This week marks two years since the General Data Protection Regulation went into effect. In the before times, GDPR was all anybody talked about. It’s a massive set of data-privacy regulations created by the European Union affecting any companies that operate there. It’s also the template for California’s new privacy law, the CCPA.
Companies spent millions of dollars on GDPR compliance. People expected fines so big, they’d put Big Tech out of business. That didn’t exactly come to pass, but what has the GDPR meant for consumer privacy and, more importantly, our awareness of how our data is used by companies?
I spoke with Jessica Lee, a partner with the law firm Loeb & Loeb who specializes in privacy. She says, so far, it’s a mixed legacy. The following is an edited transcript of our conversation.
Jessica Lee: We’ve heard complaints that the GDPR is kind of the dog that didn’t bite. It was supposed to come with all of these big fines and enforcement, and that’s really what got companies scared into compliance. Two years later, we’ve had some fines, but we certainly haven’t had 2% or 4% of annual turnover. No one’s going out of business. Even at the very high end of fines, there’s nothing in the billion dollar range. I think the enforcement has trickled out, as opposed to being this mass explosion of enforcement. That’s caused some frustration on the enforcement side. But that threat of enforcement, I think, caused a lot of companies really to comply. Compliance was the point, and so that’s why I would give it [a grade] in the B/B+ range.
Molly Wood: Companies did make changes. Do you think those changes will be lasting?
Lee: I do. Obviously in the U.S. we have the CCPA, there’s a law in Brazil — multiple countries are standing up their own privacy regulations. While they’re not exact matches to the GDPR, they do reflect a lot of the fundamental principles. I don’t think it really makes sense to stand up a program that will comply with the GDPR and then tear it down because there wasn’t enforcement. Because there could be enforcement. While we haven’t seen it at the levels that some were hoping for, the threat of enforcement will still cause companies to keep their compliance programs in place and up to date. Not perfect. I won’t say that everyone’s perfect. Maybe that’s part of the complaint, but I think it will keep it on the radar as a priority.
Wood: Do you think there’s anything that has trickled down to consumers? I feel like the most visible change is the annoying cookie disclaimers. If anything, the internet got a little more annoying for us. I wonder, are there any other benefits that you can point to?
Lee: I think just as a general matter, consumers generally are more cognizant of privacy online. I think we still have a long way to go. A lot of my complaints with some of the privacy regulation is that it doesn’t contemplate consumer education enough. Internally, I think that companies, if you do implement the GDPR’s principles, that your data might be held and be processed in a more compliant fashion, meaning you’re not collecting more than you need, or maybe there’s additional security controls in place, or maybe it’s not being shared as widely or without contractual protections as maybe it was before. There are things that are benefiting consumers that they probably can’t see.
Wood: Do you think that GDPR really did change the way that companies think about data and privacy, or that this ongoing awareness campaign will lead to a philosophical shift at companies?
Lee: I think so. It probably has a bigger impact for U.S. companies. We’re going to see this domino effect of privacy regulation. If you weren’t thinking about it for GDPR, you’ll think about it for CCPA. If you’re not thinking about it for CCPA, you’ll be thinking about it for the law that ends up in your state or the federal law that we have. It’ll get to a place where you can’t avoid following these principles.
Wood: Although, we are now seeing those principles collide with the COVID-19 outbreak, and we’ve talked to futurists and legal scholars who are saying, privacy might end up being a bit of a casualty of the pandemic. I wonder how those laws are going to interact with what public-health officials may see as a need for greater surveillance or more data?
Lee: I think we were always headed towards surveillance. These laws weren’t going to stop us from getting to surveillance. The goal would be to get us there in a more responsible fashion, which is I think the benefit of the GDPR. Because it’s principles-based, even if you do do a lot of data collection, even if you do do enhanced surveillance, I think there’s still some fundamental principles that will be in place. The U.S. laws are more spotty and more prescriptive. We don’t have that kind of principles-based approach to privacy. That’s going to leave us in a tough spot because I do think that we always have to make a trade-off. Online, sometimes the trade-off with data is, do I want access to content for free or am I willing not to search on the site because I don’t want to give them my information? I think the stakes are obviously much higher [when] we’re talking about COVID-19. I think people are going to be willing to accept more surveillance [and] will be willing to give over more data to get freedom to be able to go back outside again with some level of comfort. We’re going to be pushing in the direction of surveillance, and the question is, will we be doing it in a way where we have responsible rules in place, or are we going to do it in a way where we might be in a little bit of a free-for-all?