What is GDPR?
The General Data Protection Regulation, more commonly known as “GDPR”, is a regulation in European Union law that has been in force since the 25th of May, 2018. It aims to increase data protection for EU citizens and individuals within the European Economic Area, and to simplify international regulations by unifying the European system.
Although the new requirements imposed on data-collecting companies were established to encourage transparency, with various obligations regulating information, access and communication with the data subject (Stibbe), the changes will take time and resources to implement.
These challenges are the core study of this article.
Impact on Actors
1. Users or Data subjects
Most users or data subjects might not see any difference before and after the Regulation came into force. The more alert ones, however, will have noticed websites resubmitting their Terms and Conditions. The changes are not evident when browsing the Internet, with the notable exception that one might see fewer targeted ads, as companies are no longer authorized to display them without one’s clear consent.
In the interest of complete transparency, data subjects can now request their personal data and ask for its complete deletion. Also, if they believe their personal data is being misused, they can request an investigation. Last but not least, one’s personal data can be transferred from one service or company to another, meaning European data subjects can, for instance, switch from one bank to another.
a) Tech and Data Businesses
As data subjects have more power than ever, the Regulation ‘could have a seismic effect on the data industry’, according to The Guardian author Alex Hern. Indeed, many companies rely on the acquisition and sale of consumer data. Most, if not all, consumer data is traded globally without clear customer consent. Deprived of this power, companies have to adapt and include the data subject in the equation. Such a drastic change was widely unexpected, and most companies are unprepared (see Implementation).
Although every company related to the European Union in one way or another is impacted by GDPR, the ones bearing the highest costs are tech and data businesses. New York Times author Adam Satariano suggests ‘online advertising in Europe could become broader, returning to styles more akin to magazines and television, where marketers have a less detailed sense of the audience’.
b) Tech Titans (GAFA, NATU, BATX)
Tech Titans, more often defined as GAFA for Google, Apple, Facebook, and Amazon, are the first in line concerning the Regulation. As a matter of fact, they are the ones in control of the whole data market, accounting for $42 billion in 2018.
As detailed in The Norwegian Consumer Council’s report, GAFA companies (especially Facebook and Google, taken as the study objects in this report) base their business model on data collection. To optimize it, they use unethical practices such as setting defaults to the least privacy-friendly choice or imposing ‘take it or leave it’ choices. As explained, ‘rather than making decisions based on rationality, individuals have a tendency to be influenced by a variety of cognitive biases, often without being aware of it’, and GAFA companies, being aware of these biases, have no remorse in exploiting them, leaving users unaware of what they are agreeing to.
Although they have much to lose from the Regulation, GAFA companies’ response to GDPR was globally not hostile. As told in The Guardian’s article, ‘GDPR applies only to the EU, but given the scale of the market, many companies are deciding it is easier — not to mention a public relations win — to apply its terms globally.’ Among others, to comply with GDPR, Facebook launched a set of new tools, and Google changed ‘the default for data retention, meaning that if you don’t take action, certain data older than the cutoff will be automatically deleted’, as explained in a Moz article.
Whilst European users have seen their Terms and Conditions updated and regained part of the power to control their personal data, non-European users remain largely under the influence of GAFA and other tech giants. Concerning Facebook’s case, New York Times author Natasha Singer writes, ‘if Facebook wants to offer European-level privacy protection to all, it would also need to provide its users with the data that Facebook itself collected or created about them, including any categories, descriptions or behaviour scores Facebook assigned to them, European privacy experts said.’ According to a Politico article, ‘Facebook has altered its legal language so that people from across Asia, Latin America and Africa would no longer fall under the jurisdiction of Ireland’s privacy watchdog’, making GDPR-compliant conditions applicable to European users only.
According to the GDPR articles 83(4), 83(5), and 83(6), fines can get up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year. Concretely, a company like Facebook could end up paying up to $1.6 billion, if they remain non-compliant.
Implementation
The GDPR implementation process requires several steps, detailed in the IAPP-EY Annual Governance Report 2018 released on the 2nd of November, 2018. In this part, recent statistics are highlighted in order to comprehend the true challenges the Regulation faces in its implementation. The Regulation applies not only to EU-based businesses, but to all businesses interacting directly or indirectly with the European market, according to GDPR article 3.
1. Current statistics
The IAPP-EY Annual Governance Report 2018 was released on the 2nd of November, 2018, giving the public a more precise view of GDPR’s evolution. The following numbers are the official ones from the report, giving further insight into the problem of GDPR implementation.
GDPR is the first strict statement of law ensuring personal data protection since the EU’s Data Protection Directive of 1995. It is the first one to be enforced in the age of the Internet and social media.
