GDPR Regulation Long-Term Implications
The General Data Protection Regulation (GDPR) was created on 14 April 2016 but the new regulations were enforced starting 25 May 2018. So far, the new laws and regulations focus on protecting personal data, yet the long-term impact i.e. GDPR Regulation Implication is still relatively unknown.
However, it provides more control to the users over their data, potentially create a different digital infrastructure and new businesses will be established following its introduction.
In this article, I’ll shortly introduce the GDPR regulation, why the European Union wanted such regulations and the long-term implications for businesses as well as the long-term implications for EU citizens, once all the dust has settled around its introduction.
Let’s get started.
What Is the GDPR?
The European Parliament's intentions by introducing the GDPR is to enhance the privacy protection of European citizens by making sure the people and businesses that handle personal data do so in a proper and secure way.
The GDPR is a regulation enacted by European countries and it therefore, applies to any data subject who is residing in the European Union, but it doesn’t stop there. Any cross-border and internationally operating company that processes data of EU residents are obliged to comply with the new GDPR regulations. For example, Facebook, Google, Twitter and Aliexpress are included but also a digital marketing firm in the U.S. handling social campaigns targeting German customers.
Why was the GDPR Introduced?
This GDPR was introduced as most businesses failed to protect data properly and personal data was abused by companies without the customer even having the slightest idea about it.
Something similar occurred during the 2006, 2007 and 2008 financial crisis attributed to the banks. The banks also “promised” to self-regulate, the banks didn’t need any third-party influence or regulations, they could do the regulations alone - not.
Europe is experienced and saw banks fail to self-regulate. Internet companies are now in the same position roughly 10 years later. The amount of legal jibber-jabber in privacy and terms of service statements on websites was the norm. It was specifically designed so that only a person with a legal background could make something of it. It was so vague that any legal action against the website owner could be avoided.
Thus, the EU decided that companies needed the GDPR in order to comply with a certain set of laws and regulations as they wouldn’t do this by themselves. The fines for not following the GDPR regulations are pretty serious too.
There are two different levels: lower level and upper level. GDPR EUs website stated the following in regards to the fines:
Lower level
Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher.
Upper level
Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher,
To put that into perspective, Facebook generated an annual revenue of 40.653 billion USD. So, in any case of infringement, Facebook would receive a 1.63 billion USD in fine.
Businesses Shift Focus
An important aspect of the long-term implications of the GDPR regulation is to emphasize on the outcome of the legislation.
Simply put, the focus will most likely shifting in the direction of giving the internet-users more power and control over their own data. And in return, individuals and businesses must in fact improve their privacy statements, compliance and governance procedures and terms of service.
Many companies have already made the required changes to their privacy and terms of service statements, which many of us received emails about - yet editing some statements is just the beginning.
This means that new companies will also rise from the implementation of the GDPR regulation in order to help customer to select a service or product tailored to their specific privacy needs. I’m talking about services such as an internet explorer or a phone contract that doesn’t only depend on quality, speed or price but also your privacy values.
Online Advertising Market
Online advertising will definitely change in the future, especially if the GDPR regulation model is adopted by more countries - the U.S. could have a huge impact.
Currently, the major players in the advertising field like Facebook, Instagram and Google Adwords are dependent on data sharing of their users, tracking cookies, shadow profiles and other tracking techniques that create profiles of each user. These profiles are then used to offer the most relevant ads to the customer.
However, that model might need innovations and improvements once people start to block tracking cookies. At this point, Facebook is still creating shadow profiles of people who don’t even have Facebook, but this might change in the future. Also, people could disable companies to use their data to target relevant ads.
ePrivacy in GDPRs Footsteps
Shortly after the enforcement of the GDPR regulation, the European Union started working on a new set of regulations called ePrivacy. But what is ePrivacy exactly?
AtInternet defines the new ePrivacy regulation as follows:
“The proposed Regulation on Privacy and Electronic Communications, also known as the ePrivacy regulation, is a proposal from the EU Commission designed to strengthen the protection of EU citizens' private lives, and create new opportunities for business.”
The regulation will follow closely after the GDPR regulation and will regulate electronic communications, non-personal data (cookies law) and it has different legal precedents. The regulations will mostly battle against browser cookies, their function and controls - from websites to the browser.
The ePrivacy regulations aren’t enacted yet, however, it’s expected to be introduced rather sooner than later. As this is only the first set of new regulations to follow the GDPR, I won’t be surprised if more regulations follow. And, especially if other countries follow Europe’s example of designing new privacy laws because most countries have extremely outdated online privacy laws and regulations.
Privacy Groups Exploit GDPR
As briefly mentioned before, new businesses will establish themselves following the introduction of the GDPR regulation. The new legislation also provides the ability to file class-action complaints, which is a rather uncommon style of filing complaints in Europe. These type of court filings are mainly common in the U.S.
Simply put, people or groups can join forces and file data privacy complaints as a group rather than as an individual. I expect companies to establish themselves as mediators for these groups and they’ll carry the legal workload for a certain percentage of the fine.
For example, take a look at flight compensation businesses like AirHelp. As stated on AirHelp website:
“Flight delays happen, but that doesn’t mean you have to accept them. You may be entitled to as much as $700 in compensation if your flight has been delayed, canceled or overbooked within the last three years.”
99% of the people won’t be able to or don’t have time to file a case against an airline to receive compensation. But it’s incredibly easy through a company like AirHelp, where you input the flight details, your story and it’s processed through already established funnels to get your money back. It’s almost like an automated machine.
Who Might Get Caught: Enforcing Legislation
Facebook has been on the news relatively often in the wake of the GDPR regulation and especially Mark Zuckerberg’s performance in front of the U.S. Congress and European Parliament, which was, well... interesting. Many people might consider Facebook as one of the first to receive a huge fine by the GDPR regulators. I believe this to be incorrect.
Facebook has “limitless” resources for legal teams and other experts who can help the company to comply with all the new rules and regulations. Therefore, I think the first companies to be fined are small U.S. webshops, cloud tools, advertising application vendors and so on.
These businesses handle, store and use a lot of EU citizens’ personal data to either run their business or optimize their business models. Due to the large quantity of EU data involved and potentially little budgets to follow the new regulations, the first victims may fall in this industry.
It’s going to be interesting how companies are going to be fined, how quickly, how many and how often in the future. It’s yet to be seen how many regulators are going to go after businesses that fail to comply.
My Final Thoughts
At the of the day, it’s a bit too soon to tell what’s really going to happen in the future. It might not really provide a satisfying answer to the very core of this article, however, it’s simply too hard to predict right now and it’s mostly speculation.
There are also a lot of other factors at play that may or may not have a huge impact on the further development of the GDPR regulation, and potentially other regulations by the European Union as well as other countries.
Personally, I’m especially interested to see whether the U.S. government is going to take any actions in regards to U.S. data privacy and data protection. If so, what regulations might be introduced? Also, it’s hard to tell whether the new regulations are going to strengthen the tech-giants or weaken them.
It’ll largely depend on how strictly EU regulators enforce the new regulations and whether they’ll get bigger budgets in the future.
Yet, are people prepared to trade their online privacy for convenience, and if so, up to what point? Only time will tell.
Bill here from PixelPrivacy.com. My blog is all about making the world of online security accessible to everyone. I pride myself in writing guides that I’m certain even my own mom could read! Be sure to head over to my blog if you’re interested in keeping your private information just that: Private!
ECOMPLY is a GDPR compliance management software that assists in building and maintaining compliance documentation. Check out our website or contact us for more information.