European regulators have spent the last few years trying to determine how much you’re worth in data: beyond your email, name, and location, that includes race, religion, opinions, and even mental state. A new report by the global law firm DLA Piper has found that, since Europe’s General Data Protection Regulation (GDPR) went into effect in May 2018, EU Member States have fined companies a total of $126.5 million for more than 160,000 personal data breaches. The policy promised to go out for scalps, but it’s still unclear how much it has delivered. Is $126.5 million a lot? I don’t know, and regulators don’t either.
“The point we’re making is that the requirements, criteria, and methodology for imposing fines are high level and open to widely different interpretation,” DLA Piper partner Ross McKean wrote in an email to Gizmodo. For example, while France fined Google nearly $57 million last year for enshrouding privacy disclosures under a bulwark of legalese, the UK’s Information Commissioner intends to fine British Airways and Marriott nearly $313 million for allowing personal information to slip into the hands of hackers. (Currently, the GDPR policy stipulates that the maximum fine is 20 million euros or four percent of a company’s annual global revenue.) “Are the underlying infringements really so much worse than the Google infringement of GDPR?” McKean wrote.
That’s a hard no. It’s pretty bad that British Airways lost customers’ credit card information. But let’s consider Google’s wholly intentional strategy to slice and dice users’ information down to your conversations and whereabouts, as well as your depression and smoking habit and lab results and radiology scans.
Another unknown is how regulators plan to abate the cascades of data pouring through apps and platforms and the untold zillions of potential breaches. (Notably, the report’s count of 160,921 breaches, which are self-reported by companies, is likely much lower than reality. The figures are “at best approximations,” in part because regulators don’t publicize them, and DLA Piper had to rely on data only from the select regulatory bodies that agreed to provide it.) The report notes that regulators are “stretched and have a large backlog of notified breaches in their inboxes” and are focusing their efforts on top-level cases.
As we’re seeing with California’s similar data protection law (chaos ensuing), certain companies (Amazon and Facebook excluded) are scrambling to comply with data privacy regulation, which takes money and restructuring. A February 2019 survey of 250 companies, commissioned by the privacy compliance company TrustArc, found that 81 percent of respondents had spent over $100,000 to get compliant with GDPR. Over a year after the GDPR’s implementation, though, it’s unclear how many have actually gotten there; a recent report by MIT, UCL, and Aarhus University found that only 11.8 percent of 680 websites met the minimum GDPR requirement of gathering clear consent for data collection. (The GDPR stipulates that companies must notify users of what data is being collected and why, provide legal justifications for processing data, and keep a list of their processing activities.)
Beyond serving the most basic user-facing duties, though, willing businesses are struggling to figure out the extent of “compliance.” Jasmit Sagoo, senior director at the data protection company Veritas Technologies, told Gizmodo via email that because companies can’t be accredited for compliance by audit, both businesses and regulators are unsure of what compliance looks like.
Sagoo said that while many companies at first did the “bare minimum,” more are waking up to the realization that they likely still fall outside GDPR’s regulations and are “trying to get ahead of compliance by implementing solutions to understand what data they have, how it’s being processed and stored, and what sort of protection and retention policies there are around it.”
“People are in a lot better position now than they were before this whole thing started,” Sagoo added, “though there’s a lot more work still to be done.”
The heavy lift isn’t so much informing users of their rights as it is the work on the backend. Judy Zhu, a researcher at the cybersecurity company Security Compass, listed the tasks of “updating legacy IT systems, mapping your data and understanding your data processing practices, and setting up the appropriate policies and procedures in order to fulfill individuals’ data subject rights.”
Unfortunately, Zhu added, smaller companies would probably feel the pain from GDPR fines and reputational damage more than larger ones; the duopoly doesn’t need to save face for its captives, nor do six-figure fines make a dent.
Yes, a $57 million fine is pocket change for Google. And yes, a lot of your data is already out there. And yes, Estelle Masse, a senior policy analyst at the privacy advocacy organization Access Now, told Gizmodo that the first year of the GDPR has “been quite slow.” But the combination of the GDPR and the California Consumer Privacy Act (CCPA), which went into effect on January 1st, is at least forcing companies to pay attention. (Notably, Facebook initially fought the CCPA tooth and nail before reversing course and declaring that they already take your data very very seriously.) TrustArc executive Hilary Wandall told Gizmodo that companies are erring on the side of over-reporting their blunders, “[s]ince the breach reporting obligations are much broader under GDPR than under prior laws, and enforcement actions have been taken where companies have failed to report or to timely report.”
And here we are, with more ammo than questions from befuddled senators, and Facebook could be staring down a $2.2 billion fine from Irish regulators. If data privacy laws aren’t yet toppling the giants, they’re at least levying a time suck and a pain in the ass.
Correction: A previous version of this article stated that DLA Piper reported a total of 59,430 breaches. The correct figure is 160,921. We regret the error.