The European GDPR has done a lot in the early days

The European General Data Protection Regulation, which celebrates its first birthday on Saturday, has brought a lot to children.

The RGPD has changed the rules applicable to companies that collect, store or process information on EU residents, requiring greater transparency regarding the data they have and with whom they share it. The law is hailed as the global standard for the protection of privacy in the digital age, in which data is a valuable commodity.

The GDPR came into effect a few months after the announcement of the announcement that political analyst firm Cambridge Analytica would have entered personal data on 87 million Facebook users without their permission. The timing highlighted the need for the RGPD and the fact that it was late.

The law forced Facebook and its Silicon Valley neighbors to radically change their privacy and data processing policies, including asking users to agree to new terms and opening pop-ups to inform them of any changes. Importantly, he introduced special protections for teens. Until now, only one American company, Google, has been sentenced to a major fine.

For large US companies, the real effects of GDPR remain to come. The EU's decision to update its privacy regulations has prompted other countries around the world, including the homeland of Silicon Valley, to consider doing the same. And as it has been so little used in its first year of existence, technology companies, big or small, still have not felt the force of regulation.

Complaints and fines up to now

According to EU figures, citizens, privacy organizations and other organizations have filed 144,376 GDPR complaints since the entry into force of the regulation. (Complaints may be filed by anyone who feels that their privacy has been affected.) The companies reported 89,271 data breaches, which they are required to report within 72 hours of discovery.

The fines were, however, much smaller than expected. Under the GDPR, companies may be fined 20 million euros ($ 22.4 million), or 4% of their total annual global turnover for the previous fiscal year, whichever is greater. high.

In January, Google had already obtained the single sanction of the GDPR when the French authorities fined the technology giant 50 million euros for failing to properly disclose to users how their data was collected and used for targeted advertising. Google is still facing an open probe, announced this week by the Irish Data Protection Commission (DPC).

"We will fully participate in the DPC survey and look forward to being able to clarify European data protection rules for real-time offers calls," said a spokesman for Google in a communicated. "Authorized buyers using our systems are subject to strict policies and standards."

The authorities responsible for data protection in Portugal (400,000 euros against a hospital), in Poland (220,000 euros against a data processing processor having scratched the Internet) and in Germany (20,000 euros on a chat application intended for children) have also been subject to notable fines. There is currently no record of the total number of fines imposed.

The storm is coming

Marc Dautlich, a partner at law firm Bristows, said the slow start made sense, as data protection authorities needed to learn how to exercise their new powers.

The authorities are fighting against "the official interpretation" of the new law, he said. This involved consulting, as well as law firms and privacy organizations.

With the increase in the number of complaints to investigate – the Irish DPC has seen the number of complaints more than double since the introduction of the RGPD – it has become necessary to hire more staff.

Faster fines would also pose a problem for the data protection authorities. Armed with huge teams of lawyers, tech giants will tackle anything they find unfair, as they did against EU antitrust decisions. And the authorities need to strengthen their workforce because of the increase in the number of complaints.

Mr. Dautlich said the watchdogs would give priority to complaints about AI, facial recognition, data profiling and ad personalization. This will affect Silicon Valley, as most of these technologies are not developed here in Europe.

Ireland has a list of ongoing investigations on technology names to find out if they are complying with the RGP. Targets include Twitter, Apple and Facebook (as well as Facebook's Instagram and WhatsApp services). None of the companies was willing to comment on the ongoing investigations.

It might seem that it is in the interest of the EU to ensure, in the early days, a multitude of high-profile fines aimed at ensuring that high-tech companies from all over the world. Europe and the world continue to take seriously the respect of the rules. But even the European Commission is more concerned about how than when.

"Compliance is a dynamic process and does not happen overnight," said Věra Jourová, European Commissioner for Justice, and Andrus Ansip, vice president of the EU's Digital Single Market, in a statement spouse this week. "Our key priority for the coming months is to ensure appropriate and fair implementation in the Member States."

Large technology companies are also waiting for more details on the implementation of the regulations. "As lawmakers adopt new privacy rules, I hope they can help answer some of the issues left unresolved by the GDPR," said the CEO. Facebook, Mark Zuckerberg, in a blog post in March. "We need clear rules about when information can be used to serve the public interest and how it should apply to new technologies such as artificial intelligence."

The international implications of GDPR

Perhaps the biggest success of the GDPR so far has been the fact that it has launched a global conversation about privacy. In a speech delivered this week, Mr. Jourová welcomed the imitation demands of the RGPD as proof of its success.

"Last year, we heard complaints and criticism, and today we hear calls around the world for comprehensive data protection rules similar to the GDPR," he said. she said.

International efforts by countries such as Brazil, South Korea, Japan, and India to establish confidentiality rules similar to those of the RGPP follow. Meanwhile, in the United States and in the heart of Silicon Valley, lawmakers are preparing to enact the California Consumer Privacy Act.

Increasingly, Facebook, Apple and other tech giants have called for regulation in the vein of the GDPR and are committed to supporting privacy protection in the United States. Microsoft has helped business users to comply with the GDPR and wants to proactively contribute to the development of US privacy regulations. We are calling for legislation that puts a burden on technology companies.

However, even if technology companies have their own ideas about what they hope to look like, it will ultimately be up to decision makers to decide.

The United States will no doubt be interested in the way in which EU regulation is implemented across borders between European countries. The United States will face similar problems in harmonizing federal and state laws.

And there seems to be little doubt about it: US regulation is coming.

"One year after the start of the GDPR, the pressure to find a similar solution in the United States was only intensifying," wrote Shane Green, CEO of the private sharing platform digi.me, in an e-mail . "When the United States adopts its own version of GDPR, it will be a turning point for privacy."