The General Data Protection Regulation (GDPR) established the EU as a leading actor in data protection issues around the world, but to what extent was it able to achieve its objective of empowering European citizens on data privacy and transforming the way organizations handle users’ personal data?
The European Union’s General Data Protection Regulation (GDPR) entered into force in May 2018 amidst profound discussions over its possible impact on businesses and European citizens’ rights.
In the first eight months of the application of GDPR throughout the European Union, 91 fines were issued by the regulators, according to the latest report of DLA Piper. The only tech giant that has been penalized for failing to comply with GDPR so far is Google, which was fined 50 million euros by the French data protection regulator (CNIL) for failing to obtain consumers’ consent for personalized ads.
Before GDPR came into force, there was a consensus that its significant impact on advertising revenue would pose a threat to the main business model of online platforms such as Facebook and Twitter. Yet, tech companies continue to monetize citizens’ data, with their main business model still heavily reliant on the use of personal data. Thus far, YouTube remains the only social media network to try out a paid-subscription model for an ad-free experience.
Citizens lack true control over their personal data
Despite enabling people to access their personal data, many of the data files provided by tech companies under the new GDPR rules fail to show, in an easily understandable manner, how users’ data is gathered and used. Correspondingly, the European NGO noyb recently filed a series of strategic complaints against eight tech companies including Amazon Prime, Netflix, and Spotify for non-compliance with Article 15 of the GDPR on the right to access. A reporter at The Verge recently came to the same conclusion after putting Apple, Amazon, Facebook, and Google’s right to access services to the test.
An unexpected result of GDPR has been the bombardment of users with consent forms, displayed each time they access a new website, urging them to agree to the processing of their personal data. This overflow of alerts during the dynamic activity of browsing leads to an “opt-in fatigue” phenomenon among users.
The complex layout of most consent forms steers citizens away from making privacy-friendly choices, as those who want to opt for better protection of their data must undergo a significantly longer process. The somewhat default status of the “I accept” button in consent forms – which comes as an indirect result of the requirement of GDPR for companies to differentiate between various purposes of use while collecting consent – is problematic and far from being user-friendly.
Social media platforms use different strategies to get users to share more personal data
Tech companies employ diverse tactics such as interface design, symbols and wording to nudge citizens towards sharing as much personal data as possible. This is demonstrated in the findings of a recent report of the Norwegian Consumer Council, which show that the platforms of Facebook, Google and Windows 10 give users only an illusion of control over their personal data. Despite still complying with GDPR in theory, these platforms manipulate users through privacy-intrusive default settings and misleading wording.
While GDPR can be credited with empowering the engaged citizen, it falls short of emancipating ordinary citizens whose personal data remains the main revenue driver for tech companies such as Facebook and Google. As rapid advances in digital technology and artificial intelligence (AI) are likely to pose further challenges for the practical application of the GDPR, it is necessary for EU lawmakers to enhance the current rights of data protection and commit to keeping the regulation up to date with fast-moving technological development.