GDPR: a year in review


About this time last year your inbox was probably flooded with emails asking for your consent to new terms and conditions. This is how most of us were exposed to GDPR in the first place. Today, exactly one year after GDPR entered into force, we have asked privacy-savvy lawyers from around the world to share their insights on GDPR’s first year of life. Are users more protected? Is data better managed? What privacy measures that actually work could we implement? Let’s find out.

Sara Fernandez, Privacy Strategy Director at Liberty Global:

1) What is your take on the first year of GDPR?

Most companies made a great effort to implement GDPR, mapping their systems, transforming their processes and cleaning unnecessary data that had been retained for ages.

The GDPR has been translated into great improvements in terms of data governance, strategic decision making regarding the use of data, monitoring and awareness.

The risk of big fines made companies take privacy and security seriously.

However, there’s still a lot to do.

Companies should now move from a pure compliance and ‘tick in the box’ approach to privacy to a more purposeful one. From the ‘I have to (comply)’ to the ‘I want to (give my customers control of their data)’. That is what will really move the needle.

As customers are more privacy conscious, many companies are starting to realize that privacy and the user experience around privacy can even become a competitive advantage, and they’re investing in creating tools that can help customers manage their data easily.

2) What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

Since I work for a global company, my experience is that there’s still a lot to do in terms of harmonization, since national authorities tend to interpret GDPR in light of their different historical frameworks. The European Data Protection Board (EDPB) will be very helpful in aligning interpretations.

Users are definitely better protected than before GDPR entered into force, although there are some provisions that might be having the opposite effect to what was originally intended. Especially the ones dealing with information about how and why their data are being processed. The GDPR has set out the principle of transparency, but at the same time article 13 requires companies to provide so much information that in the end customers get lost in endless privacy statements that are like contracts that no one really reads. Less is more. Companies should make an additional effort in making privacy communications simple.

3) If you were able to implement a measure that protects user privacy and their data effectively, what would it be?

Even if we all use a clear and simple language, the fact is that digitalization is so extended that most of the products and services that consumers purchase today involve the processing of data. Managing our privacy is becoming a burden. Most of the time we’re in a hurry and we don’t want to take the time to manage our privacy settings in all our apps and digital interactions.

The solution to this privacy fatigue could be some kind of ‘privacy passport’ or digital wallet, where the user could insert his preferences in terms of purposes, interests or categories of providers for which he agrees to his data being processed. He could manage it on a single point, and that passport would later interact with any app he installed or service he subscribed to. This would really make a difference. Otherwise we’ll keep seeing a contradiction between what customers claim (privacy concerns) and how they actually behave (as if they were privacy careless).

 

Ivana Bartoletti, Head of Privacy and Data Protection at Gemserv and Co-Founder of Women Leading in AI Network:

1. What is your take on the first year of GDPR?

It has been an interesting year! I’d say three things: first, it is great to see privacy back into the public debate, from facial recognition to Facebook – and GDPR has helped raise the bar. Second, still a lot to do in the age of big data and machine learning. And third, it is good to see how GDPR has influenced legislation all around the world.

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

Partially. There was a lot of hype last year, with companies trying to meet the deadline and sending customers (way too many!) emails. The ICO has not issued any fine under GDPR yet but has done a great job at raising awareness and supporting organisations. Users have more understanding, but cases like Cambridge Analytica / Facebook, which are rocking the UK right now, will also further the awareness and demand for meaningful control over personal data.

3. If you were able to implement a measure that protects user privacy and their data effectively, what would it be?

Measures to protect privacy in the age of big data and algorithms. Privacy is a culturally bound concept, and it evolves with technology, too. I would want to see a legal framework around AI, including kite marks and a redress mechanism for decisions made by machines so we can ensure they are fair and transparent.

Alexis N. Chun, Co-founder at Legalese:

1. What’s your take on the first year of GDPR?

The enforcement activities (e.g. employment context — cameras in the workplace; high profile fines — Google’s 50M fine in France) have been illuminating on at least 2 fronts:

i. for organisations — filling in the blanks of what’s OK and what’s not; 

ii. for data subjects — whose rights being in effect (and in general) honoured suggests greater control on their part, rather than simply greater protection. 

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have obtained the increased protection intended by the passing of GDPR?

