It’s been over a year since the GDPR came into effect, and at least five since it was first debated seriously. For much of that time it was discussed as a global game-changer, yet the predicted earth-shaking effects of its implementation — billion-dollar fines, the end of data exploitation by rogue firms, high-profile court cases — have largely yet to materialize. Instead, the landscape of the internet has changed in more subtle and complex ways which could not have been predicted by pundits, and it’s affecting businesses of every size.
The high cost of compliance and relatively low impact of fines so far seems to have built a two-tiered internet. Small organisations have found themselves forced out of the European market entirely, while large and wealthy businesses have simply ignored calls to develop and adapt to new regulatory standards.
The political will for regulation of large tech companies — for stricter enforcement of GDPR penalties — continues to grow in European Parliament. All signs point to a significant second act for GDPR’s influence on the global internet in the coming months.
One significant issue that has gone mostly unexamined is the difficulties faced by small and medium-sized organisations that simply lack the resources or technical knowhow to comply with new regulations. This has prompted many American firms to simply block all access from Europe, a response which was initially a quick and dirty means to buy time while companies made the transition. One year on, however, it’s calcified into common practice.
The United States’ local news ecosystem offers a perfect example of this. These websites are a perfect storm for GDPR compliance for several reasons:
They’re not EU-based, so they may not recognise the need to comply.They’re often legacy organisations which predate the internet by over a century, meaning they’re culturally unwilling or technically unable to work on their data protection.They’re being economically squeezed by the growth of Big Tech companies and changing news consumption patterns across age demographics.
The results are predictable. In May 2019, Top10VPN.com examined the GDPR compliance status of over 500 U.S. news sites. We found that 42% have opted to block all connections from Europe, while a further 9% offer European users a significantly reduced experience compared to their American counterparts, with less content and minimal features.
This has clear implications. U.S. citizens travelling abroad are unable to access news from their local area. European journalists looking to stay aware of grassroots movements or regional politics in the runup to the 2020 election will be locked out unless they use a VPN.
Overall, the US local news ecosystem provides a strong example of a larger structural problem with GDPR compliance in the United States.
The state of compliance with GDPR in the USA is shaky at best at the present moment, in part due to economic incentives. Smaller organisations like local newspapers have an obvious disincentive: there are simply not enough resources available to implement the required systems of protection, and crudely blocking connections from Europe is a cheap way of getting around the problem entirely. However, larger non-compliant organisations have a more nuanced set of motivations.
For some larger organisations it is actually cheaper to run the risk of fines than to implement full compliance. The past year has seen European governments relatively unwilling to use the full power of GDPR’s fines. It’s difficult to know exactly why — doing so would involve speculating about the politics of a trading bloc that spans an entire continent — but governments may have been discouraged by the hype around GDPR’s huge potential fines. Using the law to its fullest potential could harm investment confidence in an individual nation.
Before GDPR was implemented, some pundits were speculating that fines could cost the financial sector alone the equivalent of $5.3 billion USD in the first three years. Of course, there have been a few major fines; the French government fined Google €50 million for their lack of transparency about European data handling and for failing to obtain clear consent for personalised advertising. That being said, this works out at just 0.14% of Alphabet’s Q4 2018 income — far from the maximum potential figure of 4% of annual revenues.
Of course, plenty of American companies are motivated and willing to comply with GDPR, but the lack of major fines may contribute to a perception that GDPR compliance can be neglected or worked around. If the internet is going to reach full GDPR compliance, the situation will have to change.
The introduction of GDPR, then, has had more complex results than may have been initially imagined. Although many organisations are compliant, GDPR has thus far failed to be the regulatory stick that Europe was to beat Big Tech with. Rather, the legislation has had a mixed reception amongst tech giants that can afford the relatively insignificant fines that European governments have thus far doled out, and has even driven some smaller organisations out of the European market entirely.
Part of this is down to an attitude in the US that since GDPR is a European law, firms based in America need not care about it. Of course, the globalised nature of the internet makes this kind of bordered thinking unrealistic in practice, and compliance with GDPR should be viewed as the price of doing business in the European market. However, this does speak to a problematic culture at the board level when it comes to technology and the law. Issues surrounding tech and the handling of personal data are often understood as separate to the ordinary running of businesses, when these issues should actually be incorporated into the decision making process as a key concern.
In the runup to GDPR’s implementation, it was found that just 31% of technology decision-makers had governance sponsorship for GDPR compliance from their organisation’s C-suite. Although these numbers are likely to have risen in the year since the GDPR actually came into force, it says a lot about a culture of technological ignorance in many C-suites. Realistically, this issue cannot be ignored or pushed back in the long term.
So then, what will it take for GDPR compliance to be forced to the top of the agenda for those companies that haven’t already embraced it?
The GDPR was created to institute real regulatory power over companies that exploit user data in dishonest ways. To achieve this and urge further compliance, there needs to be widespread political willingness to properly use GDPR powers to their fullest extent.
Recent events in Ireland, England, and Germany all suggest a growing will to fight Big Tech companies on the social impact of their products. As the ire of European parliament increases, it seems likely that larger GDPR fines will also be levied. An early symptom of this has appeared with the record-setting £183 million fine that the UK Information Commissioner’s Office levied against British Airways over its improperly handled data breach last year. It seems sensible to expect more in the coming months.
Another force that spur the rate of compliance in the United States is the growth of state-level laws like the California Consumer Privacy Act. Data privacy acts have recently passed in Nevada and Maine, and similarly comprehensive bills have been tabled across the USA, including in New York and Washington DC. These laws are just as comprehensive as GDPR — indeed, they’re often directly modelled in its image — but they’re closer to home, and therefore are more likely to occupy the thoughts of key decision makers.
These forces will push up the rate of compliance for organisations of all sizes in the United States. Larger organisations will be forced to take notice of a choice that may otherwise have been put on an eternal backburner: the choice between full GDPR compliance and leaving the European market entirely.
However, smaller organisations will also gain increased compliance, albeit on a slower time-frame. As regulatory compliance with European and similar state-level laws start to be seen as the inevitable price of doing business, it’s likely that data privacy solutions will become cheaper and more accessible as the market grows and expensive solutions are competed out of existence. Although there will be a lag until the market settles, even marginalised organisations like rural newspapers will eventually be able to afford GDPR-compliant data protection solutions.
What we’re seeing with GDPR is not the sudden shakeup that pundits predicted, but a slow series of shocks and aftershocks rippling out across the internet and the globe. Lawmakers around the world have realised that the internet can be regulated, and the online landscape will not remain lawless for long. While US compliance remains sporadic right now, it’s likely that the next two or three years will see a wave of data privacy regulations break across the country. GDPR is as significant as pundits claimed; it’s just slower. Eventually, businesses will be forced to take notice.