A year and a half have passed since the GDPR entered into force in May 2018, after some very busy times for many companies, including Aditro and our customers, and not least for many consultants and legal advisors. So, what has happened during this past year?
So far, we have seen less drama than imagined by some before that dreaded date 25 May 2018. The world didn’t end, and the sun has kept rising every morning… We all remember the flurry of e-mails in May last year, seemingly from every company we had ever interacted with, informing us of how they deal with our personal data (I wonder if anyone actually took the time to read all that information…). But what else?
Most companies certainly still have work to do, and that work continues. In Aditro our GDPR project has continued in a next phase, with continued implementation and development of internal processes, documentation, product functionality, audit, and, of course, continued training.
Before May 2018, a lot of focus was on the risk of potentially substantial administrative sanctions at up to 4 % of annual turnover, which certainly helped in getting everyone’s attention! But what has been the outcome so far? A few sanctions have been issued around the EU, most notably Google’s 50 million EUR fine, but most of them a lot smaller. But the authorities have not (yet) come knocking on the doors of every company, armed with the threat of expensive sanctions. There are however a number of significant investigations ongoing throughout the EU, including in the Nordic countries and by the Irish DPA, so time will certainly tell us more on this topic.
But is privacy and the topic of personal data now less in the spotlight than it was a year ago? Absolutely not!
It seems every week there is a new major data leak, or a new scandal or legal case reported in the media, with the story involving Facebook and Cambridge Analytica being just one example (If you have not seen it already, I warmly recommend the Netflix documentary “The Great Hack”). Given the number of people on Facebook, it’s not hard to imagine the potential impact of using all that data to manipulate consumers or voters.
Number of Facebook users (from Facebook’s website):
• 1.59 billion daily active users on Facebook on average for June 2019
• 2.41 billion monthly active users on Facebook as of June 30, 2019
• More than 2.1 billion people use Facebook, Instagram, WhatsApp, or Messenger every day on average
• More than 2.7 billion people use at least one of our family of services each month
It’s not just the annoying and somewhat creepy fact that every time I do something online, whether it involves travel planning, shopping, or just doing research into some topic, I instantly get bombarded with advertisements targeted around exactly that destination, gadget or topic.
It’s also, and more importantly, the fact that we all also get targeted with information, posts and news based on collected personal information about us and our online activity. Even worse, a lot of this content contains “fake news” or disinformation, which has been defined as “false and/or manipulated information that is intended to deceive and mislead audiences, either for the purposes of causing harm, or for political, personal or financial gain”. It has been concluded that such disinformation played a role in elections like the latest US presidential election and the Brexit referendum, and in many other elections, but also in the increasingly polarised public political conversation in many countries. It is also clear that this content is to a large extent produced and distributed by Russian “troll factories” with the clear intent of destabilizing western democracies, or by powerful but invisible political interests. A report issued by the UK Parliament concluded that “Democracy is at risk from the relentless targeting of citizens with disinformation” and directed severe criticism at Facebook both for how they handle their users’ data and their refusal to cooperate with the parliamentary inquiry (Report).
When dealing with the sometimes challenging details of the GDPR and its implications in our daily professional and private lives, it’s easy to lose track of the bigger picture and why we need legal protection for our personal data in the first place. We need to remember that privacy is a human right, and that lack of protection of personal information has implications for our democracy, our integrity and our possibility to make independent choices and decisions without being manipulated.
Aditro General Counsel