GDPR celebrates 5th birthday as EU faces down Meta

It’s been five years to the day since the EU enacted the groundbreaking General Data Protection Regulation (GDPR). And though there is still a ways to go before Big Tech loses its invasive control of our digital private lives, experts seem mostly positive about its impact.
“The rock in the pond that is the GDPR continues to cause ripples that affect everything in the vicinity. Five years after enforcement began, it is difficult not to see the results of the regulation.”
That’s the verdict from Jeff Reich, who runs a firm called Identity Defined Security Alliance and is based in Texas. Of course, he’s far from the EU, where the GDPR was first enacted on May 25th, 2018. But that’s precisely what has made the GDPR a landmark regulation: its far-reaching strictness.
As its own dedicated website explains: “The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.”
That explains why, to date, the law has hauled in a hefty sum of fines: €2.8 billion garnered across 1,700 cases as of May 22nd, and that total doesn’t even include the whopping €1.2 billion levied against Facebook owner Meta that was coincidentally disclosed on the same day.
That brought the total GDPR fines against Mark Zuckerberg’s beleaguered tech empire to €2.5 billion, and means the total across all offenders, both individuals and organizations, sits at a staggering €4 billion.
The message is clear: if Big Tech intends to make big money off our data without our express consent, a cornerstone caveat of GDPR, then the EU will not be slow to ask for some of that money back.
Meta has announced that it will appeal the latest sanction against it, describing the penalty as “unjustified and unnecessary,” but clearly, big tech firms are rattled by what some see as mainland Europe’s growing encroachment on their once-undisputed mastery of our data.
Such sentiments even led the Guardian to ask recently if the “growing online muscle of the European Union” would lead to the creation of a “splinternet” or an internet with digital international borders.
GDPR: reasons to be cheerful
But despite the fears raised by some, many industry experts that Cybernews has heard from in the run-up to May 25th seem confident that GDPR has had a beneficial impact on data privacy and are optimistic that it will continue to do so.
“Starting in the EU by law, behavior is spreading to other countries and jurisdictions,” Reich says of the influence GDPR has had on entities that record, retain, or use our digital data worldwide. “In the United States, any state or territory creating privacy regulations models them after the GDPR. Merchants and vendors know what they need to do, even when they do not know how to do it yet. The best behavior change is with consumers.”
He clarifies this last point: “Although we have yet to complete the journey, more and more consumers are seeing the value of their identity and the security that protects the privacy of their identity. That may be the biggest long-term benefit. I look forward to the next five years to see what changes continue to ripple across the pond.”
Considering the revelations brought to light by the Edward Snowden leaks in 2013 and the resultant backlash against Google, Microsoft, and Yahoo, who were revealed to have been sharing unthinkable amounts of private user data with the National Security Agency (NSA), it’s hardly surprising to find cheerleaders in the US for the EU’s tougher stance on data-sharing.
“GDPR has been driving the notion of data privacy across the globe,” says Larry Whiteside, chief information security officer at RegScale, a software solutions provider based in Virginia.
He cites as examples two subsequent pieces of legislation that were passed in North America, the California Consumer Privacy Act of 2018 and the Personal Information Protection and Electronic Documents Act approved in Canada two years later.
Citing the steady increase in fines levied against organizations over the past couple of years including Meta and New York-based facial recognition software company Clearview AI, which was fined around $20 million in 2022 by French regulator CNIL under Article 83 of the GDPR, Whiteside adds: “To me, it’s a good example of what potential global policy could look like.”
Paul Trulove, CEO of passwordless protection provider SecureAuth, thinks legislation to regulate data usage was inevitable from the beginning of the internet, which was noted as a key enabler of the kind of mass surveillance programs that the Snowden leaks and subsequent investigations revealed.
Praising the GDPR as “the first truly wide-reaching attempt to codify and enforce consumers’ and employees’ rights to privacy,” Trulove adds: “Aside from the obvious security concerns, people started to realize that their personal information was a commodity that was being monetized and exploited by large corporations, sometimes of dubious integrity.”
Not all plain sailing
That said, there have been bumps along the way since the law came into force for organizations and other relevant entities in 2018, two years after it was first approved by the European Parliament.
A study published by computing firm Usenix in 2019, ahead of the 15th annual Symposium on Usable Privacy and Security in Santa Clara, California, found that it was possible for threat actors to target organizations subject to the GDPR and trick them into handing over personally identifying information by pretending to be genuine claimants.
This rather nasty twist on the classic social engineering or business email compromise scam meant that, in theory at least, the GDPR could in effect be used against itself, undermining data privacy and security.
Researchers conducting the study targeted 55 organizations and pretended to be genuine data subjects (DS) — an industry term for people whose data is being processed by a given platform, company, or service — requesting to see what data was being held on them. The researchers obtained prior consent from the genuine DS claimants before carrying out the social experiment.
The study’s findings were quite stark, revealing that of the targeted organizations, "15 leaked sensitive and personal information from the targeted individuals participating in our experiment, including but not limited to financial transactions, website visit histories, and timestamped locations."
Cybernews reached out to experts to learn more about how the GDPR has fared since then, and whether it has addressed the disturbing findings of the Usenix investigation.
Shashi Prakash, CTO of Bolster, doesn’t seem overly concerned about its findings, and remains confident that the GDPR is fit for purpose. “The Usenix study, while interesting, was a controlled experiment and we haven’t seen any news of a major security breach resulting from GDPR fraud from impersonated DS,” he says.
Praising the recent fines against Meta, he adds: “GDPR continues to have exponential net benefits to DS and data protection.”
“GDPR, like any regulatory system, does have the potential to be exploited,” allows Jon Mack, managing director of SwiftComm, a tech startup based in the UK, a country which has kept its own version of the GDPR since leaving the EU, subject to oversight by the Information Commissioner’s Office (ICO).
He goes on: “This is particularly true when organizations aren't vigilant enough in verifying the identities of individuals requesting data. Remember, the idea of GDPR was to protect and empower data subjects, but if threat actors pose as these individuals, they can indeed turn the regulations against the system.”
That being said, Mack thinks that the EU, to its credit, has not been caught napping on the job, and has done well to address the issues raised by the Usenix report.
“It has pushed for tighter identity verification processes, while also encouraging businesses to implement privacy-by-design principles. This has involved better training for staff handling data requests, as well as stronger technical safeguards.
“While these measures aren't foolproof, they signal a commitment to continually improving the GDPR framework in response to emerging threats. At the end of the day, it's a cat-and-mouse game between regulators and threat actors, and the journey to perfect data protection is still ongoing.”
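Mack’s point about verifying requesters, together with the Usenix finding above, as an added example that is not part of the article or the study: a small Python gate for handling data subject access requests. It assumes a hypothetical assess_dsar function and constructed account and request records.

```python
# Added example, not code from the article or the Usenix study: a defender-side
# gate for GDPR data subject access requests (DSARs). It applies the control
# Mack describes (verify before releasing) plus one rule that defeats the
# impersonation the study exercised: data is only ever sent to contact details
# already on record, never to details supplied in the request.
# All names, fields and sample records are constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Decision(Enum):
    RELEASE_TO_RECORD = "release, to the contact on record only"
    VERIFY_FIRST = "hold, require out-of-band identity verification"


@dataclass
class Account:
    subject_id: str
    email_on_record: str
    verified_challenges: Set[str] = field(default_factory=set)  # completed tokens


@dataclass
class DsarRequest:
    sender_email: str                      # channel the request arrived on
    reply_to: str                          # where the requester wants the data sent
    challenge_token: Optional[str] = None  # token from a completed challenge, if any


def assess_dsar(req: DsarRequest, account: Optional[Account]) -> Tuple[Decision, str]:
    """Return (decision, delivery address); the address is '' when nothing is released."""
    if account is None:
        # Unknown subject: hold without confirming whether the record exists.
        return Decision.VERIFY_FIRST, ""
    on_record = account.email_on_record.lower()
    from_known_channel = req.sender_email.lower() == on_record
    challenge_passed = bool(req.challenge_token) and req.challenge_token in account.verified_challenges
    if not (from_known_channel or challenge_passed):
        # Request from an unrecognised address with no completed challenge.
        return Decision.VERIFY_FIRST, ""
    # Verified. A reply_to that differs from the record (asking for the copy to
    # be sent elsewhere) is ignored: delivery goes to the address on record.
    return Decision.RELEASE_TO_RECORD, account.email_on_record
```

The reply_to field is deliberately never used as a delivery address; it is kept only so the intake system can log what was asked for.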
Not everyone is a fan
Not everyone shares Mack’s optimism. Some of the experts Cybernews spoke to believe that the GDPR is stifling innovation and preventing smaller companies from scaling up their operations.
“GDPR has created several consequences for data privacy, including limiting the ability of data subjects to use their data for legitimate purposes, such as scientific research, and can place limits on the ways in which businesses can use the data they collect,” George Gerchow, IANS Faculty and CISO of Sumo Logic, tells me.
He adds: “GDPR can sometimes be overly restrictive, preventing organizations from using the data they have collected to improve their services or innovate new products [and] has turned out to be less beneficial than we expected.”
Gerchow also criticizes the regulation’s lack of agility and clarity, which he says is making life more difficult for organizations as they struggle to comply with it.
“Without having a formal certification by a third party and so much ambiguity, it has slowed down some businesses' ability to scale while not doing much for the data subjects. The EU was slow to move in getting GDPR out and constantly struggles with updating regulations,” he says.
Alastair Parr, senior vice president of global products at Prevalent, echoes these sentiments, suggesting that some entities based outside the EU will inevitably try to bypass the GDPR to avoid the confusion and friction that compliance brings.
“As a regulation, GDPR can still be seen as granting better protections for individuals, with the aims of transparency and accountability being the core driver in how personal data is used,” he says.
“However, misinterpretation between this and other laws — for example, the EU E-Privacy Law, which governs the use of cookies on websites — and the complexities around implementing sufficient policy, process, and awareness practices, mean that some sectors or industries will always try to navigate around the rules, including where transfer, access and storage of data outside of Europe is concerned.”
That said, Parr does think that on the whole the GDPR has been an effective guardian of personal and private data.
“Overall, GDPR has and continues to play a core part in giving individuals a greater say in how their data is used,” he confirms. “Many sectors have adopted good practices in protecting user data, and have become more mindful of how much data is actually needed when developing or providing products and services. The challenge will continue to be where actions are needed to address breaches of the regulation, and the speed at which actions are enforced or resolved.”
Most notably, Parr says, more work needs to be done to ensure greater data privacy in regards to the much-criticized partnership between big tech platforms and advertisers, starting with making “verification on what data is being used, shared, stored, and transferred” easier to obtain.
While the journey to complete transparency about how, why, and where our data is being used is far from complete, the general verdict from the tech community appears to be one of cautious optimism. It’s a step in the right direction, but GDPR still has a long way to go and the battle with Big Tech for control of our privacy is far from over.
“GDPR, for all its flaws, has substantially shifted the conversation around data privacy and brought about increased transparency,” Mack sums up. “It's sparked a global recognition of data as a personal asset, and this is a monumental step. In my book, despite the potential for misuse, the positives outweigh the negatives.”
NB: This article was updated a day after first publishing to include George Gerchow's full job title.