Europe's General Data Protection Regulation (GDPR), which celebrates its first birthday on Saturday, has achieved much for an infant.
GDPR changed the rules for companies that collect, store, or process information about EU citizens, and requires more transparency about what data they have and who they share it with. The law is hailed as the global standard for privacy in the digital age, where data is a valuable commodity.
GDPR came into effect a few months after news broke that the political consultancy Cambridge Analytica had obtained personal information about 87 million Facebook users without their permission. The timing emphasized the need for GDPR and highlighted that it was delayed.
The law has forced Facebook and its neighbors in Silicon Valley to make extensive changes to privacy and data management policies, such as asking users to agree to new terms and bringing in pop-ups to inform them of any changes. It is important to introduce special protection for teenagers. So far, only one American company, Google, has been hit with a big fine.
Complaints and Fines So Far
According to EU figures, citizens, privacy organizations and others have filed 144,376 GDPR complaints since the regulation came into force. (Complaints may be sent by people who feel that their privacy has been affected.) Businesses have reported 89,271 data violations, which they are obliged to report within 72 hours of discovery.
However, fines have been much lower than expected. Under GDPR, companies can be fined 20 million euros ($22.4 million) or 4% of their total annual worldwide revenues in the previous fiscal year, whichever is higher.
In January, Google received the only landmark GDPR penalty so far when French regulators issued a 50 million euro fine to the tech giant for failing to provide users with accurate information on how their data was collected and used for targeted advertising. Google still faces an open probe by the DPC.
"We will fully engage in the DPC's investigation and welcome the opportunity for further clarification of Europe's data protection rules for real-time bidding," said a Google spokesman in a statement. "Authorized buyers using our systems are subject to strict guidelines and standards."
Other notable fines have been issued by the data protection authorities in Portugal (400,000 euros for hospitals), Poland (220,000 euros for a computer processor that scraped the internet) and Germany (20,000 euros for a chat app aimed at children). There is currently no overview of the total number of fines issued.
The Storm Comes
Marc Dautlich, a partner at Bristow's law firm, says that the slow start makes sense because the data protection authorities must learn to use their new powers.
The authorities are working out the "official interpretation" of the new law, he said. This has meant consulting with each other, as well as with law firms and privacy organizations.
With an increase in the number of complaints to be investigated (Ireland's DPC has seen complaints more than double since the GDPR was introduced) has come the need to hire more employees.
Issuing fines quickly will also cause problems for the data protection authorities. Armed with massive teams of lawyers, tech giants will push back against anything they find unfair, as they have done against the EU's antitrust decisions. And the authorities have to seek out because of the increase in complaints.
Dautlich said the security officers will prioritize complaints involving AI, face detection, data profiling, and ad inclusion. That will affect Silicon Valley, because most of these technologies are not home-grown in Europe.
Ireland has a running list of investigations into a who's who of tech titans to see if they comply with GDPR. The targets include Twitter, Apple and Facebook (as well as Facebook's Instagram and WhatsApp services). None of the companies were willing to comment about the open investigations.
It may seem to be in the EU's interest to secure, in these early days, a large number of high-profile fines to ensure that technology companies across Europe and the globe continue to take compliance seriously. But even the European Commission is more concerned about how than when.
"Compliance is a dynamic process and does not happen overnight," Věra Jourová, the European Justice Commissioner, and Andrus Ansip, CEO of the EU Digital Internal Market, said in a joint statement this week. "Our most important priority in the coming months is to ensure proper and equal implementation in the member states."
The large technology companies are also waiting for more clarification on how the regulation is to be implemented. "As lawmakers adopt new privacy rules, I hope they can help answer some of the issues that GDPR goes out," wrote Facebook CEO Mark Zuckerberg in a blog post in March. "We need clear rules when information can be used to serve the public interest and how it should apply to new technologies such as artificial intelligence."
GDPR's International Implications
Perhaps the biggest success of GDPR so far is that it is kick-starting a worldwide privacy conversation. In a speech this week, Jourová welcomed the demand to imitate GDPR as proof of its success.
"Last year we heard complaints and criticism, today we hear conversations around the world for extensive data protection rules similar to GDPR," she said.
Following in Europe's footsteps are efforts by countries including Brazil, South Korea, Japan and India to bring in privacy rules similar to GDPR. Meanwhile, in the US, and in Silicon Valley's heartland no less, lawmakers are preparing to bring the California Consumer Privacy Act into effect.
Increasingly, Facebook, Apple and other tech giants have called for regulation in the vein of GDPR and promised their support for privacy protection in the United States. Microsoft helped business users comply with the GDPR and will proactively help shape US privacy policies. It has called for a law that puts the burden on tech companies.
The USA will no doubt be interested in how EU regulations are transposed across borders between European countries. The United States will face similar problems in harmonizing federal and state laws.
And there seems to be little doubt about it: US regulation is coming.
"One year in the GDPR, the pressure to find a similar solution in the US has only intensified," wrote Shane Green, managing director of private sharing platform digi.me, in an email. "When the United States passes its own version of GDPR, it will be a privacy sign."