Europe’s GDPR – One Year Later

A year ago, we wrote about Europe’s General Data Protection Regulation, or GDPR.

See: GDPR – Is Your Organization Ready?

This legislation was passed by the EU in 2016, establishing new rules for how companies manage and share consumer data, and came into force on May 25, 2018. Industry players expected quick enforcement of the regulations. They anticipated that large technology firms, like Facebook and Google, would be among the first to feel the impact of the aggressive policies and fines and that smaller organizations would have more freedom to compete against these technology giants.

A year later, little has come to fruition as under-resourced European regulators are still struggling to comprehensively define their mission as they simultaneously attempt to pursue investigations they know will end up in front of the courts. At the same time, smaller firms are less willing than large corporations to push the boundaries of GDPR. As a result, they are suffering from high compliance costs.

The challenges being experienced in the implementation of Europe’s data protection overhaul have stimulated industry experts in other regions to moderate similar efforts outside the European Union. Lobbyists worldwide have worked tirelessly to cast GDPR as burdensome, especially for smaller companies. They seek to grant citizens control over personal data without causing undue onus on small and medium-sized businesses.

The intention of GDPR was not to burden businesses, rather it was to champion consumers amidst the public’s growing awareness of how their personal data has been used and misused. But since the enforcement of the regulations began last year, few companies have been fined or forced to change their practices. The big tech companies have finessed the new privacy regulations to work to their advantage.

There have been widespread government efforts to increase the annual budgets of European national agencies but they struggle to readily enforce the regulations. According to the International Association of Privacy Professionals, despite almost 100,000 privacy complaints having been filed with national privacy regulators, few have led to meaningful penalties. Government officials are asking for patience and emphasizing that it will take time for a consensus to be reached on how data should be processed and, subsequently, for GDPR privacy rules to fully take effect.


Big Tech

Big Tech companies, like Facebook, prepared for months to finesse their services to meet the European Union’s new standards. Because users are actively given the choice to opt into various services, there has been a more positive reception to technology such as Facebook’s facial recognition service. That being said, some privacy regulators are not convinced that Facebook is necessarily collecting and using the data in the manner it openly states or that people truly understand how their data is being used.

Prior to GDPR becoming law, the search giant Google contacted all websites that rely on its advertising services to inform those publishers they must now solicit user’s consent to collect data on Google’s behalf. Google told websites they would not be allowed to utilize its advertising services if they did not comply with the request to obtain consent.

This practice allows Google to obtain user’s data from publishers and then, theoretically, utilize it for its own, unspecified purposes while still, technically, having sought people’s permission to target them with digital advertising. Executives for publishers relying on Google’s advertising services see the tech giant’s request as a land grab for profitable data that would, in the past, have belonged to the publisher collecting it. The powers that be are expected to investigate the legality of this practice of secondary data use.


Beyond Europe

The European Union was first to focus on reining in technology companies’ use of citizens’ data but the rest of the world is not far behind. Tech executives and lawmakers in the United States agree that a need for stronger privacy rules exists. They disagree, however, on how to go about protecting United States citizens.

Negotiations continue in Congress regarding wide-ranging data protection regulation, signaling an increase in interest in the topic. There is a lack of consensus on whether federal law should override existing state legislation. There is also disagreement on whether or not individuals should be given the right to file suit against technology firms over violations of privacy rights. Many states are unwilling to wait for the Washington gridlock to release and are contemplating a wide range of privacy legislation that, in many cases, parallels portions of the GDPR.

In our blog, California Dreaming of Privacy, written in August of 2018, we shared information about the California Consumer Privacy Act of 2018 (CCPA) that was signed into law on June 28, 2018, and will take effect January 1, 2020.

The CCPA is a sweeping consumer privacy law that establishes additional regulations to be followed when processing personal data of California residents. It is predicted to have a widespread impact due to the global nature of California’s economy. The Act, essentially, provides consumers more insight as to what personal data is being harvested and what is being done with that information.

Lobbyists are working tirelessly leading up to the 2020 implementation date to soften the impact of the legislation on companies such as Google and Facebook. A battle was won when the California Attorney General removed the right for the state’s citizens to sue firms for illegally collecting their digital information.

In the CCP Act and other U.S. proposals, there is a noticeable difference from Europe’s GDPR. In Europe, people are given the right to opt IN to having their data collected, the default is an absolute “no” unless the user explicitly gives consent. In the U.S. versions, companies are automatically given the right to collect personal data and users must opt OUT of having their information harvested. Critics have been vocal about what they see as a disservice to U.S. citizens and want to see the GDPR approach considered the global standard.


The transition year for the GDPR is being hailed as a success as well as a failure. The breach notification portions of the regulations have worked well to bring more transparency to situations that impact large groups of Internet users. The sections of GDPR that impose fines of companies that fail to protect consumer data are largely seen as a failure. Other countries should heed the accomplishments and challenges as they consider implementing their own consumer data protection regulations.

The experts at Strategy Driven Marketing are keeping their thumb on the pulse of data protection to benefit the work of our clients as well as our own work. Wondering if your marketing falls safely within other privacy and compliance best practices? Contact us today for a free 30-minute strategy consult.

Cover photo by Fox from Pexels