One year later, EU privacy law faces tough questions

Europe’s sweeping data privacy law, the General Data Protection Regulation (GDPR), is facing tough questions at its one-year mark as regulators and industry giants intensify the fight over its enforcement.

The rule rolled out last May sparked big expectations from privacy activists who hoped it would force the largest tech companies like Facebook and Google, and the even murkier world of third-party data collectors, to fundamentally alter their business practices.

{mosads}Tech watchers say that a year in, many of the lofty goals of the bill’s supporters have not been realized because companies have yet to make major changes to their data practices. But experts add that the law’s full effects are still taking shape.

“A year is too early to say that it’s been an obvious success or obvious failure,” said Lindsay Barrett, a staff attorney and fellow at Georgetown Law’s Communications and Technology Clinic.

Whether the law will force a real shift in the tech industry will largely depend on the next stage, in particular on how European courts rule in privacy cases and how data regulators pursue investigations and enforcement actions. Barrett said that establishing those legal precedents is a slow process.

“We have to consider the inertia that both the GDPR and privacy laws here are working against. I’m optimistic is the short answer,” she said. “It takes a lot to move the status quo to where the GDPR is hoping it will go.”

The law set new transparency standards for companies handling personal data, required sites to minimize the amount of information they collect and give users more control over their own data. The GDPR came at a critical point in the privacy debate, when the general public and government authorities were becoming more cognizant of data privacy issues.

As it took effect, attention was focused on Facebook’s Cambridge Analytica debacle, in which the right-wing political consultancy obtained data on millions of users without their consent, throwing Silicon Valley’s handling of user data into the spotlight and drawing scrutiny from regulators around the world.

The first anniversary of the privacy law comes as the U.S. rethinks its own legal framework governing data collection. Congress is exploring what could potentially be the nation’s first federal consumer data protection law, but lawmakers involved in the negotiations have reported little progress after nearly a year of talks.

The tech industry has backed the push for a national privacy law, in hopes of overriding a tough new California privacy law set to go in effect in 2020. Businesses of all stripes have asked Congress to set a federal standard that would block states from imposing their own regulations.

Daniel Castro, the vice president of the industry-backed think tank Information Technology and Innovation Foundation, said that the first lesson Congress can take from the European law is to establish a unified framework for businesses to abide by before other states try to set their own laws.

“The point of the GDPR was to create a single digital market,” Castro said. “The U.S. is moving towards the opposite of that.”

But Castro argued that the GDPR has failed to make much of a difference for consumers and warned that it has actually strengthened the largest tech companies.

“The net effect has been that there’s been an entrenchment in the largest ad networks, which is ironically decreasing competition,” he said.

Privacy advocates disagree and see plenty of potential for the GDPR to curb what they see as Silicon Valley’s excessive data collection.

“Regulators are only starting to enforce the GDPR and it will take years to have full effect. But already, things are looking bleak for our colleagues at Google and Facebook,” Johnny Ryan, the chief policy officer at Brave, a company that operates a privacy-focused internet browser, told the Senate Judiciary Committee last week.

“Their year-over-year growth declined steadily in Europe since the GDPR — despite a buoyant advertising market,” Ryan added. “They face multiple investigations, and it is very likely that they will be forced to change how they do business.”

In January, the French data protection authority known as CNIL fined Google about $57 million, ruling that the search giant is not transparent enough with users about its processing of their data, a decision that could have far-reaching implications for its privacy practices.

Google is appealing the ruling, setting up a court fight with high stakes.

And the Irish Data Protection Commission (DPC), which is thought to have authority over many U.S. tech companies that base their European operations in the country, has more than a dozen investigations open into Silicon Valley firms.

Last week, ahead of the anniversary, the DPC announced that it was launching an investigation into allegations that Google’s advertising system is broadcasting vast amounts of information about users to dozens of companies on each of the 8.4 million websites that operate its ad exchange — a practice that could potentially be a massive GDPR violation.

“We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding,” Google said in a statement in response. “Authorized buyers using our systems are subject to stringent policies and standards.”

The investigations highlight how tech companies have not made major changes to their practices a year after the GDPR took effect.

Ryan, who had lobbied the DPC to look into Google’s practices, says a major reason is that the industry is still trying to see what they can get away with under the law.

“Up until now, most of the industry that I’m involved in has been playing a game of chicken with regulators,” Ryan told The Hill.

But he added that companies should brace themselves for what’s ahead as the fight shifts to the courts and regulators ramp up their probes.

“I think we’re only now at the point where it’s clear to the industry that they’re going to lose this game,” Ryan said.