The truth behind the dumbest GDPR myths, one year later

Europe's General Data Protection Regulation is a year old. Has anything really changed?

It was meant to change everything. This time one year ago, Europe's General Data Protection Regulation (GDPR) was just starting to be enforced and the sprawling piece of legislation was more popular than Beyoncé. Businesses were warned that the law would alter everything they did going forward.

In reality, GDPR has been a step change rather than a revolution, one that mostly exposed how badly the internet and some businesses were handling people's personal data. Now that GDPR has come of age, it is worth looking back on some of the predictions that failed to come to pass and at where there may actually have been some change.

The endless, multi-billion dollar fines

Ahead of GDPR's introduction there was plenty of doom-mongering about the upcoming avalanche of fines for data breaches and security incidents. One estimate predicted that fines under GDPR would be 79 times higher than those issued under the previous data protection regime. Another forecast said banks alone could be fined €4.7bn (£4.15bn) in the coming years.

This, unsurprisingly, hasn't happened. In the UK there hasn't been a single GDPR fine issued by the Information Commissioner's Office (ICO) over the last year. Data protection investigations are complex, lengthy affairs that take serious resources to complete. While the ICO has opened a number of cases looking into complaints, it has not yet issued a monetary penalty under GDPR.

The Irish Data Protection Commissioner, which ends up overseeing many of the big tech companies because their European headquarters are based in the country, is investigating both Google and Facebook for potential GDPR breaches. Data brokers are also among those being investigated under GDPR.

Fines made up such a huge proportion of the GDPR scaremongering because the law allows penalties of up to €20 million or four per cent of a firm's global annual turnover, whichever is higher. But nothing on this scale has happened yet, as the harshest punishments are reserved for the worst data breaches. One of the biggest, if not the biggest, GDPR fines so far came from French data protection officials, who hit Google with a £44m fine over its lack of transparency about how it collects personal data for advertising.

America won't care

The suggestion that Europe's data rules would widen the gap in regulatory approach between the US and the EU, the latter of which has issued huge anti-competition fines against Google, Facebook, Apple and more, hasn't come true. If anything, the introduction of GDPR has prompted some interest among US regulators and lawmakers in copying parts of the law to better protect the rights of US citizens.

In 2018, California passed the California Consumer Privacy Act. The legislation has been compared to GDPR as it is one of the US's most comprehensive data protection laws. Subsequently, Microsoft has called for a US-wide federal law that introduces practices similar to those that now exist in California.

"Strong federal privacy should not only empower consumers to control their data, it also should place accountability obligations on the companies that collect and use sensitive personal information," Julie Brill, Microsoft's deputy general counsel, wrote. "Now it is time for Congress to take inspiration from the rest of the world and enact federal legislation that extends the privacy protections in GDPR to citizens in the United States."

Companies would have to change everything they do

Ahead of GDPR it was suggested the law would change everything. Some analysis went as far as to say it would up-end entire industries. While this may have been the case in some limited circumstances, GDPR was never a completely radical overhaul of data protection law.

The hysteria around it was misplaced. The principles of GDPR were built on existing data protection law, and it added only a limited number of new rights and obligations. Many of the changes merely updated or strengthened what was already law. The removal of the £10 fee for processing Subject Access Requests, for example, was never going to result in a torrent of requests.

Ahead of the May 2018 deadline, the UK Information Commissioner suggested that, unlike the Millennium bug scare, there shouldn't be any panic: "It's an evolutionary process for organisations – May 25 is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018."

It's all about getting consent

Nobody can forget the emails. In the weeks and final days leading up to the enforcement of GDPR, almost every company people had ever given their email address to, whether through shopping, online accounts or mailing lists, wanted to get in touch.

They all had one message: do you want to keep hearing from us? The emails asked people to re-consent to receiving messages because GDPR would allegedly change the rules. In fact, GDPR wasn't necessarily to blame for all the emails that were being sent. The rules on electronic marketing in the UK come from another law: the Privacy and Electronic Communications Regulations (PECR).

In reality, GDPR was never really about getting people's consent. Consent is just one of the lawful bases on which an individual's information can be collected and used; the regulation also allows processing on grounds such as performing a contract, meeting a legal obligation or pursuing a legitimate interest. As the ICO said back in August 2017, consent is one route, "but it's not the only way."

"Headlines about consent often lack context or understanding about all the different lawful bases businesses and organisations will have for processing personal information under the GDPR," the ICO's blog post said. "Not only has this created confusion, it’s left no room to discuss the other lawful bases organisations can consider using under the new legislation."

This article was originally published by WIRED UK