(The New York Times)
When Europe enacted the world’s toughest online privacy law (the General Data Protection Regulation, or GDPR) nearly two years ago, it was heralded as a model to crack down on the invasive, data-hungry practices of the world’s largest technology companies.
Now, the law is struggling to fulfill its promise.
Europe’s rules have been a victim of a lack of enforcement, poor funding, limited staff resources and stalling tactics by tech companies, according to budget and staffing figures and interviews with government officials. Even some of the law’s biggest supporters are frustrated with how it has worked.
In addition, the response to Covid-19 is raising new questions about the role of privacy safeguards, as digital tools for tracking health and location information, once viewed warily by the European authorities, are now crucial parts of containment strategies.
GDPR has certainly had an impact: I’m sure we’ve all witnessed a pop-up or received an explicit opt-in request due to its implementation. To say it hasn’t made the sweeping changes once envisioned for big tech is a fair critique. Google, to date, has been the only tech giant to feel the law’s teeth (a fine of 50 million euros, worth roughly $54 million today, or about one-tenth of what Google generates in sales each day).
Ireland has shouldered the bulk of the influence over the law’s enforcement (Apple, Facebook, Google, LinkedIn, and Twitter are all based in Ireland). Accordingly, it’s easy to see how outcomes pertaining to the giants are slow-moving: the country’s budget for enforcing GDPR comes in at €16.9 million, a number dwarfed by the quarterly revenue of any of these companies. Adding to the challenge of enforcement is the COVID-19 pandemic, which has altered the debate about how to leverage existing technologies. Techniques that were once seen as intrusive, like collecting location and health data, are part of many governments’ plans to scale contact tracing.
We’re still in the early days of GDPR’s enforcement, but perhaps it’s not the regulatory stick we thought it would be for big tech. Instead, we should consider measuring its success to date by the new expectations it has instilled in consumers with regard to being mindful of their own data. - Tyler Farmer