The European Union's General Data Protection Regulation was celebrated as a revolution in how internet privacy could be legislated. It was a reaction to long-term concerns in the EU about information collection by tech giants like Facebook, Alphabet and Apple.
Known as GDPR, the regulation gave sweeping new powers to individuals in how they can control their data, including the right to demand that companies tell them how their data is used, and to ask corporations to destroy their data, a tenet of the law known as "the right to be forgotten."
The law also imposed the world's stiffest potential privacy fines: Up to 20 million euros or 4% of a company's global annual revenue for the previous year for the most egregious violations. For Facebook, such an upper-level fine could therefore feasibly reach $1.6 billion.
But one year later, GDPR hasn't lived up to its potential.
Among some consumers, GDPR is perhaps best known as a bothersome series of rapid-fire, pop-up privacy notices. Those astronomical fines have failed to materialize. The law has created new bureaucracies within corporations, and with those, tension and confusion. And it's unclear if the EU data authority that oversees the law is adequately staffed to handle its demands.
"It's offloading too much responsibility to the individual," to understand the notices and take action on them.
The notices were meant as a jumping-off point where people could begin the journey of understanding how each of their applications and the websites they visit use their data. But they have probably had the opposite effect, Jehl said. "If you have a job, or kids, or hobbies, or a life, you can't do that, keeping track of all that. It would be a full-time job to protect your privacy in a notice and consent model."
Consumers are often confused as to how they can actually take advantage of GDPR's privacy powers.
"I think it has given consumers a greater awareness of what data is being collected about them, and a greater ability to control that data," said Scott Pink, special counsel in the data security and privacy practice at law firm O'Melveny & Myers. "But now, I think there's still some lack of clarity from consumers on exactly what they need to do."
"Consent fatigue" may be an unfortunate adverse side effect, said Odia Kagan, chair of the GDPR compliance program at law firm Fox Rothschild.
"I think that the importance of people understanding what is going on with their data, and not having a surprised reaction that somebody has their information. When you need to click 329 toggles, that is also a problem, because you won't want to do it. The actual process is something we still need to work on so we don't get consent fatigue."
Google was hit with a $57 million fine in January over how it uses data for ad-targeting, but the company is fighting it. Facebook was fined about $645,000 over the Cambridge Analytica scandal, which involved the alleged misuse of customers' personal information for election research conducted by Donald Trump's presidential campaign.
"In the beginning, a number of [EU] regulators informally said 'we know you guys aren't ready for GDPR, and to be honest, we're not really ready either,'" said Jehl. That informal grace period is, however, likely coming to an end, she said.
"The enforcement is just getting started," said Kagan. "The higher fines are very likely going to be in connection with very large companies with very complex structures. We haven't seen them because they aren't done yet."
The data protection authorities have other tools as well, which might be even costlier than fines, Kagan said.
In some cases, EU regulators can tell companies, "You have 90 days to rectify the thing you are doing wrong with the data, or after 90 days you cannot use the data." Sometimes, even the big fines won't make or break them, but the data will if it is a core component of their business.
GDPR introduced something new to many corporations that do business with European clients: a data protection officer.
To be compliant with GDPR rules, companies had to hire (or outsource) someone to lead a data protection office. This is a tricky proposition at many companies, especially the biggest ones, where this new role -- and the bureaucracy that goes with it -- often overlaps with existing executive functions, such as cybersecurity, privacy, legal, audit and technology risk, among others.
"They have a lot of special protections that regular [executives] don't have," explained Jehl. The data protection officer's duty is to protect customers' data, even if that protection goes against other business objectives, meaning there are often different rules on how the executive can be disciplined or dismissed, she said.
The new role is a positive step in terms of "increasing the importance of data and privacy management, and privacy professionals," said Pink.
"But there is still somewhat of a tension between serving those requirements and making sure the business can make a profit, and also ensuring that the expense of complying is adequately funded but not too expensive."
GDPR instituted a new 72-hour breach reporting guideline -- a far tighter reporting timeline than other regulations. It apparently panicked so many companies that they flooded -- and completely overwhelmed -- the U.K. data privacy regulator by September 2018.
"The U.K. commission office basically issued an SOS saying 'you're overreporting, we're drowning here,'" recalled Jehl.
The issue highlights another potential problem with GDPR: Most regulatory agencies in the EU are not staffed to deal with the legislation and its sweeping new requirements. The total budget of Ireland's Data Protection Commission, which oversees implementing GDPR, was about $18 million for 2019, and that's a 30% increase from 2018.
"I still feel like unless there is a very significant increase in staffing, they are probably going to have to pick and choose the enforcement actions that they bring," said Kagan.
EU regulators have also found themselves dealing with a huge influx of GDPR "rumors," or large-scale panics spreading across social media, misinterpreting how the law applies to everyday life events.
For instance, one recent blog entry from the Irish Data Protection Commission discussing events at schools borders on the absurd:
"Take the scenario whereby a school wants to take and publish photos at a sports day – schools could inform parents in advance that photographs are going to be taken at this event and could provide different-coloured stickers for the children to wear to signify whether or not they can be photographed," the Commission suggested. The post goes on to discuss the possibility of schools banning photographs at a high school musical, but suggests that might be unwieldy.
Kagan said, "a lot of things that are said about what GDPR is doing are myths. There are tons of misconceptions."
As a result, regulators have had to spend a great deal of time undoing myths, explaining the law's broad language and providing guidance. She predicts they will eventually shift this time to investigating and enforcing the law.
"In the end, GDPR is all about consent and it's an approach to privacy that is very European," said Kagan. "That's not a mistake. It's a values statement."