Meta had been waiting to hear about its GDPR fine for many months. But even its representatives must have been surprised by the €1.2bn figure revealed in May. It’s the largest ever fine to a single business over the five years the GDPR has been in place.
When it first became law in 2016 (although it would take a further two years to come into force), the GDPR was hailed as something of a privacy superhero. It replaced the Data Protection Directive (DPD), which had been in place throughout Europe since 1995. The DPD had governed the way personal data could be collected and used but was enforced inconsistently across the bloc. And, with the acceleration of technology, it was quickly becoming out of date.
The GDPR set out to stop the rampant personal data misuse associated with surveillance capitalism and achieve greater protection for EU residents. It gave individuals new rights over their personal data, including the right to be forgotten and the right to object to automated decision making.
Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and the Open Markets Institute, writes in The Economist that it was the revelations of the American whistleblower Edward Snowden that spurred the EU on to do something. “Enforcers gained formidable powers, including the authority to raid companies like Google, Meta and Amazon, and to force them to change how they operate. This showpiece regulation was hailed as the new global standard for data protection and privacy.”
Since 25 May 2018, regulators have issued more than 1,600 fines to organisations and individuals for breaching GDPR regulations. They total £2.5bn (€2.78bn), not including Meta’s latest sanction. The company has certainly been in the firing line – seven out of the 10 highest fines for GDPR breaches are attributed to Mark Zuckerberg’s company. Vodafone España has been fined on 63 separate occasions, and Google and its subsidiaries have been fined more than €215m.
Has the GDPR succeeded in its mission? Here are some of its accomplishments and the work still left to do…
1. There is much more awareness of privacy and data protection
Where the GDPR has certainly succeeded is in raising public awareness about the importance of privacy and data protection. Individuals are much more aware of the risks and their rights. Three in four consumers have concerns about how companies are using their data, and almost half (46%) would no longer use or buy from a company they were previously loyal to if it failed to protect their data from a breach.
2. But enforcement is patchy
Despite the EU-wide nature of the GDPR, not every regulator applies the rules in the same way. Indeed, it seems to be the big technology companies that get most of the fines. Yet Ireland, which is perhaps the EU’s most visible data protection watchdog by virtue of so many of the world’s biggest tech giants having their EU headquarters there, has been criticised for being soft on big tech. Almost two thirds (64%) of the 159 enforcement measures by late 2022 were merely reprimands, and a study of GDPR decisions in Ireland revealed 75% of the Irish regulator’s recommendations were overturned by Europe in favour of stronger action.
3. GDPR has become the standard that other countries follow
Countries around the world have taken their lead from the GDPR. More than 70% of countries now have data protection regulations in place and a further 9% have legislation in development, according to the United Nations Conference on Trade and Development. Even recent calls for a federal privacy law in the US can be traced back to the GDPR. Some of the decisions made by regulators under the GDPR have also benefited people worldwide. OpenAI, the owner of ChatGPT, for example, was given a to-do list by the Italian DPA in order to have its suspension in Italy lifted. This forced it to make changes to the way data is used in its product, changes which benefit everyone wherever they are based. Similarly, the introduction of the ICO’s Children’s Code resulted in the likes of Facebook, Instagram, YouTube and Google changing the way children interact with their products, as well as inspiring increased protection for children’s personal data in other jurisdictions. For example, the California Age-Appropriate Design Code Act is heavily based on the ICO’s Children’s Code. The global nature of the internet means a huge divergence in laws is unlikely to happen. Gartner predicts that by the end of 2024, the majority of the world’s population will have its personal data covered by privacy regulations.
4. It’s still seen as the purview of lawyers and consultants
Too often, the GDPR is still seen as something to be outsourced to lawyers or data protection consultants. That breeds resentment. Companies should be able to comply without feeling overwhelmed, turning to specialist advisers only when they’re facing difficult, complicated questions. Everyone in a given organisation will interact with data in some way, so privacy should be something that everyone in the organisation understands and acts to protect. Done right, this creates a culture of responsible data handling and builds customer trust.