(Fabio Alessandro Locati|Fale)'s blog

GDPR - 1 year later

May 25, 2019

One year has passed since 25/05/2018, the day the GDPR started to be enforced. Today I’d like to see how this first year of GDPR went and what we could expect for the future given what we have seen so far.

The first consideration, which I think is obvious but interesting, is that the Internet did not close down on 25/05/2018 as many had worried. In fact, not much changed on that day. One thing that did change a lot is the number of banners asking for authorization to set cookies in your browser. This increase in cookie banners is an interesting phenomenon, since the differences between the EU cookie law and the GDPR on cookies are minor. I think this phenomenon can be explained by the fact that companies are now more worried about violating those regulations than before, thanks to the massive fines that they can incur under the GDPR.

Speaking of cookie banners, we are very far from having banners aligned with the spirit of GDPR. Those banners are often full of text, with unclear options and with the default option being “track me”. I think those banners will be further regulated over time with new rules that will emphasize some technical limitations to align with the spirit of GDPR.

A crucial aspect that will make or break the success of GDPR is its enforcement, mainly through fines. So far, very few companies have been fined (around 40), and all fines have been relatively small, the biggest one being a 50M€ fine given to Google by France. The second biggest one is a 400K€ penalty to a public hospital in Portugal. It is interesting to notice that, from Enforcement Tracker data, the total amount of fines seems to be 51'429'345€. This number means that all the given fines, except for the two most prominent, average 25/30K€ each. I’m using non-exact numbers since external trackers collect those fines based on newspaper articles, and they are not an institutional website fed directly by the courts, which means that the data can be inexact or incomplete. Many countries have not yet fined anyone, and since I don’t believe that they don’t have any company that is violating the GDPR, this is not something I see favorably. Those fines are small from my point of view, and I hope that this is a transitional year and that in the next year we will see far more fines, more significant fines, and that all countries will enforce the GDPR.

All in all, I think this has been a sort of adaptation year for the GDPR. We are pretty far from a situation where the GDPR is enforced in all its parts, but I expect more sensible cookie banners and more (and more significant) fines in the next year.