GDPR has frustrated users and regulators




Mark Zuckerberg, Facebook's President and CEO, Dan Rose, Vice President, Partnerships at Facebook, and Sheryl Sandberg, Director of Operations, Facebook, attend the annual Allen & Company Sun Valley Conference on July 12, 2018, in Sun Valley, Idaho.

Drew Angerer | Getty Images

The EU's General Data Protection Regulation has been celebrated as a revolution in how privacy on the internet is legislated. It was a reaction to the EU's long-standing concerns about the collection of information by tech giants such as Facebook, Alphabet and Apple.

Known as GDPR, the regulation gave individuals new powers to control their data, including the right to require companies to tell them how their data is used and to ask businesses to destroy their data, a principle of the law known as "the right to be forgotten."

The law also imposed the world's toughest privacy penalties: up to 20 million euros, or 4% of the company's annual global turnover for the previous year, for the most egregious violations. For Facebook, such a fine could reach $1.6 billion.

But a year later, the GDPR has not yet realized its potential.

Among some consumers, the GDPR is perhaps best known as an embarrassing series of quick-start contextual privacy notices. The astronomical fines have not materialized. The law created new bureaucracies within companies and, with them, tensions and confusion. And it is unclear whether the EU data authority overseeing the law has the staff to handle its requests.

"Our privacy policy has changed"

"I am kind of a conscientious objector to the notification and consent model," said Laura Jehl, a partner in BakerHostetler's data protection and data privacy practice, referring to the general framework of the GDPR that led to the current omnipresence of "updated our privacy policy" notices.

"This discharges too much responsibility to the individual" to understand the notices and act accordingly.

The notices were designed as a starting point for users to understand how each of their applications and the websites they visit use their data. But they probably had the opposite effect, said Jehl. "If you have a job, children, hobbies or a life, you cannot do it while keeping track of it all. It would be a full-time job to protect your privacy in a notification and consent template."

Consumers often wonder how they can really take advantage of GDPR's privacy powers.

"I think this has given consumers a greater knowledge of the data collected about them and a greater ability to control that data," said Scott Pink, a special lawyer at the law firm O'Melveny & Myers, responsible for data protection and privacy. "But now, I think consumers still do not know exactly what they have to do."

"Consent fatigue" could be an unwanted side effect, said Odia Kagan, president of the GDPR compliance program at law firm Fox Rothschild.

"I think it's important that people understand what's going on in their data and not have a surprise reaction that someone has their information. When you have to click 329 toggles, this is also a problem because you do not want to do it. The current process is a process that we still need to work on to avoid the fatigue of consent."

Unimpressive fines so far

In January, Google was fined $57 million for using data for ad targeting, but the company opposes the fine. Facebook was fined approximately $645,000 for the Cambridge Analytica scandal, which involved the alleged fraudulent use of its customers' personal information for election research purposes as part of Donald Trump's presidential campaign.

"At first, a number of [EU] regulators said informally, 'We know you're not ready for the GDPR, and to be honest, we're not, either,'" Jehl said. This informal grace period is likely to end, she added.

"Enforcement is just beginning," Kagan said. "The higher fines are likely to involve very large companies with very complex structures. We have not seen them because they are not finished yet."

The authorities responsible for data protection also have other tools, which could even be more expensive than fines, Kagan said.

In some cases, European regulators can tell companies: "You have 90 days to rectify what you are doing wrong with the data, or after 90 days, you cannot use the data anymore." Sometimes even heavy fines will not make a company disappear, but losing the data will, if that data is at the heart of its activities.

A new bureaucracy, too

GDPR has introduced something new in many companies that deal with European customers: a data protection officer.

To comply with the GDPR rules, companies had to hire (or outsource) someone to run a data protection office. This is a delicate proposition for many companies, especially the larger ones, where this new role – and the resulting bureaucracy – often overlaps with existing executive functions, such as cybersecurity, confidentiality, legal risk, risk and audits, among others.

"They have a lot of special protections that regular [executives] do not have," explained Jehl. The duty of the data protection officer is to protect the data of the customers, even if this protection goes against other commercial objectives, which means that there are often different rules on how such an executive can be sanctioned or fired, she said.

This new role is a positive step in terms of "strengthening the importance of data management and privacy, as well as privacy professionals," Pink said.

"But there is still a certain tension between meeting these requirements and ensuring that the company can make a profit, but also ensuring that compliance expenses are properly funded, without being too expensive."

Overwhelming for regulators

The GDPR has implemented a new 72-hour reporting guideline, a much tighter reporting deadline than in other regulations. It apparently panicked so many companies that they overwhelmed, and completely swamped, the UK's data privacy regulator by September 2018.

"The British commission office has published an SOS that says, 'You make too many statements, we are drowning here,'" Jehl said.

The issue highlights another potential problem related to the GDPR: most EU regulatory agencies do not have the staff to deal with the legislation and its radical new demands. The total budget of the Irish Data Protection Commission, which oversees the implementation of the GDPR, was approximately $18 million for 2019, an increase of 30% over 2018.

"I always feel that, unless there is a very significant increase in the numbers, they will probably have to choose the enforcement actions they take," Kagan said.

European regulators have also been confronted with a massive influx of GDPR "rumors," or widespread panic spreading on social media, that misinterpret how the law applies to events in everyday life.

For example, a blog post recently published by the Irish Data Protection Commission addresses the absurd:

"Let's take the case where a school would like to take and post pictures on a sports day – schools could inform parents in advance that photos will be taken at this event and could provide children with stickers in different colors to indicate whether or not they can be photographed," suggested the Commission. The post then addresses the possibility of schools banning photographs at a high school musical, but suggests that this might be difficult to manage.

Kagan said, "Many things that are said about what the GDPR does are myths. There are tons of misconceptions."

As a result, regulators have had to spend a lot of time debunking myths, explaining the general language of the law and providing guidance. She predicts that they will eventually shift this time to investigating and enforcing the law.

"Ultimately, the GDPR is a matter of consent and is a very European approach to privacy," Kagan said. "This is not a mistake, it's a statement of values."
