GDPR - 3 years later

 May 31, 2021

Three years passed from the moment the GDPR become binding law in the European Union. On the one hand, I’m happy that it has already been three years, but on the other hand, I’m impatient to see GDPR fully applied.

Cookies

Cookies are always a hot theme when we talk about GDPR. I still see websites handing out cookies (first and third parties ones) without a cookie banner or to users who have not pressed the “accept” button on the cookie banner. Also, speaking about cookie banners, the majority are not compliant since they often make it hard to refuse cookies or pre-select cookie acceptance. This situation is unfortunate, but we see some movement on this (like the noyb initiative). If those initiatives continue, as I hope, next year, the cookie situation will be much better!

Federated Learning of Cohorts

Google proposed the Federated Learning of Cohorts (FLoC) to be able to do targeted advertisement without the use of Cookies. Even though Google affirms FLoC is “privacy-first”, the situation is far more complex, as the EFF explains. I see FLoC as a way to work around the GDPR, and I hope the European Data Protection Board will clarify that FLoCs are to be considered at the same level (if not worst) than cookies and should never be used in Europe or on European Citizens. I would be pleased if the EDPB clarifies that FLoC (and similar technologies) are allowed only if opt-in and not opt-out as FLoC is today.

I think the emphasis that the GDPR puts on cookies should not have been there in the first place. In the GDPR, it should be clearer that the problem is not tracking people using cookies but tracking people in general, no matter the used technology. I hope this will be an aspect changed in the GDPR so that in the future, it will be immediately clear that any new technology created to track users will encounter the same limitations as the old ones.

COVID-19

With the advent of the COVID-19 pandemic, the GDPR had to face many governments wanting to create various tools to control the pandemic without caring about privacy. The GDPR passed this test and demonstrated that any project could have privacy by design embedded if the project creators keep privacy in mind while designing the project. We are not yet out of the woods on this part, but having seen the first 15 months of this, I’m confident that the European Data Protection Authorities will continue the great work they are doing in this area.

Mobile OS

In this last year, Apple has started to implement better privacy features within iOS. This move is excellent since it is great for their users, stockholders, and even Android users since Google will now be forced to implement similar features. Google has announced changes in this direction, but Google does not have an excellent track record on privacy-related features, so we will need to see exactly how Google will implement those features before cheering them.

Browsers

We see such changes in the mobile OS market because Apple, one of the most prominent mobile OS players, has no business selling user’s data. The browser market is mainly owned by Google, whose main business is the advertisement one. Sadly, until this situation changes, it will be hard to have privacy-first browsers.

Fines

Last year I predicted that both the number of fines and the average fine would have increased. Assuming the data from the GDPR Enforcement Tracker are correct, last year (01/06/2019-31/05/2020), we have seen 206 fines with an average fine of 275k€. This year (01/06/2020-31/05/2021), we see a total of 394 fines with an average fine of 444k€. This growth is very positive, even though the trend is not as positive. In fact, the year before (01/06/2018-31/05/2019), there were 48 fines with an average fine of 1m€. Comparing the data to the previous year, we can notice that in 2020 the number of fines more than quadrupled, while this year did not even double. Overall, I think those trends are reasonably good; even though more time passes, less acceptable becomes for companies not to comply with the GDPR.

Next year predictions

Looking at the coming year, I expect that:

• the cookie banner situation will start to improve, but it will not get wholly solved
• there will be clarity around the legality status of FLoC
• both iOS and Android will add additional privacy-related features
• browsers will not gain any significant privacy feature
• fines number and size will continue to increase

I hope that this year will positively surprise me, mainly in the browser space!