The Singapore Personal Data Protection Commission has done a stellar job in helping organisations in Singapore understand what is expected of them (to the extent that the GDPR folks have clarified it, of course). Singapore is, after all, the EU’s largest trading partner in ASEAN. The factsheet our PDPC have provided is helpful: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/eu-gdpr-factsheet–041017.pdf. More practically, I’ve found that their FAQs and scenarios (in which GDPR is likely to or unlikely to apply) (https://www.pdpc.gov.sg/Resources/EU-GDPR) have been invaluable in easing the GDPR transition. It’s comforting and reassuring to have a local regulator give its perspective/advice on an organisation’s compliance with a foreign regulation (GDPR). It’s the kind of laudable effort which brings law from the generic and semantic (i.e. this is what the law says) to the pragmatic (i.e. this is what it means for you).

On the second part of your question, I’d repeat point 1ii above. 

3. If you could implement a measure that effectively protects users and their data, what would it be?

Doing it! Building an ISMS (Information Security Management System), helping folks understand how to involve and protect their employees, how to perform a legitimate interest assessment, etc.

In the longer term, I’d slightly abashedly tout Legalese’s innovation premise — to build a domain-specific language for law — so that one can build machine-readable and machine-consumable law (i.e. contracts, statutes, business process logic). To get us from syntax to semantics to pragmatics. To move the practice of law and commodification of it from simply using technology to help with the manual labour (MS Word), to using it to also help with the thinking. With the DSL-for-law, you’ll allow those different components of law to talk to each other. This means that you can then apply software tools (that programmers have at their disposal but lawyers don’t even have names for) to law: compliance checking, scenario testing / outcome modelling, static analysis, unit testing, self-updating packages (every time a new guideline is issued or enforcement case is decided), dependency management, etc.

 

Jorge Morell, Jurist and Legaltech, Founder at TyC:

1. What’s your take on the first year of GDPR?

In the beginning, there was a lot of paranoia and bewilderment, to the point that legal issues already known were seen as not known. In any case, over time, both companies and users have adapted to the latest developments the General Data Protection Regulation has implied. So now, in that sense, there is more calm. In any case, it’s an uneasy calm: the first resolutions and sanctions of the data protection agencies under the new regulations have only been known for a few months. Something that again generates uncertainty and moments of doubt.

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

According to the information published by the Spanish Data Protection Agency, the number of claims filed with the Agency has increased significantly (more than 33%). Notices of data breaches have also increased, given that this is a new regulatory requirement. There have been more than 400 notices of data breaches since RGPD came into force almost a year ago.

As for whether a greater level of user and data protection has been reached, maybe it is still too soon to assess it. In any event, it is true that thanks to RGPD we have been able to know new details about many aspects of data management that remained unknown up until now (for instance, how long data was kept or the legal basis for its management). This is something that in the long run will benefit transparency in the management of personal data.

3. If you were able to implement a measure that protects user privacy and their data effectively, what would it be?

Mandatory classes at schools, high schools and universities on protection of personal data. There is a big need for education in this area, given that if users do not know their obligations and duties in this matter, present and future regulatory developments will be of little use.

 

Elizabeth M. Renieris, Founder at hackylawyER:

1. What is your take on the first year of GDPR? 

On the surface, it looks and feels like a year of mass confusion and chaos. For many individuals, the Web suddenly had a different look and feel, with European and rest-of-the-world versions of websites (with some sites wholly unavailable in certain jurisdictions), an increasing number of paywalls and subscription offerings, and myriad updates to terms and conditions and privacy policies. Businesses took a new or renewed interest in their customer-facing notices and disclosures, in compliance tools and professionals, and in privacy and data protection events and conferences. It’s no coincidence that the International Association of Privacy Professionals’ 2019 Global Summit was its largest yet, with more than 4,000 privacy professionals in attendance. Finally, for governments around the world, there was a recognition that they were next, and that their citizens were looking for the same or similar kinds of protections as those afforded to European citizens by the GDPR. It feels like the first year that we had a truly global conversation about data protection and privacy, and data governance-related issues more generally.    

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

In the US, and particularly in Washington, DC where I am based, the GDPR has forced a long overdue conversation about privacy and data protection in our houses of Congress. Despite being an early global leader on these issues through international conventions like the Universal Declaration of Human Rights and domestic measures like the Fair Information Practice Principles and the Privacy Act in 1974, Congress has done nothing meaningful on privacy in decades. This absence of action coincides with a series of devastating data breaches of both the public and private sectors, and a loss of trust in our digital platforms, with an impact on nearly all Americans. The question of whether we are better or worse off in light of GDPR is the subject of much debate in our legislature, with the answer depending on preexisting political agendas and biases. Overall, it feels like we have a deep lack of understanding in this country about what the GDPR is and how it’s intended to work that impedes our ability to make such a determination. For example, there seems to be this idea that the GDPR is only about click-box consent. That’s just false.  

