Two years ago, on 25/05/2018, the General Data Protection Regulation (GDPR) started to be applicable in the EU. Although this regulation entered into force two years earlier, in 2016, it caught many companies by surprise. Initially, there was panic around it. Some even thought that it would send ripples all along the Internet, which would change forever. Has this really happened?
Before I start with my opinion on GDPR, I wanted to give you a warning about this law.
My family has been in the law business for more than 50 years. I am the black sheep, the outlier who decided to work in technology. This means that I am not an authoritative source of information. In this post, I am not going to explain the details of the law, only my point of view. I would probably make some fundamental mistakes if I tried to provide any legal advice.
And this is where my warning comes from. You should never try to provide answers to any questions related to GDPR unless you are absolutely sure about them. Even if you are just trying to be helpful by providing some basic answers, you could easily get into trouble. Your client or manager can take any information you provide about this law as a statement and implement what you suggest. There can then be unintended consequences or side effects you were not aware of, which could make the company breach the law. Remember that violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year.
In summary, always, always, always refer to a lawyer in anything related to GDPR.
What has happened
Back to the post. You do not need a crystal ball to know that GDPR has not changed the Internet as we know it that much. In reality, there were already many EU laws protecting consumers' privacy and data. GDPR just consolidated those other laws under a single framework. In other words, the changes that this law should have added to the previous situation should have been small. However, we all know that, previously, many companies cared little about privacy and only GDPR has forced them to take it seriously.
Some visible things that I am sure all of you have noticed:
- We all now get annoying overlays the first time we visit a website.
- Since this law applies to all companies offering content or services to EU citizens, we (Europeans) have lost access to some websites, which did not want to implement any changes related to GDPR.
- Web analytics code has become more complex to implement.
- Companies have invested a lot of money to become GDPR compliant.
- Display advertising is still there, generating millions (billions?) of dollars every year.
- Other countries and regions have created their own laws, taking many aspects from GDPR.
- The EU has already fined some companies due to data breaches.
- People do not feel more protected than before.
As I said, in my opinion, very little noticeable change has happened.
Quantity over quality
There is one area where I think GDPR has been a good thing. The main concern with this law was that it would make marketing efforts very difficult, if not impossible. If digital marketing relies on data and GDPR prevented companies from getting consumer data, the logical consequence would be that many digital marketing activities would be impaired. In a world dominated by spam, there was a tendency to hoard as much information as possible, no matter the quality.
But there is another side to this coin. One of the main premises of this law is that you have to opt in, rather than opt out. In other words, by default, your personal data cannot be used for marketing purposes unless you give explicit permission for it. The interesting point here is that those opting in are actually saying “yes, I want to hear from you, your products/services interest me!” I would argue that a smaller marketing database full of people willing to be contacted is much more valuable than a large database with no knowledge of who wants your communications and who will click on the spam button.
Winners and losers
I am not sure that the lawmakers thought about the following point. There are many small companies that rely on 3rd party data to survive. They either sell their data or buy someone else’s data. With GDPR, they will have fewer options to use this data and try to make a profit. On the other hand, big brands like Google or Facebook rely mainly on 1st party data, their own data. These companies already amass huge amounts of data (they probably know the colour of the underwear you are wearing today) and, with GDPR, they are more legitimised to keep it. We have already provided a lot of our personal data to them and they can use it internally. In summary, some big companies will be bigger and some small companies will struggle.
I have to admit that I am not a big fan of laws. I believe we have too many laws, regulating too many aspects of our lives. What is even worse, lawmakers regulate areas that do not seem to require regulation, while other areas, which a majority of the population feels should be more regulated, are not addressed. Besides, lawmakers have very little knowledge of technology, which is a very bad thing. I know they have aides and technical specialists helping them, but I think this is not enough: lawmakers should get to the bottom of the issue. And GDPR is a typical case where the lawmakers have not taken into account all sides.
In my humble opinion, one of the biggest issues that this law has ignored is the problem of paid vs free content. Nobody wants to pay to access content on the Internet. The only way that many online companies have to make a living is through selling the data they have about the consumers, and I cannot blame them. I find it very short-sighted to expect free content in exchange for nothing. We all need to know that nothing is for free and, if we want content and are not willing to pay money, we will have to pay with a different currency: data.
I also do not agree with the change from opt-out to opt-in. With GDPR, you cannot leave any checkbox checked. It must be the user who selects to receive marketing communications. I know I may be contradicting myself a bit, but opt-out still gives the user the opportunity to decide. Also, the law has created winners and losers, as I explained above. The problem is that, in my view, it has created the wrong balance of winners vs losers.
On the other hand, I know very well how many unscrupulous companies have abused their position of dominance to use our data at will. Many privacy groups have raised their voice about the amount of information companies know about us. The industry has become more mature over the years and spam filters are now everywhere, but companies have been slow to adopt best practices. I understand that a law is sometimes needed to push companies to do what they must do. And, when it comes to security, I definitely agree that personal data should be secured with the utmost protections.