GDPR - 2 years on

25 May 2020 marks the 2nd anniversary of the General Data Protection Regulation. Two years on, where are we now?

Key points
  • For the past two years we’ve been investigating and taking action against the hidden data ecosystem.
  • Enforcement action by Data Protection Authorities is urgently needed.
  • We need action to strengthen, not weaken, GDPR, including closing any loopholes at national level and supporting frameworks that bolster these rights, such as ePrivacy.
  • We’ve joined civil society across Europe to call on the Commission to take steps to make the rights and protections of GDPR a reality.
  • We’ve also written to the UK regulator, the ICO.

GDPR was hard won. PI, together with other civil society actors, fought from the beginning for a version of the law that offers the strongest rights and protections in the face of intense industry lobbying.

Holding the hidden data ecosystem to account

Two years ago, we committed to using GDPR to seek to hold to account the hidden data ecosystem - those companies that amass and exploit large amounts of our data for profit.

Here’s some of the action we’ve taken:

  • In November 2018, after months of investigation, we complained to data protection regulators in the UK, Ireland and France about the practices of seven such companies - Acxiom, Criteo, Equifax, Experian, Oracle, Quantcast and Tapad. The regulators’ investigations are ongoing.
  • In December 2018, with a follow-up in March 2019, we exposed how thousands of apps were sharing data with Facebook, leading to many companies changing their practices. Challenges remain, however, including the sharing of intimate data by menstruation apps.
  • In September 2019, we revealed that mental health websites are sharing data with a range of third parties and we continue to push for improvements.
  • Elections are increasingly data driven, with the often hidden industry complex facilitating the exploitation of data in political campaigns. Cambridge Analytica was the tip of the iceberg and we continue to use GDPR to demand change.
  • Data-intensive companies are increasingly becoming entwined with public services. We are using GDPR to help scrutinise data practices in the context of welfare, migration and sexual and reproductive rights.

Enforcement action is urgently needed

Two years on, our main concern is the lack of implementation of GDPR and the enforcement gap. Our work shows numerous infringements of GDPR, but controllers are not being sufficiently held to account. These infringements not only exacerbate the opacity surrounding the online data ecosystem but also constitute a major obstacle to the effective exercise of data subjects’ rights, undermining the protection afforded by GDPR and people’s trust in the law to protect their fundamental rights.

Urgent action by data protection authorities is needed to make GDPR a reality in practice.

Strengthening not undermining the GDPR

We are deeply concerned that GDPR protections are being undermined by the way that Member States have implemented derogations (the parts of GDPR which could be changed at national level).

Of particular concern are:

  • Lawful basis: stretching the interpretation of the conditions set out in Article 6 and introducing broad conditions for processing special category personal data under Article 9 which are open to exploitation, including, for example, loopholes for political parties.

  • Exemptions: introducing wide and over-arching exemptions under Article 23, removing the protections of GDPR from huge amounts of processing, with consequences for people’s rights. An example is the immigration exemption introduced in paragraph 4 of Schedule 2 to the UK’s Data Protection Act 2018.

  • Collective redress: the majority of Member States decided not to implement the derogation in Article 80(2) of GDPR, with hugely damaging consequences for the protection of personal data. Many of the infringements we see are systemic, vast in scale and complex, and thus impossible for an individual to challenge. Yet without Article 80(2) there is no effective redress in place.

GDPR does not and cannot operate in a silo. Just as the right to data protection interacts with other rights, it is essential that other legal frameworks bolster the protections of GDPR. A key example of this is the draft ePrivacy Regulation. Civil society has consistently called for delivery of a strong Regulation.

Going forward

Today, we join civil society across Europe in writing to the European Commission to call for enforcement, the closing of loopholes and the bolstering of other legal frameworks to support GDPR.

We’ve also written to the UK regulator, the ICO, to express our disappointment at the lack of enforcement action and to encourage action on ad tech, data brokers, political data exploitation and the use of mobile phone extraction by law enforcement, as well as close scrutiny of responses to Covid-19.

In this time of crisis, a strong data protection framework like GDPR should facilitate the trustworthy use of data where necessary and limit the exploitative responses of governments and companies to Covid-19. Sadly, this is not always the case. We see companies already infamous for their data practices taking advantage.

It’s still just the beginning and we will continue to fight with partners around the world to make data protection a reality in practice.