Freight trains take time to build steam. That’s your metaphor for what’s to come in 2019 for the General Data Protection Regulation.
“I think people were expecting a massive fine on Day One,” said Forrester principal analyst Fatemeh Khatibloo, “[but] these investigations take time.”
Data protection authorities (DPAs) across Europe have their hands full fielding an influx of inbound grievances. The number of data breach, consent and privacy-related complaints have increased since the law took effect in May. Over the summer, the United Kingdom’s Information Commissioner’s Office reported a 160% uptick in data breach complaints from the year before. Whistleblower reports on company data breaches in the United Kingdom have almost tripled.
“There is clearly increased awareness within the general population about the GDPR,” said Ronan Tigner, an associate focused on data privacy and security at law firm Morrison & Foerster.
Consumer advocacy groups are also filing complaints on behalf of consumers, primarily directed at the big tech set, under a new collective redress or class action mechanism introduced through Article 80 of the GDPR.
With all that activity, it makes sense that member state DPAs took their time to get the lay of the land in 2018 before ramping up closer to the end of the year.
“For a reform of this scope and magnitude, it’s only expected that several months will pass before enforcement comes into focus,” said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals. “2018 wasn’t even a full year for GDPR.”
But there was still a lot of groundwork laid this year and many hints dropped about what DPAs will prioritize in 2019. Data security and consent, particularly as it pertains to advertising and location tracking, top the agenda, Tigner said.
France’s data protection authority, the Commission nationale de l'informatique et des libertés (the CNIL), issued a series of four warnings against French geolocation-focused ad tech companies in the latter half of the year for failing to collect the proper consent. Three of the companies – Teemo, Fidzup and SingleSpot – have made changes to their systems and been cleared.
The most recent warning, which was issued in November against a Paris-based location data company called Vectaury, name-drops the IAB Europe GDPR Transparency and Consent Framework, a mechanism created by the advertising industry that allows publishers and vendors to share consent strings. Reading between the lines, the CNIL appears to be questioning the viability of consent strings if users don’t have a clear and obvious way of giving their consent to every party touching their data.
2019 will likely be the year that industry standards are put to the test.
“I expect individuals’ consent and the propagation of data protection requirements along the digital supply chain will be areas of intense scrutiny,” Tene said.
On the docket
With the grace period to comply far in the rearview – GDPR has been in effect for nearly seven months now and companies had a two-year transition period to prep before that – European enforcement agencies will start laying down the law.
But the DPAs aren’t looking to fine companies out of existence if there’s any alternative.
In September, during a DMEXCO panel in Cologne, Armand Heslot, a privacy and security expert with the CNIL, said that enforcers “will be more gentle and take the time to first explain to companies how they have to do things” if anything about the new law is still unclear. “Fines will come afterwards,” Heslot said.
To their credit, the DPAs “are not trying to be immediately punitive,” Khatibloo said. They’ve given most of the firms they’ve investigated an opportunity to come into compliance. That was the case with the geolocation warnings in France.
That doesn’t mean, however, that European data protection authorities have eternal patience, and the kid gloves will be off for any companies that don’t make a good faith effort to comply.
“It’s one thing telling a regulator and the public, ‘We did our best, but still suffered a breach,’ and it’s quite another to say, ‘Sorry, we just weren’t prepared yet,’” Tene said. “It’s in those latter cases that we can expect to see the large 4% of annual global revenue fines.”
But while getting in line with the law is of great importance to any company under its jurisdiction, Khatibloo hopes that advertisers and marketers will start to move beyond GDPR as “a compliance exercise” in 2019.
“Our industry tends to be the worst violators of ‘fair and ethical’ when it comes to data use – it’s not malicious, it’s just that our data and technology capabilities have exploded,” she said. “This is the year to start asking, every single day: ‘Just because I can, does it mean I should?’”