Since no strict regulations had been established prior to it, online businesses, especially those basing their model on data management, took liberties that were not necessarily in favour of individuals’ personal data protection. In fact, most businesses may be burdened by the Regulation’s requirements, since they ‘may not previously have had tools for collating all the data they hold on an individual’, according to The Guardian’s article.
As a result, less than half of the firms consider themselves fully compliant or close to it, and only 25% expect to be ready by the end of 2018.
2. Member States
According to the IAPP’s table, most European countries have incorporated the Regulation into their own national law. The first country to adopt it was Germany, followed by Austria.
Member states are obliged to apply the Regulation as it is considered ‘a superior rule of law’, as explained in Deloitte’s article: ‘If a national law is not in line with the GDPR the country violates its obligation of loyalty in Art. 4 EUV, which may lead to an infringement procedure against this country.’ This explains the standardization of laws related to data and privacy.
As pointed out in The Guardian’s article, ‘regulators will be able to work in concert across the EU for the first time’, unifying the European Union more than ever. With an objective of law application, data protection commissioners, such as Helen Dixon in Ireland, are ready to oppose Tech Giants in their unethical practices.
a) Germany
In response to the GDPR, Germany published a new Bundesdatenschutzgesetz (BDSG) during the summer of 2018. As GDPR acts as a superior law, Germany had to review several aspects of its law regarding data and privacy online. These modifications include:
- the designation of a DPO ‘if at least 10 persons are regularly engaged in the processing of personal data as a whole or in parts by automated means’, ‘if they undertake processing that is subject to a data protection impact assessment pursuant to Art. 35 GDPR or if they commercially process personal data for the purpose of transfer or anonymous transfer or for purposes of market or opinion research’
- data processing in the context of employment, making the vetting of employees much stricter and the use of employee personal data much more regulated
- data processing in the context of video surveillance, making the controller’s name accessible faster
- data processing in the context of profiling, enabling data subjects to choose whether or not they want to share their personal data and for which purposes
- the use of credit checks, where the score cannot be solely determined by address data
- criminal law provisions to prevent law infringements
b) United Kingdom
As the United Kingdom voted for Brexit in 2016, does the Regulation apply to them too? As explained on gdpr.associates, ‘The General Data Protection Regulation applies to all companies based in the EU and those with EU citizens as customers. It has an extraterritorial effect, so non-EU countries are also affected. Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR.’ Regardless of whether or not the UK belongs to the EU, it still has its obligations towards the EU as an external country (just like the United States or Australia), the Regulation being extraterritorial.
Elizabeth Denham, the UK Information Commissioner, positions herself in favour of GDPR-implementation through encouragement and reward of businesses ready to comply with the Regulation: Denham says there is “no intention” for overhauling how her office hands out fines and regulates data protection across the UK. She adds that the ICO prefers to work with organisations to improve their practices and sometimes a “stern letter” can be enough for this to happen.
The UK modified their official document from 1998 on the 23rd of May, 2018, setting the legal age for consent at 13 years old instead of 16, and ‘exemptions from certain rights and obligations set out in the GDPR when it comes to certain criminal and immigration matters’, according to Inside Privacy.
3. Foreign States
As repeatedly stated, and contrary to some false beliefs, GDPR does not only concern Member States. In fact, every corporation worldwide in relation with the European Union or European citizens must apply the Regulation or face the sanctions previously described.
According to the IAPP 2018 report, the privacy professionals most concerned are located in the United States. As facing the Regulation can appear challenging for some companies, a compelling choice has to be made: either comply with GDPR or withdraw from the European market. In this section, foreign states’ reactions are studied.
a) United States
GDPR is the first wide and concrete action taken for personal data privacy across a large and influential market. The United States and Europe traded, in 2016, nearly $1.1 trillion, according to the USTR website, making the U.S. one of the first countries concerned by the Regulation passed in May, 2018. Following the Regulation, the United States started a conversation relative to data privacy at the core of the country, a conversation that would not have happened otherwise, according to Will Hurd, chairman of the Information Technology Subcommittee of the House Committee.
Although the federal government did not take any concrete legislative action, the Californian government decided otherwise. Thus, according to The Register, California passed its own strict privacy standards, with plans to put them into effect in January 2020. This legislation provides data subjects with the right to access the data companies hold about them, and to ‘request that it be deleted and not sold to third parties’.
This rush in passing such legislation can be explained by the presence of the Silicon Valley in the State, making the local population more aware and worried about data privacy.
b) China
China is the second largest trading partner of the European Union after the United States. Regarding privacy policies and legislation, the Chinese data protection regime released in 2017 shows more compatibility with the GDPR than U.S. undertakings.
