At least the emails have stopped.
It was just a month ago that Europe ushered in a new age of online privacy by enforcing the General Data Protection Regulation (GDPR), arguably the most extensive revamp of privacy rules in 20 years — and the trigger for a deluge of emails, many of them pointless.
But, already, the world is a different place.
Across the European Union, data protection watchdogs now have greater powers with which to take on tech giants such as Google and Facebook.
Privacy activists have more powerful legal instruments with which to take on companies they suspect of misusing data.
And companies around the world — effectively, any that do business within the EU — are exposed to fines of as much as 4 percent of their annual revenue, or €20 million, whichever is greater, if they mishandle Europeans data.
In the words of European Justice Commissioner Věra Jourová, the arrival of the GDPR opened “a new era for many companies.”
Yet so far, what has really changed? Here is our guide to whats new, and whats not, in Europes new era of online privacy.
1. Complaints flood in
On May 25, the day GDPR came online, companies large and small were ready to receive an onslaught of complaints designed to test the new standards. And, like clockwork, those legal complaints flooded in, with most of them targeting large tech companies like Google and Facebook.
The best-known of all such complaints came from well-known privacy advocates, notably Max Schrems. He and others spent years preparing to use new legal tools to force companies like Facebook and Google to change their data collecting practices.
Beyond such high-profile complaints, early figures from national regulators and the European Data Protection Board, a pan-regional group of national watchdogs, show an increase in complaints filed and cases opened.
“The general public is interested about all the transparency obligations, consent and all the new rights,” said Isabelle Falque-Pierrotin, French chief data regulator and one of Europes most powerful watchdogs.
Google and Facebook were already dominant in this market before Europes new rules came online. Now, they are even more so.
In Austria, 128 complaints and almost 500 questions have been filed to the local data protection authority under GDPR. There have also been 59 breach notifications, which is about the number the Austrian data protection authority would receive in the span of eight months before GDPR, according to the regulator.
In France, complaints are up by more than 50 percent compared to the same period last year, according to national regulator CNIL.
And at a European level, there are now also 29 cross-border cases under investigation.
“The European Data Protection Board machinery is up and running,” said Andrea Jelinek, chair of the board, which coordinates the work between DPAs. “Nobody can ignore the GDPR anymore.”
These complaints will push the regulators to start probing companies and open investigations into misuse of Europeans data — a quest that could quickly end up in courts across the Continent.
2. Google and Facebook extend dominance
In the run-up to Europes new privacy rules, experts warned that one of the industries likely to be most affected is online advertising, which relies heavily on harvested data to show people targeted ads.
Google and Facebook were already dominant in this market before Europes new rules came online. Now, they are even more so.
Smaller advertising players and publishers have run into difficulties in complying with the often onerous legislation, with several U.S. companies making public statements about pulling back from Europe because of the new standards.
In contrast, Facebook and Google, which spent millions of dollars over the past two years to prepare, have expanded their online advertising footprint as these other companies have pulled back, according to industry statistics.
So much for Europes privacy rules helping to increase online competition.
3. The inevitable US pushback
With Facebooks data scandal pointing Americans to the weaknesses of privacy protections, theres a growing call for Washington to reboot its own privacy rules, some of which date back to the 18th century.
But amid claims that Europes new standards are fast becoming global de facto norms, U.S. policymakers have pushed back, claiming the EU is over-reaching and the rules break some of the fundamental elements that power the internet.
Wilbur Ross, the U.S. commerce secretary, led the charge with a broadside arguing that Europes privacy standards would likely reduce global trade and create barriers for international law enforcement to share data. Tech executives have followed suit, suggesting that the data protection overhaul is making Europe more like China when it comes to policing the digital world.
“The work is not stopping here, we are still waiting for all countries to fully adopt their national laws” — European Justice Commissioner Věra Jourová
“They wanted to say this is Europe being aggressive and developing a kind of protectionist tool,” said Falque-Pierrotin, the French regulator.
Some voices in Washington, though, are calling for new American privacy standards.
Privacy “is becoming more of a mainstream issue for the traditional consumer,” said Norma Krayem, senior policy adviser at law firm Holland & Knight in Washington, though she noted “it has been at a slower pace here than in the EU.”
4. Countries are still catching up
The Commission is keeping tabs on countries that have not yet finalized their national implementation laws, which transpose the EU rules into legislation. The new standards leave much fine-tuning up to EU capitals, and national data protection authorities also need these legal frameworks to do their job, and budget for it.
But Commission data shows that less than half of EU member countries — only 12 countries — have adopted final versions of the laws.
The laggards: Belgium, Bulgaria, Czech Republic, Estonia, Cyprus, Greece, Italy, Latvia, Lithuania, Luxembourg, Romania, Finland, Hungary, Slovakia, Slovenia, Spain.
Above all, online ad companies are still figuring out what legal basis they can use to keep doing what theyre doing.
Some of those countries are waiting for the publication of national legislation in the official journal. But others are not nearly done drafting national laws.
Jourová said the Commission would keep up the pressure. “The work is not stopping here, we are still waiting for all countries to fully adopt their national laws,” she said. “We will then work on a assessment on the impact of the GDPR on the ground, including on SMEs, for the one year anniversary in May.”
5. Website banner boom
Days into the new rules, it already appeared that the biggest effect was the near constant flood of emails that people were bombarded with asking to reconfirm consent — often unnecessary requests.
In the past weeks, the same has been happening with website banners asking to drop cookies on users devices.
The online ad industry has warned about the boom in these so-called cookie banners. The banners “will become more intrusive because more information needs to be provided and an affirmative act needs to be given,” Matthias Matthiessen, an expert at the online ad lobby Interactive Advertising Bureau Europe, previously told POLITICO.
Above all, online ad companies are still figuring out what legal basis they can use to keep doing what theyre doing. To be on the safe side, that means websites have expanded their banners and increased the numbers of clicks a user has to go through before accessing content.
6. Experiments with freemium
The new privacy rules have made it harder for companies — especially publishers and news organizations — to make money from targeted advertising.
Publishers are in a struggle with Google and other ad-tech companies about who has to ask readers for consent: websites or the ad-tech sector. Internet users also are becoming more aware of the privacy implications of cookies, trackers and targeted ads, increasing the likelihood that they refuse to give the consent on which the ad-tech industry has grown reliant.
Some have taken other, arguably more radical, approaches. The Washington Post is perhaps the largest publisher to test new “freemium” models (in which a “free” model includes advertising while “premium” access does not) that would allow their services to continue without ads — a new product they call the “Premium EU Subscription.”
However, other media brands like the Los Angeles Times owned by the U.S. publisher Tronc, are still blocking EU users. After a month, its increasingly looking like a policy rather than a short-term solution to not complying.
7. GDPR: Global standard?
Whisper it quietly, but Europes privacy rules are gradually being felt worldwide. Japan and Argentina already have overhauled their domestic rules to comply, mostly to ensure they guarantee so-called adequacy agreements, or data-sharing deals, with the EU. Others like Canada, South Korea and Colombia are similarly tweaking domestic legislation with an eye to the EUs new standards.
The same, though, cant be said for many of the global tech companies, many of which have so far limited the data protection rules to their European customers, according to an analysis by Assembly, a regulatory research company. Amazon, LinkedIn, Facebook and others have not extended the rules across their worldwide operations, though Spotify and Sonos, the digital speaker manufacturer, have made the EU rules their global default, according to Assemblys report.
