23 Jul 2018
The age of GDPR cometh: exploring our post-GDPR world
As the General Data Protection Regulation (GDPR)’s zero hour approached on May 24th 2018, fear gripped the marketing world.
Misinformation and confusion abounded, and no-one seemed quite sure exactly what was about to go down. To hear the marketing blogosphere tell it, we either stood on the precipice of a digital marketing armageddon, or a complete non-event barely worth considering at all.
As we approach the 2-month mark of the GDPR’s reign, it appears (as is so often the case with such things) that the truth lies somewhere between these two extremes. Probably a fair bit further toward the “non-event” end of the spectrum than most expected, but somewhere in the middle nonetheless.
Now, as the terror fades, it’s time to take stock of how the implementation of the GDPR has played out thus far, and how it has (and hasn’t) changed the world we live in.
Here’s what we’ve learned so far…
The Jehovah’s Witnesses feel the GDPR’s wrath
Despite the Jehovah’s Witnesses challenging a 2013 Finnish ban on collecting personal information during door-to-door visits without consent on the basis that preaching should be considered a personal religious activity, the Court of the Justice of the European Union (ECJ) in Luxembourg ruled on July 3rd that “A religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching”, and that “The processing of personal data carried out in the context of such activity must respect the rules of EU law on the protection of personal data.”
It seems as though Jehovah’s Witnesses operating across the EU will now need to gain explicit consent before mailing EU residents any more pamphlets.
No word yet on how things will play out in post-Brexit Britain.
Whois? None of your biz!
US non-profit firm ICANN, which manages the global Whois database of registered domain names, has hit its own GDPR speedbump. After demanding that German domain registrar EPAG collect personal data from anyone buying a domain name in Germany – a demand which EPAG refused – ICANN filed a lawsuit to force EPAG to collect and hand over the data ICANN wanted.
However, the German court ruled that under the GDPR, ICANN has no legal standing to force an EU company to collect personal data, and the European Data Protection Board (EDBP) stated that “The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring Whois in compliance with European data protection law since 2003.”, and that ICANN was warned some time ago that its GDPR plans were “fundamentally flawed”.
The long-term implications for Whois and the domain registry industry as a whole remain somewhat unclear.
The world is taking note… and it likes what it sees
The implementation of the GDPR has acted as a catalyst for several other countries, including Japan, Argentina, and even some US states to begin aligning their own data legislation with the GDPR’s framework.
On June 19th of this year, the government of Canada began its own data regulation consultations and is expected to implement GDPR-style regulations in the not too distant future. As data misuse scandals continue to make headlines worldwide, it seems to be just a matter of time until even more nations begin drafting legislation of their own and fall into line with the rules laid out by GDPR.
A world where the citizens of every country can count on some level of protection from bad actors collecting and processing their data without consent may be coming sooner than many might think.
People be snitchin’
Since the GDPR came into effect, French data protection regulator CNIL has reported a 50% increase in the number of complaints it has fielded from citizens who felt their data has been misused.
This trend may be indicative of a larger trend spurred on by proliferating revelations about the ways user data is actually being exploited, like the Facebook/Cambridge Analytica scandal earlier this year, but the increased sense of personal empowerment the GDPR has given EU citizens about their personal data privacy has certainly played a major role as well.
While the GDPR’s impact has not been as massive as some had expected thus far, it is a safe bet that there will be plenty more changes and precedent-setting legal battles in the months and years to come.
And, with more countries jumping on the GDPR and data protection bandwagon by the month, the long-term effects of the implementation of the GDPR remain to be seen.