Opinion: Mark Leiser

Last month marked the first anniversary of the European Union’s General Data Protection Regulation (GDPR) coming into force. From news about Amazon’s Alexa listening to our private conversations, to facial recognition cameras installed in airports and taxis, the year since has been a steady drip of revelations about data collection practices of big tech firms and breaches that have exposed the personal information of millions of data subjects. 

Behind the scenes, though, reaction to the GDPR has been quite different. Businesses have struggled to come to terms with their obligations under the new law, while others have failed to conduct proper balancing tests between competing rights. The Information Commissioner’s Office has been overwhelmed with complaints, queries, investigations and enforcement proceedings. Opaque guidance from the regulator has not exactly made implementation easy. Who would have thought a fundamental right could be so difficult, requiring everything from data protection officers and impact assessments to determine the effects of processing? 

At the heart of the GDPR are data subject rights – tools that you and I can exercise against actors known as data controllers who make decisions about the way our personal data are handled. Yet for most of us outside of the data protection filter bubble, the GDPR looks responsible for nothing more than a disruption to the user experience. First it was an inundation of “consent” emails to continue marketing communications. Now it is the annoyance associated with website pop-up windows demanding users “accept to continue”. Ironically, both of these are not GDPR consent issues at all. The first issue relates to the e-Privacy Directive. Furthermore, a company does not need consent to process personal data if it has a legitimate interest in marketing to its customers.

Of course, we rarely exercise our data subject rights, and the Regulation meant to “rein in Google and Facebook” has done nothing of the sort. In the run-up to 25 May 2018, big tech doubled down, getting a fresh set of permissions for data processing. This has actually empowered big tech into processing even more data. The law of unintended consequences. Although the US regulator is expected to fine Facebook up to $5 billion for its data protection practices, it is safe to say that big tech has already internalised the costs of compliance. Last quarter, Facebook’s total revenue rose from $12.97 billion to $16.91 billion and Google reported first quarter revenue of $36.34 billion. When you are making that kind of money, it is safe to say that you can afford the GDPR’s regulatory burden. 

However, small businesses and sole traders that cannot afford data protection experts are now faced with the task of making correct decisions about compliance, under the threat of sanction. Subject access requests and right to be forgotten requests can, and often are, abused. A Glasgow-based criminal lawyer has sought advice whether a deletion request could be exercised against his firm from the very person named in an incrimination defence. Subject access requests have been lodged to gain access to judges’ notebooks from legal proceedings. Although it is easy to notch these up as vexatious requests, a legally required response takes time and money. Sometimes the request is not clear or the balancing test is confusing. Furthermore, no one really knows the extent of the definition of personal data and determining the legally appropriate response might mean extensive calls to the ICO helpdesk. 

As compliance fatigue sets in, the GDPR runs the risk of turning into the new health and safety, as in “We cannot do that because of GDPR.” Everyday activities like bin collection and taking photographs in public places have been erroneously prohibited “because GDPR”. 

What exactly is empowering in a rule interpreted in such a manner that parents are prevented from taking pictures of Junior in the school play? 

The GDPR has helped people understand the importance of data protection and provided data subjects with increased protection. It forces data controllers to think about processing and getting the proper ground for doing so. 

As time passes, new data protection norms will likely develop. Some say the next decade will bring more aggressive enforcement from national data protection authorities. 

But although heralded as a new privacy framework for data subjects, in reality it is a mess. 

The complexity of the GDPR has and will continue to be its undoing. Some have suggested that the Regulation is a living document and will help constrain the unmitigated harms associated with everything from profiling to targeted advertising. Until then, I remain sceptical.