This week marks the second anniversary of the EU GDPR coming into force. Reflecting on what has changed since May 2018, it seems to me that although we have traveled well, we are not quite at our destination. There needs to be regulations on the one hand, which we have by definition, and consumer awareness on the other – and we still have some way to go on this.
I believe we are at a similar point as the car industry was with seatbelts many years ago. You might be surprised to know that there was a time when seatbelts in cars were optional, not compulsory. Then, they became compulsory only for those in the front. And now, today, they are compulsory for everyone including back seat passengers. Seatbelt behaviours only changed dramatically when regulations were introduced. The first laws appeared in the United States in 1968 and similar regulations came into force in Ireland just over 40 years ago.
What does this have to do with GDPR? A lot, I believe.
The privacy seatbelt
Wearing a seatbelt began as a compliance requirement: an activity which had to be implemented by drivers and passengers simply because the law said so. Some people followed the rule because it was the law; others because they felt it was the right thing to do.
But until the Gardaí started enforcement, we could not achieve full compliance. Of course, there were always those who would only buckle up at the sight of a Garda checkpoint, and those who outright refused to wear one. But general compliance came when enforcement was normalised, i.e. when people understood that breaking the law meant being fined or jailed. After enforcement, cultural change began to happen, together with consumer awareness campaigns – which publicised the seatbelt laws and emphasised the positive outcomes of wearing a seatbelt, linking it to protecting children in the back seat, or passengers in other cars. Eventually, wearing seatbelts became a social responsibility. This served to normalise the wearing of a seatbelt as a minimum expected behaviour, while it also served to engender a sense of guilt and shame in those not wearing a seatbelt. It became ethical, not just legal. Wearing a seatbelt simply became ‘the right thing to do’.
The GDPR connection
Coming back to the past two years of GDPR, I think we are not yet at the ‘cultural change’ phase. The privacy ‘seatbelt’ is still at the compliance stage, and exceeding GDPR is not yet central to many organisations’ processing behaviours.
We have seen some very high-profile technology organisations actively promote that they exceed GDPR protections (e.g. Apple, IBM, and Microsoft have implemented GDPR-level protections across all countries regardless of need, whereas certain other large technology and social media companies have yet to do so). However, can we be certain that this is a cultural shift in attitudes to privacy regulation? Several academic studies tell us that privacy pays when associated with trust. So, do these organisations exceed GDPR because it is their value of social responsibility, or are they commoditising privacy by framing it as a social value in order to engender increased consumer trust and increased shareholder value?
Data privacy as a social issue
As yet, we do not know why some organisations exceed GDPR compliance – we just know that they do. On this point, my PhD research journey has taken me to explore the non-market strategies of several large technology organisations towards consumers’ privacy. I investigated how privacy materialises in their corporate social responsibility (CSR) publications and their corporate political activity (CPA) i.e. lobbying. There is evidence that many large technology organisations are ‘claiming’ to value privacy and exceed legislation, while behind the scenes they are lobbying for reduced privacy rights for consumers. Some organisations have implemented GDPR across all organisations in their global corporations – and in their CSR publications, state that they do so ‘to respect consumer privacy’. However, their CPA lobbying publications state that they support harmonised privacy laws, as they are easier and cheaper to comply with than patchwork compliance requirements. Perhaps it is both? But why the disparity?
So, although I see a lot of talk about ethics in relation to privacy, I do not necessarily see a lot of evidence to support that it is a ‘felt’ value, rather than just a ‘published’ value. My sense is that some organisations are ‘talking the talk’ about ethics because they know it enhances consumer trust, but we have no real insight as to their true intentions or values until a breach occurs and we get a clear lens into the processing behind closed doors.
Another very compelling reason to comply with any regulation is the fear of punishment for failing to meet obligations. As an example, in the financial sector, compliance is always more profitable than non-compliance. Financial institutions are audited regularly and fear the risk of losing operational licenses or big fines if they fail to comply. Before May 2018, much of the build-up to GDPR focused on the size of potential fines in the private sector for non-compliance. Two years since the regulation came into force, we are still waiting – and this, I believe, is the single biggest failure of the GDPR in Ireland.
For any regulation to work, the watchdog must have teeth. There needs to be a supervisory authority that will monitor for compliance and is prepared to fine offenders. If a regulator does not exercise that power in a reasonable timeframe, then it is pointless because an organisation can quite easily choose to opt for non-compliance as a more profitable approach. In data protection, as in banking, compliance should always be the more profitable route.
Regulators must regulate
A worrying development was the news last month that Brave, a privacy-focused browser company, released a report into Europe’s data protection authorities, which found that few of them are sufficiently well funded to defend themselves in court against large technology multinationals.
(In May, the Data Protection Commission issued its first fine, to Tusla, the child and family protection agency, for €75,000. However, I feel it would have been a far more effective strategy if the regulator had insisted that Tusla use the €75,000 to improve privacy protection, processes, and products instead.)
So taking stock two years into GDPR’s existence, as a privacy professional working with clients and consulting in this area – and as someone who has dedicated four years of their life to researching privacy in the non-market environment – I definitely see an increased level of compliance with data protection regulations as a result of GDPR.
However, I feel we are missing the consumer awareness aspect that worked so successfully with the seatbelt safety campaign. As consumers, we know when we walk into a shop to buy something that we have certain statutory rights. Unless you are working in the privacy and data protection fields, it is very unlikely that the average person knows their rights under GDPR to make a subject access request, for example. When that level of public awareness starts to happen, combined with a more present threat of fines for non-compliance, we can say more confidently that the regulation is working as intended.
For any organisation that does not yet know what it needs to do to be compliant, now is the time to figure out how the seatbelt works before the Garda checkpoint comes into view.
Have you signed up to our monthly newsletter? Every month we send out cybersecurity and data protection trends from across the globe, with an eye on the future of security and privacy, as chosen by our consultants.. Sign up here