One Year on, EU’s GDPR Sets Global Standard for Data Protection
The EU’s strict data laws have set the global benchmark for protecting personal information online since coming into force a year ago, but some worry that many users have barely noticed the change.
The “General Data Protection Regulation” (GDPR), launched on May 25 last year, enhances the rights of internet users and imposes a wide range of obligations on companies, including that they request explicit consent to use personal data collected or processed in the European Union.
The EU has billed it as the biggest shake-up of data privacy regulations since the birth of the web, saying it sets new high standards as the world seeks closer scrutiny of tech giants like Facebook, Google and Amazon.
It has also prompted other authorities around the world to strengthen their own data laws.
The US state of California, home to global tech haven Silicon Valley, last year adopted stringent data legislation largely inspired by the GDPR.
Japan meanwhile has worked with the EU to finalise common rules to offer its citizens an equivalent level of data protection as the GDPR.
And Australia plans to significantly strengthen sanctions against companies that breach data privacy rules, following the EU’s lead — the GDPR allows fines of up to four percent of a firm’s turnover.
– Companies slow to implement –
But the transition has not always been easy — companies inside and outside the EU have spent a total of hundreds of millions of euros to comply with the regulations.
Much of this has gone to upgrading how firms handle the vast amounts of data streaming in every day.
“Many companies face a major problem: their IT system was designed around providing services, but not around the data, which is constantly duplicated in all directions, sent to multitudes of providers and suppliers,” said Gerome Billois, an expert at the IT service management company Wavestone.
He added that 31 percent of companies fail to implement the GDPR’s “right to be forgotten” — which allows people to have their personal data deleted — because “they don’t know precisely where the data is”.
But Jean-Michel Franco of the French software company Talend says the industry is now “starting to get up and running” in implementing the GDPR.
– Users ignoring rights? –
However several campaign groups that defend the rights of internet users say that the GDPR’s lofty goals are still a long way from being reached.
The main difference that most EU internet users notice under the GDPR are consent banners that pop up as they access a website.
Many users simply give their consent in the quickest way possible rather than asking for “more information” and being led into a maze of dense information and further questions.
A recent study of one urban transport website found that nearly 80 percent of users simply clicked the “accept all” button to move onto the site as quickly as possible.
Only around 10 percent of users chose to read the information detailing their rights — if the explanations were short — while another 10 percent read them thoroughly, according to the study of more than 280,000 people conducted in February by mobile marketing firm Ogury.
– 145,000 complaints –
But while many internet users may pay the changes little heed, the GDPR has empowered some to take action against tech giants.
So far nearly 145,000 complaints and questions have been registered with the EU’s national authorities in charge of enforcing the GDPR, an initial assessment revealed this week.
The complaints have also triggered severe penalties, including France’s record 50 million euros ($56 million) fine on US giant Google for not doing enough to inform users on how their data is used.
EU Justice and Consumer Affairs Commissioner Vera Jourova has said the regulation is like “a one-year-old baby who has an appetite and is very agile”.
There was widespread criticism in the months leading up to the regulation coming into force, but now voices “around the world are calling for comprehensive data protection rules similar to GDPR”, she added.