GDPR - 3 years later
May 31, 2021
Three years have passed since the GDPR became binding law in the European Union. On the one hand, I’m happy that it has already been three years, but on the other hand, I’m impatient to see GDPR fully applied.
Federated Learning of Cohorts
I think the emphasis that the GDPR puts on cookies should not have been there in the first place. In the GDPR, it should be clearer that the problem is not tracking people using cookies but tracking people in general, no matter the technology used. I hope this aspect of the GDPR will be changed so that in the future, it will be immediately clear that any new technology created to track users will encounter the same limitations as the old ones.
With the advent of the COVID-19 pandemic, the GDPR had to face many governments wanting to create various tools to control the pandemic without caring about privacy. The GDPR passed this test and demonstrated that any project could have privacy by design embedded if the project creators keep privacy in mind while designing the project. We are not yet out of the woods on this part, but having seen the first 15 months of this, I’m confident that the European Data Protection Authorities will continue the great work they are doing in this area.
In this last year, Apple has started to implement better privacy features within iOS. This move is excellent since it is great for their users, stockholders, and even Android users since Google will now be forced to implement similar features. Google has announced changes in this direction, but Google does not have an excellent track record on privacy-related features, so we will need to see exactly how Google will implement those features before cheering them.
We see such changes in the mobile OS market because Apple, one of the most prominent mobile OS players, has no business selling users’ data. The browser market is mainly owned by Google, whose main business is advertising. Sadly, until this situation changes, it will be hard to have privacy-first browsers.
Last year I predicted that both the number of fines and the average fine would increase. Assuming the data from the GDPR Enforcement Tracker are correct, last year (01/06/2019-31/05/2020), we saw 206 fines with an average fine of 275k€. This year (01/06/2020-31/05/2021), we see a total of 394 fines with an average fine of 444k€. This growth is very positive, even though the trend is not as positive. In fact, the year before (01/06/2018-31/05/2019), there were 48 fines with an average fine of 1m€. Comparing the data to the previous year, we can notice that in 2020 the number of fines more than quadrupled, while this year it did not even double. Overall, I think those trends are reasonably good; even though the more time passes, the less acceptable it becomes for companies not to comply with the GDPR.
Next year's predictions
Looking at the coming year, I expect that:
- the cookie banner situation will start to improve, but it will not get wholly solved
- there will be clarity around the legality status of FLoC
- both iOS and Android will add additional privacy-related features
- browsers will not gain any significant privacy feature
- the number and size of fines will continue to increase
I hope that this year will positively surprise me, mainly in the browser space!