Europe’s General Data Protection Regulation, which celebrates its first birthday on Saturday, has achieved a lot for an infant. The GDPR changed the rules…
Europe’s General Data Protection Regulation, which celebrates its first birthday on Saturday, has achieved a lot for an infant.
The GDPR changed the rules for companies that collect, store or process information on residents of the EU, requiring more openness about what data they have and who they share it with. The law is hailed as the global standard for privacy in the digital age, in which data is a precious commodity.
The GDPR came into effect a few months after the news broke that political consultancy Cambridge Analytica had gotten ahold of personal data on 87 million Facebook users without their permission. The timing emphasized the need for the GDPR and highlighted that it was overdue.
The law has forced Facebook and its Silicon Valley neighbors to make sweeping changes to their privacy and data-handling policies, such as asking users to consent to new terms and bringing in pop-ups to inform them of any changes. Importantly, it introduced special protections for teenagers. So far, only one US company, Google, has been hit with a major fine.
For the big US companies, the real effects of the GDPR are still to come. The EU’s move to update its privacy regulation has spurred other countries around the world — including Silicon Valley’s home turf — to consider following suit. And because it’s been used so little in its first year, tech companies big and small still haven’t felt the force of the regulation.
According to EU figures, citizens, privacy organizations and others have filed 144,376 GDPR complaints since the regulation came into force. (Complaints can be submitted by any people who feel their privacy has been impacted.) Companies have reported 89,271 data breaches, which they’re obligated to report within 72 hours of discovery.
Fines, however, have been much smaller than expected. Under the GDPR, companies can be fined 20 million euros ($22.4 million) or 4% of their total annual worldwide revenue in the preceding financial year, whichever is higher.
In January, Google earned the only landmark GDPR penalty thus far when French regulators handed out a 50 million euro fine to the tech giant for not properly disclosing to users how their data is collected and used for targeted advertising. Google still faces an open probe, announced this week by the Irish Data Protection Commission (DPC).
