Time flies when you’re regulating Big Tech.
Can you believe it has already been a year since the EU’s game-changing privacy law, the GDPR (aka General Data Protection Regulation), went into effect? Just last May, we concluded the long run-up period to the GDPR, during which companies battened their proverbial hatches for the law harmonizing privacy regulations across the EU and handing consumers considerable control of their personal data. Given the uncertainty over how the law’s implementation would go, you’d have to consider the ensuing twelve months a success. In fact, as it marks its first anniversary, the GDPR is still enjoying a honeymoon phase, being embraced by international regulators, public companies and shareholders in their different ways.
Nobody even seems put out by the fact that the GDPR hasn’t delivered the big fireworks it promised—namely, massive fines against tech companies. One of the headline-grabbing aspects of the law was the fact that it allows for fines as high as four percent of the annual global revenue of a corporate violator. In its first year, however, the average fine was a paltry 70,000 euros, with the largest being a 50-million-euro penalty. The French Data Protection Authority assessed that one against Google, which—true story—has found more money under its couch cushions.
The general consensus among those in the know is that larger fines are still on the way. “We expect that 2019 will see more fines for tens and potentially even hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications,” a survey by law firm DLA Piper said.
In any case, the lack of large penalties has not kept countries around the globe from flattering the EU in the sincerest manner of all: imitating the GDPR with their own, similar legislation. Brazil, South Korea, Japan, and India are among the countries that have GDPR copies in the works. In the U.S., California will be rolling out its California Consumer Privacy Act in 2020. The California statute does not have the sharp teeth of GDPR; for instance, it does not set a specific time limit for notifying consumers of a data breach, nor does it impose fines for failure to notify. Nonetheless, at this point it’s clear that government authorities around the globe are looking into GDPR analogs.
Countries aren’t the only ones to embrace the GDPR model. Perhaps surprisingly, tech execs are doing it too. Apple CEO Tim Cook, Facebook CEO Mark Zuckerberg and Google CEO Sundar Pichai are all on record supporting “comprehensive privacy legislation” in the U.S.
One could accuse those corporate leaders of being reactive in their embrace of privacy, which follows the successful rollout of GDPR. At least some shareholder groups, meanwhile, are appealing to GDPR in a more proactive way. Certain shareholders of Google, for instance, just filed a notice of exempt solicitation (available on Intelligize) in which they cite GDPR enforcement activity as an argument for a shareholder proposal. Specifically, the shareholder group made note of Google’s GDPR fine (for “failing to disclose how data was gathered”) as a point in favor of adopting a shareholder proposal to create a “Societal Risk Oversight Committee,” which would “oversee, anticipate, and address the society-wide consequences—whether intended or initially unforeseen—of Alphabet’s technologies and activities.”
For now, at least, everyone is finding something to love in the GDPR. Whether the same can be said years from now, when the honeymoon is long over, is another question entirely.