1466 days.
data rights non-profit organization NOYB initiated its first complaint after the promulgation of GDPR in Europe, 1466 days ago.
GDPR refers to General Data Protection Regulation, the full English name of General Data Protection Regulation, it is the European Union regulations, predecessored by European Union 's Computer Data Protection Law enacted in 1995, protecting the privacy rights of 740 million Europeans.
and NOYB is a non-profit organization headquartered in Austria with the goal of protecting the data security of EU citizens.
On May 25, 2018, the first day of GDPR's entry into force, NOYB initiated a complaint involving Google , WhatsAppp, Facebook and Instagram forcing people to hand over their data without proper permission.
Now, four years have passed, NOYB is still waiting for the final decision about those complaints.
Since GDPR came into effect, there are many pending complaints besides NOYB.
Although it is called the "strictest data protection law in history", the performance of both complaint handling efficiency, corporate compliance, and the actual operation of GDPR are disappointing.
1, complaint rulings are inefficient
According to statistics from Irish regulators, 400 of the complaints involving cross-border decisions have been still under processing since May 2018. As for other complaints initiated by NOYB against Netflix (Netflix), Spotify (Swedish ) and PimEyes (Polish ), all have been delayed for several years.
In addition to the slow processing time, from a global perspective, GDPR has not eliminated the most serious problem: data intermediaries are still storing user information and selling it, and the online advertising industry is also full of abuse risks.
As early in 2012, GDPR lawmakers first proposed reforming European data rules and passed the final law in 2016, giving companies and organizations two years as a buffer.
Based on previous data regulations, GDPR requires enterprises to change the methods of processing user data and set up 7 core principles, providing guidance on processing, storage and use.
However, GDPR weaponizes these principles. The
GDPR regulations authorize data regulators in every European country to impose fines of up to 4% of global turnover on companies and order companies to stop violations of GDPR principles.
orders a company to stop processing people's data, which can be said to be more influential than fines.
However, four years after GDPR came into effect, the number of processing targets to the world's most powerful data companies was distressingly low.
According to a series of intensive provisions of the GDPR, complaints against a company operating in multiple EU countries are usually transferred to the country where the company's main European headquarters are located. The so-called one-stop processing process,
, requires that the country take the lead in conducting the investigation. For example, Luxembourg is responsible for handling complaints about Amazon , the Netherlands is responsible for Netflix, Sweden is responsible for Spotify, Ireland is responsible for Meta's Facebook, WhatsApp and Instagram, as well as all Google services - Airbnb, Yahoo, Twitter, Microsoft , Apple and LinkedIn.
It is precisely because of such a complex processing process that the work of regulators has been backlogged, and the processing speed is naturally greatly affected.
2. Technology giant enterprises with poor execution results
. In accordance with the requirements of GDPR, they should strictly abide by the regulations.
However, from the actual situation, the execution of giant companies is not enough. For example, Facebook, which is now Meta, is still difficult to comply with GDPR.
An internal Facebook document obtained by foreign media Motherboard hinted that the company itself is not very clear about how user data is processed.
According to Facebook engineers, they are working to track where user data goes in their systems. However, regulations such as the EU’s GDPR limit how platforms like Facebook use their user data. GDPR law provides that personal data must be collected “for specific, clear and legal purposes and must not be further processed in a manner that does not match those purposes”.
This means that each piece of data, such as the user's location or religious orientation, can only be collected and used for specific purposes, but not for other purposes. Facebook has been criticized for using its user's phone numbers in its "People You May Know" feature. After being discovered, the company eventually had to stop this practice.
When describing Facebook's dilemma, its engineers used a figurative metaphor to illustrate:
Imagine that you are holding a bottle of ink in your hand.
This bottle of ink is a mixture of various user data (3PD, 1PD, SCD, Europe, etc.).
When you pour this bottle of ink into a lake (open data system, open culture), it will... inevitably... flow everywhere.
How do you put the ink back into the bottle?
How do you organize it again so that it only flows to where it is allowed in the lake?
In this metaphor, 3PD refers to third-party data, 1PD refers to first-party data, and SCD refers to sensitive category data.
But then Facebook denied this statement.
3. Improve and improve
One-stop mechanism is based on GDPR. Four years later, GDPR itself has exposed many parts that need improvement.
Last year, calls for changing the way GDPR operates are getting higher and higher.
politician Viviane Redding, who proposed GDPR in 2012, said when talking about this topic in May last year, "For major events, law enforcement should be more concentrated." Under the call of
, Europe has successively passed two major digital regulations: the Digital Service Law and the Digital Market Law.
These laws focus more on competition and Internet security, and the law enforcement methods are also different from GDPR. In some cases, European Commission directly investigates large tech companies.
From this perspective, GDPR law enforcement does seem to be unable to keep up with the mainstream of the times, and it also confirms the inefficiency of execution raised by politicians before.
Civil society groups also warned that without some strong enforcement changes, GDPR may ultimately fail to stop the bad behavior of large tech companies, let alone raise awareness of privacy.
A person in charge believes that: "The direct object that needs to be solved most is large technology companies. If we cannot handle these technology companies, people's privacy and data rights will never be guaranteed."
Perhaps GDPR did not bring people the expected surprises, and the country has also established a series of data protection systems under the influence of GDPR.
Maybe disappointment is always inevitable, but what we need to do is not to deny everything about it. Only by constantly improving and innovating can we meet the ideal beam of light.
Reference materials:
1, How GDPR Is Failing?
2, The state of the GDPR in 2022: why so many orgs are still struggle
text | Muzi Yanni
Hi, this is the black technology, in front of the future, we are all children.
If you want to see more technology stories, please click → WeChat official account: Qianhei Technology.
