Maciej Zawadziński: Today, GDPR and similar laws set down the rules of the game for businesses wanting to collect customer data. But how was personal data online protected before 2018? How did businesses behave then? I like to call that time a sort of “Wild West” – would you agree?
Karolina Iwańska: GDPR was not the first law to regulate the use of personal data. For over 20 years before that, businesses were bound by the EU data protection directive. It was not very different from GDPR in terms of basic principles applying to the collection and use of people’s data.
However, the data protection directive didn’t apply to big tech headquartered in California or include the threat of fines reaching into the millions of euros. As a result, companies’ approach to data protection was much less serious. It was also more focused on formalities like registering databases rather than on regularly analyzing real risks that people faced.
It is only with the introduction of GDPR that data protection has made headlines and increased people’s awareness about their rights. This, in turn, has pushed this issue higher on the list of priorities for many businesses, including the dominant online platforms.
Maciej Zawadziński: The introduction of GDPR in 2018 was a big milestone. The act sparked both hope and uncertainty among all those affected. What are your memories from that time?
Karolina Iwańska: As an organization, we were heavily involved in advocating for the best possible form of GDPR since 2012. When the European Commission announced that GDPR would come into effect on May 25, 2018, it felt rather special for us.
We were excited that the new law gave customers and citizens new tools for controlling their privacy and proud of our contributions to the final outcome. In the run-up to GDPR’s first day, we produced a number of resources on the basic principles of the new regulation and practical guidelines on how people can exercise their new rights.
On May 25, we also filed a few access requests with companies that collect our data. On the other hand, I also remember that we struggled with a number of absurd interpretations of GDPR. Many of them had nothing to do with the spirit of the law, like teachers not reading out students’ names when checking attendance in class, or the overwhelming flood of unnecessary “consent” requests.
Maciej Zawadziński: We are three years in. Are regulators doing a good job of enforcing GDPR and guarding people’s online privacy? If not, what would be the best direction for them to go in?
Karolina Iwańska: Unfortunately, three years in, we still haven’t seen groundbreaking decisions that would provide answers to the most pressing questions about data protection online and stop the infringements that are happening every day. Are cookie banners designed to nudge people into consenting to tracking lawful? Should advertising companies show users all the data that they infer about them based on their behavior? Is it allowed to ask users to agree to tracking in return for a free-of-charge service?
The one-stop-shop mechanism, where all complaints are transferred to the regulator in the country where the company is based, turned out to be ineffective. Most of the big tech companies have set up their European headquarters in Ireland, perceived as the most tech-friendly country in the EU. Indeed, the Irish regulator – the Data Protection Commission – has recently been accused by all the other national regulators and by the European Parliament of not doing its job. This “forum shopping” by companies like Facebook and Google makes users from other countries bear the consequences of a weak data protection authority. In fact, some national regulators have decided to stop transferring complaints to Ireland, preferring to deal with them locally instead.
To successfully enforce the law against multinational companies whose profits reach into the billions of dollars, national authorities need more staff, in particular staff with strong technical competences. We also need more serious and engaged cooperation between national regulators in difficult cases, as well as coordination and support from the European Data Protection Board.
Maciej Zawadziński: We are still waiting for ePrivacy, but the work on it seems to be coming to an end. Will it strengthen privacy protection online, or will the opposite happen?
Karolina Iwańska: Everything depends on how well the European Parliament’s main negotiator performs. In 2017, the Parliament adopted a version of the ePrivacy regulation that prioritized the privacy of Internet users. For example, the Parliament’s version introduced a prohibition on forcing users to accept cookies to access the website and allowed users to express their preferences through browser settings, creating the potential for eradicating the deceptive cookie pop-ups that harass people on a daily basis.
Unfortunately, the governments of EU Member States (who form the Council of the EU and whose consent is needed to proceed with the law) removed all of these safeguards, prioritizing the interests of businesses that rely on tracking people’s behavior. We are currently in the stage of negotiations between the Parliament, the Council and the European Commission.
Panoptykon, in coalition with the Open Rights Group, the Civil Liberties Union for Europe, and 30 other organizations, has sent an open letter to EU institutions calling on them to reinstate strong protections for users. In particular, we hope the law will enable people to communicate or withdraw their consent through their browser or their phone. This would be a way to get rid of cookie notices designed to extort consent, and would make users’ online experience smoother.
Maciej Zawadziński: GDPR is often presented as a “gold standard” for personal data protection that many countries follow when crafting their own rules. Why is this so? Is there any other legislation that shapes the world’s data protection the way GDPR does?
Karolina Iwańska: GDPR is presented as a “gold standard” because of its progressiveness, comprehensiveness and technical neutrality. It’s the first regulation of its kind in the world. I don’t think there is another piece of law that shapes the world’s data protection to this extent. But it doesn’t mean that GDPR is bullet-proof and that the EU cannot learn from other countries. In the context of the ePrivacy Regulation, EU institutions should look for inspiration in the California Consumer Privacy Act adopted in 2019. This law created the first legally binding obligation to respect automated opt-out signals. A similar provision relating to consent and other preferences of users should be included in ePrivacy to make sure that people can take back control over their online privacy.
Maciej Zawadziński: Laws often can’t keep up with technology. Third-party cookies are being phased out, Google is testing FLoCs and other tracking technologies are becoming options to consider. Will GDPR in its current state be able to secure our privacy? Or will a new “Wild West” of data collection arise?
Karolina Iwańska: Google’s idea for a post-cookie world is a perfect example illustrating the difference between two interpretations of “privacy”.
Firstly, privacy can be understood as data security – the less access entities have to our data, the more privacy we enjoy. It’s a rather reductionist point of view. Ultimately, it comes down to how people’s data is used to influence their choices. That’s why an interpretation of privacy that is closer to my heart and Panoptykon’s mission is related to the concept of informational self-determination – whether people have control over who knows what about them and how they use this knowledge.
Google’s idea for FLoCs would eliminate shady data brokers, which is good, but it will not eliminate online tracking and profiling. Inferences about people would still be used by Google to show them ads related to their online behavior. GDPR’s role will still be important, because – at least in my interpretation – Google would have to collect people’s consent for this new method of behavioral observation.
The question is whether GDPR will be enough to allow people to find out why they have been categorized into particular FLoCs or question the logic of this categorization. In this context, the package of new regulations for online platforms that the EU is working on – the Digital Services Act and the Digital Markets Act – might provide some answers.
Karolina Iwańska – lawyer and policy analyst at Panoptykon Foundation, specialized in the intersection between human rights and technology. Author and co-author of reports on the use of data for online tracking and targeting. Coordinator of Panoptykon’s policy engagement at the EU level in the context of data protection, platform regulation, and AI. In 2019/20 she was a Mozilla EU Tech Policy Fellow working on privacy implications of behavioral advertising and a regulatory approach which would support alternative, privacy-friendly advertising models.