European regulators have spent the last few years trying to determine how much you're worth in data: beyond your email, name, and location, that includes race, religion, opinions, and even mental state. A new report by the global law firm DLA Piper has found that, since Europe's General Data Protection Regulation (GDPR) went into effect in May 2018, EU Member States have fined companies a total of $126.5 million for at least 59,430 personal data breaches. The policy promised to go out for scalps, but it's still unclear how much it has delivered. Is $126.5 million a lot? I don't know, and regulators don't either.
“The point we’re making is that the requirements, criteria, and methodology for imposing fines are high level and open to widely different interpretation,” DLA Piper partner Ross McKean wrote in an email to Gizmodo. For example, while France fined Google nearly $57 million last year for enshrouding privacy disclosures under a bulwark of legalese, the UK’s Information Commissioner intends to fine British Airways and Marriott nearly $313 million for allowing personal information to slip into the hands of hackers. (Currently, the GDPR stipulates that the maximum fine is 20 million euros or four percent of a company’s annual global revenue, whichever is higher.) “Are the underlying infringements really so much worse than the Google infringement of GDPR?” McKean wrote.
That’s a hard no. It’s pretty bad that British Airways lost customers’ credit card information. But let’s consider Google’s wholly intentional strategy to slice and dice users’ information down to your conversations and whereabouts, as well as your depression and smoking habit and lab results and radiology scans.
Another unknown is how regulators plan to abate the cascades of data pouring through apps and platforms and the untold zillions of potential breaches. (Notably, the report’s count of 59,430 breaches, which are self-reported by companies, is likely much lower than reality. The figures are “at best approximations,” in part because regulators don’t publicize them, and DLA Piper had to rely on data only from select regulatory bodies that agreed to provide it.) The report notes that regulators are “stretched and have a large backlog of notified breaches in their inboxes” and are honing their efforts on top-level cases.
As we’re seeing with California’s similar data protection law (chaos ensuing), certain companies (Amazon and Facebook excluded) are scrambling to comply with data privacy regulation, which takes money and restructuring. A February 2019 survey of 250 companies, commissioned by the privacy compliance company TrustArc, found that 81 percent of respondents had spent over $100,000 to get compliant with GDPR. Although, over a year after the GDPR’s implementation, it’s unclear how many are there yet; a recent report by MIT, UCL, and Aarhus University found that only 11.8 percent of 680 websites met the minimum GDPR requirement of gathering clear consent for data collection. (The GDPR stipulates that users must be told what data is being collected and why, that companies must have a legal basis for processing that data, and that they must keep a record of their processing activities.)
Beyond serving the most basic user-facing duties, though, willing businesses are struggling to figure out the extent of “compliance.” Jasmit Sagoo, senior director at the data protection company Veritas Technologies, told Gizmodo via email that because companies can’t be accredited for compliance by audit, both businesses and regulators are unsure of what compliance looks like.
Sagoo said that while many companies at first did the “bare minimum,” more are waking up to the realization that they likely still fall outside GDPR’s regulations and are “trying to get ahead of compliance by implementing solutions to understand what data they have, how it’s being processed and stored, and what sort of protection and retention policies there are around it.”
“People are in a lot better position now than they were before this whole thing started,” Sagoo added, “though there’s a lot more work still to be done.”
The heavy lift isn’t so much informing users of their rights but more in the backend. Judy Zhu, researcher at the cybersecurity company Security Compass, listed the tasks of “updating legacy IT systems, mapping your data and understanding your data processing practices, and setting up the appropriate policies and procedures in order to fulfill individuals’ data subject rights.”
Unfortunately, Zhu added, smaller companies would probably feel the pain from GDPR fines and reputational damage more than larger ones; the duopoly doesn’t need to save face for its captives, nor do six-figure fines make a dent.
Yes, a $57 million fine is pocket change for Google. And yes, a lot of your data is already out there. And yes, Estelle Masse, a senior policy analyst at the privacy advocacy organization Access Now, told Gizmodo that the first year of the GDPR has “been quite slow.” But the combination of the GDPR and the California Consumer Privacy Act (CCPA), which went into effect on January 1st, is at least forcing companies to pay attention. (Notably, Facebook initially fought the CCPA tooth and nail before reversing course and declaring that it already takes your data very, very seriously.) TrustArc executive Hilary Wandall tells Gizmodo that companies are erring on the side of over-reporting their fuck-ups, “[s]ince the breach reporting obligations are much broader under GDPR than under prior laws, and enforcement actions have been taken where companies have failed to report or to timely report.”
And here we are, with more ammo than questions from befuddled senators, and Facebook could be staring down a $2.2 billion fine from Irish regulators. If data privacy laws aren’t yet toppling the giants, they’re