3. If you were able to implement a measure that protects user privacy and their data effectively, what would it be? 

Perhaps the hardest truth to confront in this arena is that there is no silver bullet. There is no single measure—no piece of legislation, administrative action, technology, or market solution—that can give us a better relationship with our data as individuals, corporates, governments, and as a global society. Progress will be incremental and will require a tapestry of laws, market adjustments, and behavioral changes. The most important thing is to not accept a defeatist version of the future where we have no control over how data is used to impact our choices or decisions, and where we lack any privacy in our communications, thoughts, actions, and lives at large. If we think it’s game over, it is. As Margaret Atwood recently said at the IAPP Global Summit, we must remember what it was like to have a private life.  

Oscar Montezuma Panez, Director at Niubox Legal:

1. What is your take on the first year of GDPR? 

GDPR was the result of raising substantially the levels of protection of the existing legal framework in an attempt to address concerns on digital privacy, expecting this would solve once and for all such a complex global matter. Even though GDPR has been an international hot topic in its first year and EU DPAs (Data Protection Authorities) are imposing high fines, a full level of compliance with the law has not been achieved. High supervision and enforcement costs may be one of the biggest challenges for GDPR. Ongoing concerns on the impact this regulation may have in terms of innovation and free flow of information in digital entrepreneurship still remain.

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

The extraterritorial scope of GDPR has been the main impact in my jurisdiction. We have received many inquiries from clients on whether GDPR applies to Peruvian-based e-commerce and digital platforms of global reach (i.e. hotels). On the other hand, many multinational corporations (i.e. IT companies) have been submitting addenda to the service agreements requesting their Peruvian counterparts’ full compliance with GDPR.

3. If you were able to implement a measure that protects user privacy and their data effectively, what would it be?

It would be too ambitious and self-sufficient to pretend that such a complex phenomenon as privacy will be solved only with regulation. For example, I would explore using tools such as legal design thinking for drafting more transparent and user-friendly/plain-language privacy policies so that users are more aware of their rights.

 

Marie Potel-Saville, Founder & CEO Paris office at Dot. Legal Innovation:

1. What is your take on the first year of GDPR? 

I’m probably biased when it comes to GDPR, because in one of my previous lives, I was project manager in charge of setting up the global data privacy compliance programme: I used to “think, eat and drink” GDPR!

My first impression was that, overall, during the first year of GDPR, awareness of the importance of the topic was high. And that so was awareness on the obligation to set up adequate processes sooner rather than later. Not just within large groups, but also amongst SMEs.

It was a bit of shock for me to see the results of the study conducted by Editions Legislatives, Dalloz and AFJE, in partnership with Data Legal Drive: the first RGPD Barometer.

According to respondents, in May 2019, about a third of them had not started setting up the necessary measures.

On the brighter side, 59% of respondents nominated a DPO and 26% nominated a “person in charge of data privacy”, even if not officially a DPO.

This being said, an interesting shift occurred in the course of the first year of GDPR: from privacy by design to designing privacy. The French regulator, CNIL, had already announced this shift early 2018, putting design among its priorities.

Early 2019, the CNIL’s innovation lab (the “LINC”) dedicated a 30-page study to “Shaping Choices in the Digital World”, i.e. the impact of design on GDPR compliance.

The LINC goes as far as calling for a “regulation triangle” composed of law, tech and design, namely to avoid the manipulation of our cognitive biases to “consent” without fully willing to. The CNIL also calls for designers to be more aware of their key role in protecting personal data, hence civil rights, and recently launched the “Design Factory”, a community of designers equipped and committed to personal data protection. Lawyers and designers are now fully encouraged by data protection authorities to collaborate.

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

A positive impact that I’ve seen in France and other jurisdictions relates to cookie policies: some websites now offer the possibility to easily set up cookies upfront, clearly distinguishing between indispensable functional cookies, and other cookies. Even before reading the policy itself. That’s a great step towards empowering the users to get control back.

Besides, we’ve been working for international clients to redesign their global privacy policies and interestingly, GDPR does not only have an impact in the EU or in jurisdictions where EU citizens’ personal data are being processed: in some large listed groups, GDPR is becoming the new global standard.

GDPR as a global “best practice” is definitely progress towards greater protection.

Obviously, articulation between GDPR and local laws around the world remains tricky, but we’ve seen in some of our global privacy projects a principle that “the higher protection applies”.

The mindset is changing.

3. If you were able to implement a measure that protects user privacy and their data effectively, what would it be?

The best protection is education and awareness. We’re working every day to make privacy policies intelligible, accessible and engaging: more protective because users want to read them.