The Chinese conversation regarding data privacy was thoroughly discussed prior to GDPR, and has been more strictly implemented since the Regulation was launched, linking China and the European Union, and resulting in an economic marginalisation of the United States.
Throughout this article the reader can comprehend the challenges relative to GDPR implementation. In this section, solutions to ease the process will be discussed.
1. International Agreements
a) APEC Privacy Framework and Cross-Border Privacy Rules (CBPR)
Countries trading with the European Union are obliged to comply with the Regulation (at least for their European market). However, most countries have national laws that are incompatible with the GDPR unless modified. In order to pursue international business, foreign states, such as the United States, seek agreements with the European Union. Keeping the case of the U.S., the Privacy Shield agreement was signed, enabling the two parties to follow through on their collaboration. The CBPR agreement is crucial for economic growth and information flow.
This system relies on participating businesses, since they are at the core of the framework. As explained in IAPP’s article, CBPR does not require participating countries to modify their domestic law, contrary to GDPR.
b) Adequacy of the protection of personal data in non-EU countries
As stated in GDPR article 45, the European Commission can decide on the basis of described elements, whether a third country or an international organization can benefit from an adequacy decision. In other words, if a third country or international organization is able to provide an adequate level of protection, it can be whitelisted by the European Commission, enabling data transfers without further notice.
According to the European Commission website, 12 countries or corporations have been recognized as such, including Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework).
2. New businesses
As explained in the IAPP-EY Annual Governance Report 2018, ‘In this fourth iteration of the IAPP-EY Privacy Governance Report, we see a significant increase in the number of privacy professionals working full time in dedicated privacy programs — the global mean number of employees working full time in privacy programs has climbed over last year from 6.8 to 10 full-time privacy employees.’ In fact, it was estimated that big British firms spent a combined $1.1 billion preparing for GDPR, and big U.S. firms $7.8 billion, as detailed in Forbes’ article.
As seen in the previous statistics, firms (especially large and mature ones) are working towards compliance by hiring, investing in training, technology, and privacy staff and budget. Increasingly, companies are searching for B2B services enabling them to comply with the new regulations in place. Markets and Markets expects ‘the GDPR services market to grow from USD 907.4 million in 2018 to USD 2,659.4 million by 2023, at a Compound Annual Growth Rate (CAGR) of 24.0% during the forecast period.’
This incredible market opportunity opens the way to the emergence of new businesses solely providing a GDPR-compliance service. For instance, Maureen Data Systems is an American-based company providing services for GDPR compliance. An equivalent in the UK would be Oosha.
The Future of GDPR
a) Unfairness towards small businesses
Whilst GDPR intends to enable data subjects to regain control over their data and privacy, it also triggers a colossal shift in the current online market. Indeed, data is presently the most traded product for firms online. Adding obstacles to that trade will therefore, and obviously, cause important changes. Even though it is fair to apply it to all businesses, the ones who adapt best will necessarily be the ones with the most resources. In other words, small businesses might end up falling behind in the race towards compliance.
b) How can free services be ‘paid’ for?
“If you are not paying for it, you are the product being sold.” This famous quote actually reflects the very functioning of today’s society (in fact, even when paid for, ‘we’ are still sold). It is true though: if all of the services everyone can access for free (social networks, Internet…) by simply giving out personal data have no power whatsoever over that data, how can they be paid for? Most importantly, who would be ready to pay a monthly fee to access Facebook or merely Google search?
2. The Blockchain Opportunity
While businesses are working to become GDPR compliant, the European Union Parliament adopted a resolution underlining that blockchain technology can provide solutions for the ‘data protection by design’ provisions in GDPR implementation, on the basis of their common principles of ensuring secured and self-governed data. This call for action on blockchain adoption in trade provides the basis for a long-term solution involving blockchain technology.
The blockchain market accounted for USD 339.5 million in 2017, and is expected to grow to USD 2.3 billion by 2021, according to Statista. The GDPR market opening, combined with the enormous growth of the blockchain technology market, can provide businesses and individuals with remarkable opportunities.
Many wrongly believe that blockchain pseudonymization will counter the European regulation. However, blockchain is a tool, not an actor. The core of blockchain lies in the very fact that each piece of information enrolled on the blockchain is unique and unchangeable. As summarized in Forbes’ article, ‘the reason for the GDPR coming into existence was a loss of trust in major corporations when it came to accessing individuals data, and with the blockchain, its decentralized nature totally removes control of such data anyway.’
Regarding GDPR, blockchain has the potential to support it, as individuals will be in direct contact with all the services they need access to. Ultimately, and thanks to blockchain, individuals could regain full control over their data, and deliver it only to the people and businesses they choose, resulting in greater and more meaningful customer engagement.
If you would like to find out more about Varanida mission and vision, please make sure to download our Prototype and follow our journey.