Unlike most new-borns, the regulation came into being 12 months ago bearing a sharp and fully developed set of teeth. Fines of up to €20m or 4% of global annual turnover suggested the EU wasn’t messing around when it came to data protection, and many privacy champions salivated at the prospect of the Googles and Facebooks of the world being hit with multi-billion dollar fines.
So, a year on, what has actually happened?
Well, although the anticipated headline fines haven’t taken place, there has been plenty of action from local regulators enforcing GDPR’s principles. Most notably, the French regulator CNIL did impose a €50m fine upon Google in January for making it difficult for users to take control of their data.
That was the most significant penalty we’ve witnessed so far, but there have been others.
Authorities in Germany, Poland, Denmark, Austria and Portugal have all announced fines for organisations judged to have contravened the regulation, and there have been thousands of complaints issued to bodies across Europe, forcing review panels onto the back foot.
Although some may view GDPR’s impact as being relatively light in terms of fines and case law so far (and increasingly heavy from a bureaucratic perspective), the more immediate effect of the regulation has been to initiate privacy discussions and actions around the wider world.
In the US, the California Consumer Privacy Act comes into effect from January 1st 2020 with principles largely based on and influenced by GDPR. Though it is only applicable at state level, many fellow states are watching closely with a view to drafting their own subsequent versions. A federal data law may follow, with the newly formed coalition of trade bodies, Privacy for America, advocating for national legislation that would curb data collection and its use by advertisers there.
Meanwhile, Australia and Brazil have both updated or initiated their own data protection laws in the wake of Europe’s example too.
Yet, these regional versions of the regulation are only small, local pieces of a global legislative puzzle which are arguably leading to a ‘Balkanization’ of the web. With disparate local authorities struggling to harmonise data laws, global internet companies operating across borders will find it increasingly difficult to function properly and offer the services users around the world have enjoyed accessing for so long.
Perhaps then, the most important consequence since GDPR came into effect last year has been its influence upon some of these companies themselves. In being forced to take data privacy seriously and create solutions that are sensitive to this requirement, whilst still allowing them to function globally, we’re beginning to witness a new frontier in the development of the web.
Apple’s ITP updates have already sounded a warning shot for the wider ad tech industry around the use of unnecessary consumer data and tracking. Combined with Google’s recent announcement that it plans to make its Chrome browser far more robust in how it handles third-party cookies and fingerprinting, and with Microsoft’s new Chromium-based Edge browser set to give users better control over their privacy settings, it is clear that GDPR’s principles are being heeded.
A year in, ‘privacy by design’ is increasingly becoming a fundamental tenet of how internet companies plan to operate in the long term.
Happy Birthday GDPR.
*GDPR and its likely effects upon the affiliate and digital industry was just one of the issues we discussed with our legal counsels in Italy, the UK and the US in this year’s Awin Report. Read more on their insights and opinions here.