Where will you be celebrating the third birthday of the General Data Protection Regulation (GDPR) tomorrow (Tuesday 25 May)? A bar with privacy-enhancing booths? That restaurant where everyone eats in the dark? Or perhaps simply by offering a friend a cookie they’re not sure they want, then making them sign a series of confusing forms in order to accept it?
Three years ago, the EU implemented its data protection law, which led businesses to send many millions of emails asking for permission to send billions more emails (my personal favourite invited me to “stay engaged with radioactive waste”).
These emails proliferated because GDPR was, and still is, scary for businesses. It introduced the risk of enormous fines – up to 4 per cent of annual global turnover, or €20m, whichever is higher, for the most serious infringements. These fines, with the rest of the GDPR, are retained in UK law post-Brexit.
At the time, there was a good argument for making cyber security a more frightening risk for businesses. Before the law was implemented, companies faced a relatively small fine for trying to keep a data breach quiet, or the greater reputational risk of admitting they’d been hacked.
For example, when TalkTalk lost the personal details of 157,000 (and the bank details of 16,000) customers, the UK Information Commissioner’s Office levied a penalty of £400,000. Dido Harding told me at the time that she thought other companies had covered up their own data breaches (she also suggested the TalkTalk breach might have been the work of a “state actor”; it was later shown to be the work of a 16-year-old from Norwich). But under GDPR, there would have been no doubt about what was the greater risk: TalkTalk could have been fined more than £70m for the breach.
Similarly, when Tesco Bank lost £2.26m to hackers in 2016, it was eventually fined a heftier £16.4m by the Financial Conduct Authority (FCA) – but it could have been much bigger still under GDPR. Four per cent of Tesco’s £48.4bn turnover that year would have been more than £1.9bn.
What’s less scary for businesses is that in the three years it’s been possible to incur such fines, they haven’t really materialised. In 2018, British Airways was threatened with a £183m fine after hackers accessed the personal and financial details of nearly half a million customers through its website, but this was dropped last year to £20m – about 0.15 per cent of the airline’s 2018 turnover. Across the EU, the total fines from more than 600 enforcement actions over three years comes to just over €283m.
This is part of the reason critics of GDPR say it has handed more power to Big Tech – the few companies that can afford to navigate the legislation well, and which ad buyers know won’t expose them to GDPR’s legal risks. The biggest GDPR fine levied so far is the €50m that France fined Google, but this is still less than 0.03 per cent of the company’s 2020 turnover.
Will the power to make an example of a big multinational ever be used? In the UK, it’s looking less likely. In its new data strategy, published in December, the government is clear that it sees “data and data use… as opportunities to be embraced, rather than threats against which to be guarded”. When the UK’s new Information Commissioner is picked later this year, it will be someone aligned with this view.
But as recent big events such as the Colonial Pipeline hack and the announcement of the Air India data breach show, companies have an ever-increasing responsibility to defend their customers against an enemy that is only becoming more persistent. If companies are going to take security more seriously, GDPR may yet have to live up to its fearsome reputation.