One Year of GDPR: How New EU Privacy Rules Have Changed the Landscape
It has been almost a year now since the new General Data Protection legislation that was adopted by the EU in 2016 came into force. After its implementation started on May 15, 2018, many businesses rushed to take measures in order to comply with the new requirements. Widely seen as among the strictest and most comprehensive privacy laws, the GDPR aims to secure a high level of harmonized standards across the EU and beyond. But as the one-year mark is upon us, how have businesses so far responded to the new regime?
Data Protection Rises to Top of the Agenda
Data protection has always been considered a priority for the EU, which traditionally upholds a high level of legal protection when it comes to human rights - even relatively novel ones, like the right to privacy. Yet the issue truly rose to the forefront of its legislative agenda in recent years amidst growing concerns about safeguarding data security across industries. Data security strategies aim at uncovering hidden risks, like forgotten or rogue databases, and implementing appropriate cybersecurity measures to protect data from external and internal threats. These include hackers, malicious insiders, and even negligent or compromised users with access privileges. Having a sound internal data security strategy also helps businesses comply with regulatory requirements - like those included in the GDPR.
Safeguarding the privacy of clients and protecting business data have become top priorities for both businesses and the general public, as news of data breaches and leaks continues to plague headlines around the world. This has prompted action on the part of states, governments, and international organizations like the EU. The European Union decided to pass a comprehensive regulation intended to replace previous rules, which were largely outdated in light of modern developments like big data analytics and the Internet of Things. The GDPR mandates businesses to take technical and organizational measures to protect personal data. In this context, organizations must comply with the principles of privacy by design and privacy by default - and within a few months of the GDPR being put into effect, it seems that the new system was already yielding results.
News Websites Move Away from Third-Party Ad Tracking
According to a report by Reuters published on Statista, in the period from April to July 2018, namely one month before the GDPR came into force and within the next couple of months, news websites across the EU started abandoning third-party trackers and cookies. Up till then, third-party trackers would run in the background without the user even noticing, but the GDPR supports a state of transparency with regard to the collection and processing of data from individuals. Data subjects must be informed and give their consent, unless the collection falls under specific exceptions such as aiding law enforcement. As the research indicates, news pages in Germany used 6% fewer third-party cookies, Finland used 19% fewer, and Italy and France used 32% fewer. Spain used 33% fewer such cookies, and the UK showed the most impressive results with a 45% cut.
Meanwhile, Italian news websites saw a decrease of 4% in third-party domains, with Finland experiencing an 8% decline, Spain a 12% decline, the UK a 13% decline, and France seeing 16% fewer third-party domains. Even though Germany did not see much of a decrease and countries like Poland actually experienced a 20% increase in third-party cookies and a whopping 29% more third-party domains, the overall trend is clear and in favor of more privacy and transparency in third-party ad tracking. Interestingly, the new rules also apply to companies based outside the EU, as long as they offer goods and services to individuals on EU soil or monitor their behavior. The implementation of the GDPR has had a ripple effect on organizations across the globe. Many non-EU news sites updated their websites to ask for consent from EU-based users wishing to visit their webpage, informing them about the collection of data and subsequent uses.
Over 95,000 Complaints Submitted under the GDPR Regime
The EU Commission has recently released an infographic with key takeaways on how GDPR implementation has transformed the landscape. By January 2019, national data protection authorities had received a total of 95,180 complaints lodged under the new legislation, most of them relating to CCTV, telemarketing, and promotional emails. By that same point, they had also received over 41,500 data breach notifications, in line with the new rule that all companies must report relevant incidents within 72 hours of discovering a breach.
While 23 EU member states have already transposed the Regulation into their national legislation, five members are still adapting their laws - including Greece and Portugal. The GDPR also provides for hefty fines for companies that do not adhere to their obligations. The biggest fine imposed to date was EUR50 million, which Google was called to pay by the French DPA. France's privacy watchdog found the multinational giant in violation of the requirement of consent when it came to ads. Two further fines have been issued so far, amounting to EUR20,000 for inadequate security for a social network operator in Germany and EUR5,280 for unlawful CCTV by a sports-betting café.
As more and more companies become aware of their obligations under the GDPR, along with the reach of the new rules, we are bound to see even more developments in the long run - which, in the case of privacy rights, were long overdue.