GDPR, four months on: is it working?

Enrique Dans
Sep 26, 2018

Yesterday marked four months since the General Data Protection Regulation (GDPR) came into force, offering a good time to reflect on the issue and to ask ourselves if it is working and if it is fit for the job.

The implementation of the GDPR did not go unnoticed: prey to what looked like a collective panic attack, thousands of companies began to fill our mailboxes with emails asking us to confirm that we really wanted to continue on their databases… messages that were in many cases violations of the GDPR, and databases that most of us had no idea about, because our data had been obtained through methodologies that violated the concept of informed consent: acquired by suppliers that crawled web pages, reused old lists or obtained it from all kinds of activities. The result was expected: most people did the logical thing and jettisoned the junk mail without even opening it, as well as asking to be removed from these databases. This is what the internet and e-mail should be: a communication tool, not a source of unwanted marketing. Although many old-fashioned marketing directors still haven’t grasped it, e-mail is not a means to achieve their ends: it is a tool designed to be useful. Sadly, in our logicless society, e-mail marketing should simply be prohibited, as should annoying and environmentally damaging offline activities such as mail shots and flyers of all kinds.

The second consequence of the GDPR has been a marked increase in complaints. In France, the CNIL has received 3,767 complaints since the entry into force of GDPR, compared to 2,294 received in the same period last year, a record year, and both the United Kingdom and Ireland show similar increases. We can only hope that a significant number of these complaints result in fines, otherwise word will get out that the GDPR is toothless.

The third effect of the GDPR, however, is more annoying and does not seem especially successful: a lot of publications on the web have incorporated pop-ups, banners or notifications of some kind that force users to accept their terms of use, in many cases under the threat of not being able to continue reading. The idea is to obtain the consent of the user for everything, a kind of “license to kill” that includes compiling page use statistics or monitoring your advertising, and in some cases, taking advantage to include you in a database to be sold to third parties. This is a clear violation of the concept of consent, a key element in the GDPR, which clearly states that consent can only be granted freely, specifically, and on an informed and unambiguous basis.

What kind of freedom do users have when, to all intents and purposes, we are being blackmailed with the threat of not being allowed access to certain information if we do not consent? Is it reasonable that somebody actively looking for certain information should have to spend time reading a relatively complex form that requires time to understand the different clauses, options and elements we are consenting to in an informed way? Such a pop-up should be very simple, very clear, unequivocal and, in addition, not condition access. A few sites allow us to simply close the pop-up or click on the “I do not accept” button, allowing us to continue reading. But in some cases, if we do not accept, we are redirected to another page or simply prevented from continuing, a practice that should be considered an infraction. It’s not for web sites to demand consent, and less so if the practices we’re consenting to are not specific.

This coercive message when we open a web site is becoming, in many cases, a permanent annoyance, reminiscent of the absurd and bothersome warning about cookies. Let’s be clear, these messages do not imply informed consent, and instead twist the spirit of the GDPR in an attempt to obtain this supposed consent through blackmail, something that, if not sufficiently clear in the wording of the legislation, should be. A concept as central as that of consent cannot be considered ambiguous in newly implemented regulations.

Four months after the GDPR came into law, my general impression is that, in general, it is working: I seem to be receiving less junk mail, more attention is paid to removal requests, and apart from the hassle of the forms on many web pages, things have improved. But that does not mean things can’t be improved, which will have to be dealt with quickly to avoid some bad practices becoming accepted. If the GDPR ends up being remembered as something that filled the web with useless messages it would turn out to have been a waste of time and a sadly missed opportunity.

(In Spanish, here)

Enrique Dans

Professor of Innovation at IE Business School and blogger (in English here and in Spanish at enriquedans.com)