Blind signing has been plaguing online “consent”, not just in privacy matters. And clearly, lawyers and companies are to blame: the New York Times spotted that it would take 76 days to read all the T&Cs users agree to online in the span of 1 year.

We’re implementing workshops and an education programme for lawyers, designers and businesses at large to help them draft and design privacy policies that convey key messages effectively and give control back to users.

The measure I would like to implement is simply spreading the word: law, including data protection, is not doomed to be gloomy and incomprehensible.

 

Ana Paula Rumualdo, Senior Associate Hogan Lovells México:

1. What is your take on the first year of GDPR?

This first year has involved the necessary adaptation of personal data processors and controllers from all over the world to the European legislation. 

Companies operating under national regulations suddenly began to ask themselves if GDPR applied to them or not, according to the type of processing they carried out. 

Moreover, another problem that had to be faced was the 72-hour notice to report violations to the authority. In the past, these actions had to be aligned with the laws of each Member State.

There is now a proposal to unify the post-violation response protocols. There are of course more background modifications, but these two in particular have provoked the revision and reinforcement of the data protection controls.

2. What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have the greater protection that was intended when GDPR was passed?

I think indeed there may be a greater degree of protection for users and their data. Given how high the potential sanctions may be, data managers and data processors have adapted their policies. However, it is still early to know whether the protection has effectively improved. Even if sanctions are high, it may be the case that the benefit obtained from managing personal data in violation of GDPR would be higher than the potential fine, so that it may still be easier for companies to beg for forgiveness than to ask for permission.

3. If you were able to implement a measure that protects user privacy and their data effectively, what would it be?

I would do it in my jurisdiction, and it would be that individuals that control or process personal data (in Mexico we refer to them as “managers” or “responsables”) would give compulsory notice to the authority (INAI) in the event of an incident of violation. In Mexico, the regulation says that immediate notice has to be given to the owners of such data in the event of a violation that may impact their rights significantly.

 

Sergio Miralles, Founder at Intangibles Legal S.L.P.:

1. What is your assessment of the GDPR’s first year in force?

There have been positive aspects, such as the fact that the supervisory authorities have generally opted to facilitate the application of the GDPR through the preparation of guides, interpretive documents and training. It must be remembered that the GDPR “is arguably the most complex piece of regulation the European Union (EU) has ever produced” («Europe’s tough new data-protection law», The Economist, April 5, 2018).

Likewise, the influence that the GDPR is having outside the EU is noteworthy, as it is a benchmark and model to be followed by many jurisdictions, for example, in Asia. However, the regulatory framework of data protection in Europe will not be completed until the approval of the new ePrivacy Directive, with a legislative path that has suffered several delays.

As a negative aspect, perhaps I would highlight the rigidity with which many advisors have interpreted the GDPR in compliance processes carried out prior to the entry into force of that regulation (a result of the complexity of the legal standard, but also of the high degree of standardization of most regulatory compliance processes). In this sense, we have seen requests for second opinions, especially by large and medium-sized companies, to verify whether strict adherence to compliance plans entailed relevant restrictions on certain processing or access to resources.

2. What have been the effects of the GDPR in your jurisdiction? Do you think that the higher degree of protection of users and their data pursued with its approval has been reached?

It is worth mentioning the broad parliamentary consensus that led to the approval of the new LOPD, a statute that contains relevant exemptions and derogations from the GDPR, as well as interpretative determinations of the GDPR applicable in Spain.

Undoubtedly, the mass media coverage in 2018 of the GDPR has contributed to increasing social awareness about the protection of personal data.

The new regulations are ambitious and complex, so I think at least 3 or 4 years will be needed to make a first general assessment of their effectiveness. One aspect that will be relevant for a correct application of the GDPR will be the degree of interpretative consensus reached between various national supervisors through the European Data Protection Board (https://edpb.europa.eu/).

3. If you could implement a measure aimed at protecting privacy and data protection effectively, what would it be?

The GDPR and the LOPD are regulations that contain many indeterminate legal concepts (i.e. with relatively open definitions) that must be filled in according to the particularities of each type of processing. Likewise, the great impact that advances in information technologies have, and will have, in this legal field will require a constant review and interpretative update. For all these reasons, I think that it will be very important to offer guidance to data controllers and data processors on minimum standards of compliance. In this sense, the role of supervisors with the publication of guides and the adoption of resolutions, and of the courts in their jurisdictional review role of administrative resolutions, will be key.

Finally, I think that technical standardization for specific types of processing (e.g. for hardware used in IoT processing), as well as specific regulation for certain sectors (e.g. research with health data, online marketing, etc.) will be useful measures for a correct application of the GDPR and the LOPD.
