It has been two years since the European Union’s General Data Protection Regulation (GDPR) was put into law on May 25, 2018. These regulations and rules have helped shape how companies manage and collect consumer data. The law is centered on protecting consumer data at the individual level, ensuring that companies acquire consent before collecting it. It reinforces trust by putting individuals back in control of their personal data and, at the same time, guarantees the free flow of personal data between EU Member States.
Since the GDPR was put into place, European privacy watchdogs and regulators have handed out a total of $163 million in fines. On July 8, 2019, a year after the GDPR went into effect, the UK’s Information Commissioner’s Office (ICO) released a notice of intent to fine its first big company, British Airways, $228 million after 500,000 users’ details were stolen. Shortly after releasing its statement of intent to fine British Airways, the ICO sent the same message to Marriott International Hotels with a $122 million fine after the company was breached and exposed around 339 million guest records.
These fines are still pending due to the outbreak of the COVID-19 pandemic, but according to InfoSecurity they are set to be enforced in the near future, in late August or September of 2020. According to Politico, just a couple of days ago Ireland announced it had finalized its privacy investigation into Twitter, with a final decision and possible fine expected in the coming weeks, and the Netherlands is still investigating Netflix. So the GDPR has clearly affected the way companies conduct business, not only in the EU but in the US as well. In June it will be the six-month anniversary of the California Consumer Privacy Act (CCPA).
Although there are many things to celebrate, many privacy experts and watchdogs demand stronger enforcement of this legislation because the major tech companies collecting massive troves of data have gone unscathed. The problem is that data privacy is a new and expansive field. Estelle Massé, the global data protection lead at Access Now, stated, “Crippled by a lack of resources, tight budgets, and administrative hurdles, Data Protection Authorities have not yet been able to enforce the GDPR adequately.” Politico highlights the frustrations: “Collectively, regulators’ budgets to police and enforce the rules now stand at almost €300 million, an amount far lower than what many officials would like.” It is understandable that the GDPR has not yet lived up to the highest expectations or standards, simply because the regulators have not been properly equipped to enforce it.
On the two-year anniversary of the GDPR, Věra Jourová, Vice-President for Values and Transparency, and Didier Reynders, Commissioner for Justice, issued an important statement regarding the GDPR and its future enforcement. They stated, “compliance is a dynamic process and does not happen overnight. The national data protection authorities, as the competent authorities to enforce data protection rules, have often not yet reached their full capacities.” There is more still to come as the EU member states and companies work out the best practices and applications for compliance. Despite the GDPR not living up to the expectations of some privacy experts, there are grounds for optimism that, with time, individuals and their data will be protected through stricter enforcement and consequences for those looking to make a quick buck off consumers’ data.