ePrivacy and GDPR, six months on: Everyone worse off?
It has almost been six months since the General Data Protection Regulation (GDPR) entered into force, simultaneously putting an end to the laxity with which the preexisting ePrivacy Directive (as amended in 2009) had come to be interpreted and applied across different countries with regards to the threshold for valid consent in the context of digital communications.
While we patiently wait for an upcoming ePrivacy Regulation to fully align the lex specialis to the new, wider framework, both the GDPR’s recitals and the European Data Protection Board’s Guidelines on Consent provide enough guidance for marketing, big data, or e-commerce professionals (particularly exposed to digital environments) to ensure compliance with this interplay.
And yet, compliance as a whole remains a low priority. It is, instead, the avoidance of blatant missteps while sticking to “business and usual” that drives adoption of a few cosmetic measures. After all, stronger efforts would entail a serious loss of business for whoever moves first in highly-competitive, breaching-by-default verticals. Did we ever expect to see real change in the absence of large-scale enforcement?
In the meantime, the vast majority of individuals on the other side of the screen have perceived more inconvenience than value. Interruptions have become more annoying and confusing, requests for permission have done away with the user experience (and accessibility by the disabled) on mobile devices. Most privacy policies are now even longer and more unintelligible.
On a more generic note, the GDPR has given rise to unfair competitive advantages: its complexity favors large incumbents with enough muscle to adapt; its (welcome) push for transparency and consent favors a few tech giants enjoying a direct relationship with the consumer, providing them with fresh legal grounds on which to bar new players from leveraging their platforms.
While there is little we can do to prevent the latter (a higher level of protection seems to run parallel to a less competitive scenario in the absence of real demand for it), plenty can be done to address complexity and lack of enforcement.
Addressing complexity requires a strong act of humility on the part of privacy professionals and legislators. We must eventually accept that lawyers and academics are not immune to “filter bubbles”: GDPR compliance has become an elitist game, well beyond the reach of SMEs or the very data subjects it was meant to look after. If society is to benefit from greater transparency and choice, compliance should not hung on spending a little fortune in legal fees - to be fair, some EU Supervisory Authorities (starting with ICO, AEPD, and CNIL) are starting to be really effective at producing simplified, accessible guidelines for specific use-cases.
Addressing lack of enforcement starts with another realization. Should we really expect Supervisory Authorities to do it themselves in view of their current budgets, muscle, and breadth of competencies? There probably was hope in the GDPR’s Principle of Accountability to take the additional burden off their shoulders, but the most patent violations of the regulatory framework originate in industries and activities whose very existence depends on the law not ever being truly enforced. In the words of an ad agency executive I was recently speaking to, “you are asking the turkey to join the Christmas party”.
From this it follows that enforcement is unlikely to come in the form of sanctions (as defined in the GDPR), or even private lawsuits. As the value of transparency permeates society, I would expect people themselves to take control, demand respect, and leverage an alternative, highly effective means of enforcement: reputation.
Here’s what it could look like: www.comply.org
Co-founder and CEO at PrivacyCloud | Privacy Advisor at Empathy.co
6yThanks, Andor. As advanced, I am pretty confident that enforcement will actually arrive, it only not through the expected channels.
Trusted Advisor, Senior Information Security, Privacy, GDPR Professional , experienced trainer, public speaker (gold dust)
6yWhilst I tend to agree with this article, the view by itself is rather dim without any hope of improvement. Or it would be the larger budgets required for the DPC Ireland, ICO and CNIL’s of Europe to come to an over-arching enforcement power. I really hope that that is not the answer. On the other hand, how can we expect companies, organizations or governments to improve on their data protection posture whilst most of them have been ignoring the topic for more than 2 decades? Simplify explanations and scenario’s can only do so much within a topic that is by it’s nature complex and dependent heavily on the actual details of the situation.