based customers.
“Many businesses also promote respect for personal data as a competitive differentiator and a selling point on the global marketplace, by offering innovative products and services with novel privacy or data security solutions.”
Furthermore, says the report, the increased ability for private- and public-sector actors to collect and process data on a large scale “raises important and complex questions that increasingly place privacy at the centre of the public debate in different parts of the world”.
In the Commission’s view, the pandemic has provided a “vivid illustration” of the globalised nature of the privacy debate, both during the crisis and as the world seeks to emerge from it.
“In the EU,” the report says, “several Member States took emergency measures in an effort to protect public health. The GDPR is clear in that any restriction must respect the essence of… fundamental rights and freedoms, and be a necessary and proportionate measure in a democratic society to safeguard a public interest, such as public health.
“As containment measures are being phased out, decision-makers need to address the expectation of citizens that they are offered digital solutions which are trustworthy and which respect the rights to privacy and personal data protection.”
The report notes that, in many countries, built-in privacy protections – such as voluntary user signups, data minimisation and the exclusion of geolocation – have been essential for ensuring the reliability and social acceptance of data-driven solutions for tasks such as:
However, it points out, within the EU the GDPR’s data protection and privacy framework has proven sufficiently flexible to allow for the development of practical solutions – for example, tracing apps – while guaranteeing a high level of protection of personal data.
In that context, the Commission published guidance in April on data protection issues around apps supporting the fight against the pandemic.
Both before and since GDPR’s inception, the Commission has consistently stressed that Member States are obliged to allocate sufficient human, financial and technical resources to their national data protection authorities.
As a result, the report reveals, between 2016 and 2019 there was a 42% increase in staff and a 49% rise in budget for relevant national authorities as a whole across the EEA. The Irish, Luxembourgian, Dutch, Icelandic and Finnish authorities were the greatest beneficiaries of these rises.
However, it points out, as the largest Big Tech multinationals are established in Ireland and Luxembourg, those countries’ data protection bodies frequently act as lead authorities in important, cross-border cases. As such, it recommends, they may require larger resources than their populations would otherwise suggest.
In a news bulletin on the Commission’s report, Reuters explained that Ireland’s Data Protection Commission is currently pursuing several cases involving large corporates – for example, Facebook and its subsidiaries Instagram and WhatsApp, plus Twitter, Apple, LinkedIn, Verizon Media and US digital advertising firm Quantcast.
Given Ireland’s heavy caseload, the report argues, the resourcing scenario between Member States is “still uneven” and “not yet satisfactory overall”.
As such, it notes: “Data protection authorities play an essential role in ensuring that the GDPR is enforced at national level and that the cooperation and consistency mechanisms [work] effectively – including, in particular, the one-stop-shop mechanism for cross-border cases. Member States are therefore called upon to provide them with adequate resources as required by the GDPR.”
As GDPR was conceived in a technology-neutral way, on a foundation of principles, it is designed to cover new technologies as they develop and emerge.
According to the report: “Future challenges lie ahead in clarifying how to apply the proven principles to specific technologies such as artificial intelligence [AI], blockchain, Internet of Things or facial recognition, which require a monitoring on a continuous basis.”
In February, the Commission published its White Paper on Artificial Intelligence, opening up a public debate about which specific circumstances may justify AI’s use for remote, biometric identification purposes – for example, facial recognition – in public places, and on common safeguards.
In that respect, the report says, “data protection authorities should be ready to accompany technical design processes early on. Moreover, strong and effective enforcement of the GDPR vis-à-vis large digital platforms and integrated companies – including in areas such as online advertising and micro-targeting – is an essential element for protecting individuals.”
Significantly, GDPR’s progress helped to inform the Commission’s February publication A European Strategy for Data, which outlined how the EU intends to facilitate data flows for the benefit of digital trade.
Over the past two years, says the report, the EU “has developed specific provisions on data flows and data protection in trade agreements, which it systematically tables in its bilateral – most recently with Australia, New Zealand and the UK – and multilateral negotiations such as the current World Trade Organization e-commerce talks”.
It notes: “These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, while preserving the regulatory autonomy of the parties to protect the fundamental right to data protection.
“Synergies between trade and data protection instruments should thus be further explored to ensure free and safe international data flows that are essential for the business operations, competitiveness and growth of European companies… in the increasingly digitalised economy.”
GDPR’s safeguards have spurred countries in other regions to consider following suit with their own, similar packages of legislation. The report adds: “This is a truly global trend running from Chile to South Korea, from Brazil to Japan, from Kenya to India, and from California to Indonesia.
“The EU’s leadership on data protection shows it can act as a global standard-setter for the regulation of the digital economy, and has been welcomed by important voices of the international community.”
One such voice is United Nations secretary general António Guterres, who has recognised that GDPR has “set an example… inspiring similar measures elsewhere”, and “urge[d] the EU and its Member States to continue to lead to shape the digital age and to be at the forefront of technological innovation and regulation”.
On that final point, as the report emerged, Microsoft president Brad Smith hailed GDPR’s global impact in an online debate with Commission vice president Vera Jourova, the official who shepherded the legislation into existence.
“I do continue to see the trends from Brussels being the most influential in the world,” Smith said. “Even when you look at something like the Australian law last year [NB: Smith is referring to the Consumer Data Right, passed on 1 August 2019]… it was clearly influenced by a lot of thinking that had been taking place for a couple of years in Brussels.”
A mixed reception emanated from international privacy and security advocates Access Now, who went so far as to publish their own report on GDPR’s first two years.
In a statement, the organisation noted: “The GDPR faced one of the most aggressive lobbying efforts against a piece of legislation in the EU: the debate and negotiations lasted for nearly five years, and after more than 3,000 amendments were made, it emerged as a flagship law for protecting data in the digital era.”
Access Now pointed out that even after GDPR was adopted, “industry lobbying against it never really ceased, which is a contributing factor as to why [this] report by the European Commission has been so highly anticipated”.
However, it added, “enforcement of the GDPR has severely lagged… data protection authorities have been crippled by a lack of resources… and have been unable – or sometimes, unwilling – to enforce the GDPR adequately”.
Access Now therefore called upon the EU to “put its money where its mouth is and invest the resources necessary to realise the promise of the GDPR”.
A further critique emerged from global law firm DWF. In a 25 June statement, its global head of data protection and cybersecurity Stewart Room took issue with the report’s focus on narrative at the expense of numbers.
He commented: “While it is certainly the case that the GDPR [has] triggered a huge amount of compliance activity… and lots of news coverage, which helped to raise awareness levels of data protection rights, the lack of empirical evidence to support the Commission's claims stands out.”
A key problem, Room explained, is an absence of hard evidence on data protection performance levels under the previous legal regime, established under an EU Directive of 1995. As a result, there is no available benchmark to substantiate GDPR’s progress over the older system.
“In contrast,” he noted, “reports of personal data security breaches have not run dry; there are still structural problems in the AdTech environment and with the ceaseless progression of developments in technology – such as facial recognition and AI – there have to be doubts about the ability of the law and the regulatory system to keep up speed.”
Room added: “The GDPR is certainly a good and welcomed innovation. But perhaps we should divorce legislative intent from the realities on the ground, within which there remain serious problems with the resourcing levels of the regulatory offices compared to the work that needs to be done, and low levels of enforcement activity.”
Matt Packer is a freelance business, finance and leadership journalist