May 25 marked one year since the EU’s General Data Protection Regulation (GDPR) came into force.
The idea was to introduce some of the most advanced and strict data protection rules in the world, rein in tech giants and their data-exploitative business models and behaviors, and give a fighting chance to smaller companies.
But, writes Politico, not much of this has materialized in the first year of the GDPR, which remains insufficiently implemented and insufficiently effective.
For one thing, the cost of implementing the regulation has hit smaller companies the hardest.
Making matters even worse, as Ahmed Baladi of the law firm Gibson Dunn said, “there is no consensus or clear harmonization for how data should be processed” even a year into the GDPR’s implementation.
At the same time, regulators have not been using the hammer of monetary fines against Big Tech as they had been expected to – and the fines for those violating the regulation could reach as high as 4 percent of their annual revenue.
But despite some 100,000 privacy complaints being submitted across the EU’s 28 member states, the total monetary penalties that regulators have dished out so far reach only $63 million – the bulk of which was a French fine against Google of $50 million.
But not only has the GDPR been used insufficiently against those breaching its provisions – companies such as Facebook and Google are reportedly coming up with new ways to continue and even ramp up their massive data collection, right under GDPR’s nose.
Facebook, for example, has turned to gathering biometric data via its opt-out facial recognition tech, and sharing data between WhatsApp and the mothership – all previously outlawed, but now apparently allowed under the GDPR.
And Google is bypassing the new rules thanks to a deal with third-party websites that use – and would like to continue to use – Google’s adtech, making them the entities that secure users’ consent to have their data collected, with the data then turned over to Google.
All of this – and Big Tech’s campaigns and lobbying – is starting to give the GDPR something of a bad name outside the EU, in particular in those countries that are considering modeling their own new, more stringent data protection legislation after it.