Europe's data privacy law will be tough to enforce

The cost for an EU member state could be billions of euros, he says.

By Jon Van Housen and Mariella Radaelli

Published: Mon 28 May 2018, 10:13 PM

That sound you might have heard at midnight on May 25 could have been a collective sigh of relief as notices on something called the GDPR stopped flooding e-mail inboxes and popping up on your favourite websites. Most users likely clicked "agree" to everything the notices said without reading the long, detailed announcements.

In a virtual world where attention spans are measured in seconds, how could your average user take the time to read it all?

Yet the annoyance is very much in our own interest, at least according the European Union, the political behemoth that drove the flood of announcements. Years in the making, the General Data Protection Regulation is the biggest-ever change since the Internet began on how your personal online data is collected and used.

Though it covers EU citizens, it affects the global Internet because sites ranging from Google and Facebook to your favourite newspaper and recipes likely collect data from Europeans as well as the wider world.

But however well-meaning, questions remain whether even the EU can comply with the new rule. As the deadline for implementation passed, only a handful of EU countries had geared up to meet and monitor compliance.

Vera Jourova, the EU justice commissioner, says she is worried that data protection authorities (DPAs) across Europe are understaffed.

"We want the DPAs to be well-equipped for the job, not only for sanctioning, but also for consulting, and I don't like to see the DPAs being in trouble," she said. Monitoring agencies from a range of European countries have said they are awaiting additional funding to increase staff.

And as the Friday deadline arrived, an unexpected result hit English-language readers in Europe: Those visiting US newspaper websites including the Los Angeles Times and Chicago Tribune found a message that their services are no longer available in Europe. Facing stiff fines for non-compliance, a range of US sites have blocked their services or deleted European users for the time being. The costs and effort to comply can be enormous. Luca Bolognini, attorney at law and president of the Italian Institute for Privacy think-tank, says "a big company needs huge amounts to comply with the GDPR - hundreds of thousands euros for lawyers and millions for the implementation of technical security measures".

The cost for an EU member state could be billions of euros, he says.

In fact, the cost and complexity means not only US newspapers cannot meet the standards right now - even European agencies are struggling. "It has been difficult for two reasons: first, public administrations almost everywhere in Europe are not compliant with the new rules due to the low digitalisation of public processes," says Bolognini. "Secondly, these matters - even if they are key for the future of citizens, institutions and companies - are still seen as technicalities without relevance by many politicians."

But many beg to differ. The regulation formally approved two years ago now seems prescient following disclosure that personal data from 87 million Facebook users was employed by British consulting firm Cambridge Analytica to influence voters. Your likes, habits, interests and biographical information can actually be used to influence you whether you are aware of it or not.

And that Orwellian possibility has many concerned. Stefano Zanero, Cybersecurity professor at the Politecnico di Milano University, says the GDPR offers a firewall against future abuses.

"The GDPR allows citizens to have leverage to protect their data from abuses while engaging in business transactions with companies across the globe," says Zanero. "It projects internationally the concern of EU citizens about abuses in data collection and analysis."

Bolognini says the issue transcends mere technicalities and faces up to a core concern: The importance of trust in today's world. "Better data protection will mean more trust, and trust is the fuel of the data-driven society and economy," he says.

As the deadline for compliance loomed, Facebook CEO Mark Zukerberg was coincidentally in front of the EU parliament to answer questions over data breaches and the Cambridge Analytica scandal. His answers and length of time spent before the body appeared to garner few "Likes".

So, the EU will likely feel even more justified in its bid to protect the vast online population. "It surely is a huge undertaking for everyone, but the GDPR is the last installment in 20 years of privacy protection regulations in the EU," says Zanero.

And while the new disruptive requirements will continue to make waves in the months and even years ahead, its early days have been sometimes chaotic and confused.

Bolognini says "the storm of privacy notices is a required compliance step, but the bitter reality is that nobody will read such policies".

"In this sense, the GDPR is still chained by an obsolete approach, thinking of preliminary notices and consent statements as they were effective safeguards, and they are not," he notes.

Yet the regulation has serious teeth. Violators face fines of up to 10 million euros or 2 per cent of annual revenues. It has also spawned yet another Internet niche - compliance.

At this juncture it's safe to say many memos and computer code have yet to be written.

Jon Van Housen and Mariella Radaelli are editors at ?the Luminosity Italia news agency in Milan

More news from OPINION