Last week's New York Times ran an article titled ‘Europe’s Privacy Law Hasn’t Shown Its Teeth, Frustrating Advocates’, where the author, Adam Satariano, opines on the effectiveness of Europe's privacy law, the GDPR. I found it to be typical coverage of the field of privacy and cybersecurity – the facts are right, the conclusions off. In the immortal words of Sirius Black: "Once again you've put your keen and penetrating mind to the task and as usual come to the wrong conclusion!"
In my experience, laypeople – including newspaper reporters who write about these issues are anxious to get clickbait with headlines touting huge fines – assumed GDPR would turn into a revenue generating machine based on the past behaviors of companies monetizing personalized advertisement. But these companies did not scoff in the face of regulators when the laws were passed rather they made significant investments in privacy and operations to implement both the spirit and the letter of the law, while applying it to the business models they had in place. When companies adjusted their operations to anonymize, pseudonymize, and categorize data to avoid the identification of individuals from the data they held, the investigations and enforcement mechanisms didn’t come as expected. Is this because Supervisory Authorities are under resourced? Well, that depends on what one believes the purpose of GDPR is.
Is the purpose of GDPR to generate income for governments? Or is it to create a level competitive field by precluding certain business models? If one believes those are the purposes of the GDPR, then, yes - the Supervisory Authorities seem to be under resourced. However, if you believe the purpose of the GDPR was to modify the prior behavior of companies, then perhaps not. If the latter is the purpose, then those Supervisory Authorities may simply be resourced in accordance with the prioritization of enforcement within their respective governments based on already observed changes in behavior.
That said, it's not a surprise some consider the level of enforcement to be disappointing. Companies running competitive search engines and services to Google and Microsoft would prefer to change the entire business model of ad-based services and the operating requirements for them. Their goal, however is less on the protection of personal information and personal privacy as it is to reset the requirements for business and thereby eliminate any advantage held by an early entrant in the market. This is because these emerging companies know that large, well-capitalized organizations had far more resources to adapt to GDPR, so they had an advantage when it came addressing privacy issues while not scrapping a business model. But addressing those types of disparities is the realm of competition law, not privacy.
The difficulty, of course, is accepting the fact that governments are, in fact, satisfied with at least the direction that companies are moving in when it comes to protecting privacy. Is every citizen wholly satisfied? Of course, not - such is the nature of democracy. But citizenship satisfaction versus government satisfaction often simply comes down to timing.
The wheels of justice turn slowly. In today’s culture of instant gratification, patience to see through the legal process is definitely in short supply. But having a desire for schadenfreude frustrated is not evidence of the ineffectiveness of the law.
Opmerkingen