It has been two years since the general data protection regulation (GDPR) promised European citizens greater transparency between the data controllers and online users that had unwittingly become data subjects. Although it's easy to look back at our past through the rose-tinted virtual glasses of nostalgia, online privacy has arguably taken a turn for the worst.
The biggest casualty of how businesses have interpreted GDPR is the user experience of the web. In a digital world of online demand entertainment and one-click checkout options, almost every industry is desperately trying to jump on the experience bandwagon. But manipulative cookie "consent" notices have succeeded in taking all the fun out of browsing the web while also undermining the European Union's privacy rules.
Dark pattern design
The arrival of the so-called "cookie walls" forced users to jump through a series of hoops via additional clicks. Ultimately, the viewing of content is contingent on users consenting to be tracked. Unfortunately, none of this is by accident. Dark pattern design combines friction, manipulative timing, and persuasion techniques to ensure that it's business as usual for data controllers.
Time is the new currency, and instant gratification is our ideal destination. When we need information quickly, we don't have time to read through a long list of terms and conditions. Most of us will admit to skimming through notifications or popups before furiously clicking and tapping yes to everything to get where we want to be.
Another example of deception and dishonesty by design is the dreaded task of trying to unsubscribe from an email mailing list. Multiple clicks later while navigating through confusing menus and having to reaffirm your desire to opt-out is not a task for the faint-hearted. Cookie alerts were supposed to improve our privacy online. But there is an increasing argument that many implementations are designed to do the opposite.
Is GDPR inadequate for contact tracing apps?
Gathering data for contact-tracing should be protected by the fundamentals of GDPR. What data is captured? Who can access the information? Finally, how will the data be deleted once the system is no longer needed? At a time when the global community is uniting to beat the Coronavirus, many will deem their safety as more important than privacy. But others will see this an opportunity to make a power grab.
When it first came into force, GDPR represented the toughest data protection laws we had ever seen. But two years later, there is an argument that it's unfit-for-purpose because it cannot protect citizens against the increasing privacy concerns and risks of contact-tracing apps in its current form.
What happens in the post-pandemic world when the contact tracing app has been deleted? In the U.K., it has been suggested that the app data will be kept for research purposes. Governments harvesting data of its citizens for use beyond the global pandemic should set off a few alarm bells about the dangers of stumbling into pervasive state surveillance.
More bark than bite?
In September 2018, British Airways notified the ICO of a cyber-incident that that enabled hackers to compromise and harvest the personal data of approximately 500,000 customers. Investigations resulted in a fine of £183.4 million ($230 million). The Marriott group also reported a breach in November 2018 resulted in a £99 million ($124 million) penalty against the company.
However, constant delays in the payment of the fines have prompted some analysts to label GDPR as a toothless tiger. A study published on the second anniversary of the data protection regulation reveals it's a lack of resources that prevent greater enforcement of the GDPR. Something needs to change.
Despite the negatives, we shouldn't underestimate how the arrival of GDPR ushered in much-needed change across multiple industries. Implementing sanctions against companies that violate our right to privacy was a huge step forward in the name of progress.
The challenges ahead for GDPR
During the last two years, we have witnessed the demise of the web user experience in the name of user privacy. Ironically, it's now governments rather than tech companies or businesses that are advising its citizens to download apps that will track their every move for the greater good.
Cookies, consent, and user experience have become the biggest disconnect of our digital world. The friction and frustration of tediously clicking "I accept" has no place in the so-called experience economy. The good news is that Google has vowed to remove third-party cookies from its Chrome browser within the next few years. Media owners and the digital ad industry will be forced to reinvent themselves and explore innovative ways to monetize their content.
Finding a user-friendly and identity-based alternative is going to take much longer than many initially thought. GDPR was undoubtedly a great starting point and has had a significant impact on businesses by getting them to tackle the elephant in the room. How we all view human security and online privacy has completely changed in two years, and for the most part, that can only be a great thing.
Looking to the future, individuals, businesses, and indeed legislation such as GDPR, must continuously evolve and adapt to thrive in a digital age. As emerging technology continues to change the online landscape, we are also unwittingly creating further challenges that will require a regulatory response.
Contact tracing apps and the building of smart cities are just a couple of examples that highlight how we need to take responsibility for our tech creations. We are a long way from global citizens becoming the owners of their personal data, but maybe this is a timely reminder that GDPR is a journey, not a destination.