Statement on 4 Years of GDPR
GDPR did not change a culture of non-compliance. When the GDPR became applicable on 25 May 2018, it was perceived as a watershed moment. Comments were somewhere between the EU getting serious about privacy and the internet breaking down at midnight. The past four years have shown that a law alone does not change business models that are based on the abuse of personal data and a culture within the privacy profession that often focuses on covering up non-compliance. After a first moment of shock, a large part of the data industry has learned to live with GDPR without actually changing practices. This is mainly done by simply ignoring users’ rights and getting away with it.
The GDPR culture: open mocking and hostility. This often translates into fundamental rights being belittled. The fundamental right to data protection is not respected and perceived as a result of a long democratic process, but mocked as crazy or “impossible to comply with”. Authorities and non-profits that try to enforce the law as it stands experience open hostility and accusations, like that enforcement would “kill innovation”. Hardly any other area of law is politicized to that extent – at least I have never heard that building or tax codes were openly ignored with the argument that compliance would “undermine the business model” of a company. The privacy bubble accepts such narratives as a legitimate argument.
GDPR compliance dynamics. The GDPR has not (yet) managed to get out of a pre-existing condition: a downward spiral of more and more non-compliance and non-enforcement. Just like when parts of a city become a criminal “no go” zone that are abandoned by police, it seems that many data protection authorities have lost the upper hand on many areas of the digital sphere. Companies realize that competitors do not comply and that acting legally does not pay off. The wider non-compliance spreads, the harder it will get for authorities to gain back control with limited resources.
Lack of enforcement by DPAs. The lack of any real enforcement and hence the lack of a deterring effect on other companies pours more oil onto this fire. Of about 50 cross-country cases that noyb has filed in the last four years, none have seen a final decision yet. Month by month without proper enforcement it will get harder to get this situation back on track. While some authorities seem to worry more about public perception if they actually enforced the law, others seem to have realized the situation and do their best to get going. Nevertheless, time is pressing and it seems that we are approaching a situation in which the GDPR will be fully ignored – just like the previous EU Data Protection Directive of 1995.
Technical problems. On the ground, authorities (and data subjects) often suffer from very technical problems created by different national procedures, limited resources, a lack of trained personnel or courts that are quick to overturn decisions. These issues do not grab headlines, but are the reasons why by now noyb has to deal with procedural matters more than with privacy issues.
noyb: First they ignore you, then they fight you, then you win. Within this larger context, the role of noyb has seen a very interesting shift in 2022. Many players in the industry see it as an insult that users may actually demand compliance with the GDPR and may actually dare to go to courts over their rights. While the courts are usually the natural habitat of any lawyer, we see lawyers being increasingly outraged about our work. I personally see this as a sign of our outstanding success as a small organization that was still ignored one or two years ago.
The way forward. For many fundamental rights it took centuries to establish, defend and implement them. All of them are continuously under attack and need to be worked on every day. It should not come as a surprise that the same is true for the right to data protection. Authorities will need to learn that no one likes enforcement bodies – but that their role is crucial for our digital societies. Companies have to learn that there are consequences. Industry lawyers will have to learn that their views will be challenged before data protection authorities and courts. Privacy activists will have to learn that just passing a law is not enough – but we need to enforce it too. We are very much looking forward to working on this for the years to come.