
I think the accusation that the GDPR has no teeth is not about the magnitude of fines. The GDPR promised great enhancements to privacy and freedom in the text of the legislation (opt-in data processing consent not conditional on service; right to data erasure; data portability). In practice, enforcement has been focused on punishing poor security, rather than lack of privacy or freedom.


That's fair, although even if they still only focus on breaches I think it might improve privacy indirectly: the database that's hardest to hack is the one that doesn't exist. If companies get in the mindset that storing client data is a big liability they might decide that archiving everything and anything forever might not be such a clever decision after all.


This is, as I understand it, the goal. I mentioned this in a different comment, but getting companies to think of unsecured consumer data as a liability is absolutely key to getting them to take privacy seriously. Companies need to consciously decide if the risk of accruing this data is worth the downside. Pre-GDPR there was functionally no downside at all.


> If companies get in the mindset that storing client data is a big liability they might decide that archiving everything and anything forever might not be such a clever decision after all.

I think this would be a stronger argument if other EU laws didn't actively require the collection and long-term retention of some of the most important personal information, including identity and financial details, for other purposes such as VAT audits. Such obligations often preclude otherwise reasonable data management strategies like encrypting all personal data with a per-account key that can be easily deleted and thus render everything connected with a given account permanently inaccessible in the event of an erasure request etc.

Instead, data controllers are in principle supposed to keep track of every possible purpose for which personal data could be processed, even those originating in theoretical legal requirements that are rarely if ever used in practice, as they applied at the time each item of personal data was first collected and at all times since; to retain each individual data point for as long as any purpose for which it might be needed continues to apply; and then to delete that data promptly once its final purpose is no longer relevant.

I suggest that few if any data controllers are actually doing this. Instead I suspect almost everyone who is trying in good faith to comply with the GDPR is using sufficiently generic purposes and blanket provisions to simplify their position to a manageable level of complexity. (How many privacy policies have you read since GDPR came out that actually stated a concrete time period for retaining each category of personal data being processed, and how many have you seen that rely on abstract wording about keeping the data for as long as any stated purpose applies or something similar?) No doubt many other organisations are simply not complying with the GDPR rules about retention and deletion at all, perhaps through ignorance, or perhaps as a deliberate choice that they hope to get away with.


> opt-in data processing consent not conditional on service

I see this violated so often with full-screen popups requiring you to disable adblock or exit private mode. The EU really needs to fine these companies into oblivion. I should not have to create an account just to look and see if they have a disabled tracking toggle (and they usually don't, so the only way to prevent tracking is private mode/adblock).


Once they start deleting this data because of the potential fines they will wonder why they were collecting it in the first place.


> In practice, enforcement has been focused on punishing poor security, rather than lack of privacy or freedom.

That's not true in the slightest. One bank (ING) in The Netherlands implemented an opt-out for analyzing customers' data. Quite a bit of outrage. PR spokesperson said: "all is fine, this is all good, we follow the GDPR".

Local privacy authority sent a general letter informing that such behaviour is very likely not according to the GDPR. ING quickly backtracked. Other banks said they'd obviously comply with GDPR.

No fine was given; it was not needed. I don't particularly care if companies are fined. I do care that they take my privacy into account. The latter is what (slowly) is happening.


There have been 50,000+ complaints filed with various data protection authorities since G-Day (1), Google recently got a hefty fine for a non-conformant consent implementation (2) and a lot more are rolling in country by country as bureaucracy grinds (3).

Sounds like teeth to me.

(1) https://www.gdprtoday.org/gdpr-in-numbers-4/
(2) https://www.reuters.com/article/us-google-privacy-france/fra...
(3) https://blogs.dlapiper.com/privacymatters/


There have been a few fines, including the large 50M EUR fine against Google. Despite this, compliance has fallen short of many people's expectations. Being presented with consent dialogues where it is not possible or practical to decline consent is still commonplace.

Hopefully the rate of enforcement will further increase and compliance attitudes will improve.


> Despite this, compliance has fallen short of many people's expectations.

Indeed. Are the following two statements true or false?

1. Major data hoarders, including online giants like Facebook and Google and traditional data brokers like credit reference agencies, are still hoovering up huge amounts of personal data and processing it in ways that some or all of the data subjects don't understand and to which they can't therefore have given their informed consent (assuming they are aware of any processing and have given any consent at all).

2. Governments and organisations with ties to governments are still hoovering up huge amounts of personal data allegedly for purposes involving security with little meaningful oversight and little need to demonstrate effectiveness or proportionality.

Until statements like these are false, data protection and privacy law isn't really protecting people from the biggest threats anyway, and the main positive effect of the GDPR is just to give the regulators the ability to impose fines for things that were mostly prohibited anyway but now on a scale that is significant to large businesses. That in itself is probably no bad thing, but if that's all it achieves then it's far from clear that it's been worth the huge implementation costs and the uncertainty it has brought even to honest organisations.



