GDPR privacy concerns still brewing on law's first birthday

The first year of the much-debated EU data protection rule was subdued. High-profile fines for privacy breaches have yet to come, but regulators are starting to take action.

On the first anniversary of the enactment of the GDPR, worried Silicon Valley entrepreneurs with big data dreams can take some solace in this: European Commission data privacy regulators are moving slowly.

The General Data Protection Regulation's first birthday, May 25, marks a year without a particularly high-profile move against the likes of Facebook or Google. Instead, GDPR privacy concerns have been bubbling up via complaints from individuals. Regulators have been fielding European Union citizens' objections to high-tech's use of their data.

Such submissions and objections -- almost 150,000 in the first year by the count of German weekly news magazine Der Spiegel -- now proceed through individual data protection commissions within each EU member state for adjudication.

A fair number of individuals' objections have centered on ad-serving technology fed by software recommendation engines that go to the heart of much of what is now being sold as "AI."

The "right to be forgotten" -- to have personal information about you scrubbed from the internet record upon request -- was the highlight before the debut of the GDPR privacy edict. But the use of data in advertising and the "right to explainability" -- to inform data subjects about how a company's machine learning models work -- are beginning to emerge as areas of litigation.

Waiting for action

The GDPR calls for EU member states to form public authorities responsible for monitoring the application of the regulation. An example is Ireland's Data Protection Commission (DPC).

In Ireland, where numerous U.S. high-tech players have European headquarters, critics have lambasted the DPC as slow. Such critiques are not entirely fair, according to noted data privacy advocate Daragh O Brien, managing director of the Castlebridge data governance and privacy consultancy in Dublin.

In a recent blog post, O Brien said the DPC's need to hire more staff complicates its mission and should evoke critics' sympathy. But O Brien, who is among those eager to see action on data privacy, said the DPC needs to do better.

Slow to take hold

Slow uptake may give tech giants a brief reprieve. But lack of clarity has drawbacks, according to Andrew Burt, chief privacy officer and legal engineer at data governance tool maker Immuta in College Park, Md.

"What seems true today is that there are many bureaucracies involved, in the form of national supervisory authorities," Burt said. "And that is certainly contributing to a lack of clarity in some of the more complex areas of the GDPR."

GDPR compliance is still in transition, Burt said. So far, penalties have been minor, and the EU still seems to be working out many of the GDPR's details, he said, "with most companies still far from full compliance."

Cutting through bureaucracy

"It is starting slowly. People have been becoming aware of their rights," Paul Nemitz, a principal advisor at the European Commission in Brussels and one of the architects of the GDPR, said in an interview.

Appearing last month at a meeting of the AI World Society held at Harvard University, in Cambridge, Mass., Nemitz said AI-influenced automated decision-making associated with internet commerce will become a phenomenon that GDPR will come to cover.

He told the society that he would be surprised if the GDPR does not ultimately cover the right to discover the reasoning behind machine learning predictions.

Still, Nemitz said in an interview that implementing the GDPR has been challenging so far. Data protection authorities have struggled with a new workload brought on by GDPR-related complaints of citizens, he said.

But, Nemitz said, in January, a French data protection agency levied a 50 million euro fine (about $56 million) against Google for poorly informing consumers on how the company's personalized search applications worked.

That decision arose in response to complaints filed by European privacy advocacy group None of Your Business and others.

And the week of May 22, the Google Ad Exchange was at the center of the Irish DPC's long-awaited opening of a formal inquiry related to GDPR. Taken together, these moves could point toward future litigation aimed at AI-infused ad technology.

The lifeblood of machine learning

"Data has been the lifeblood of data science, and machine learning in particular," said Erik Brynjolfsson, MIT professor and director of the school's Initiative on the Digital Economy.

Organizations and countries that have a lot of data have gained an advantage, but Europe is seeing particular tension around data privacy, Brynjolfsson said in an interview at the 2019 MIT Sloan CIO Symposium in Cambridge on May 22. That tension is not altogether off-putting to some tech players, however, Brynjolfsson said.

"It's interesting -- a lot of the big tech companies I have talked to are actually OK with the regulations Europe has put in place," he said.

But a cynical reason for that could be that regulations could serve to entrench the incumbents, Brynjolfsson added.

Tech giants reach some acceptance

The leaders of Google and Facebook have spoken publicly in recent months about their professed acceptance of some tenets of data privacy.

Clearly, their eyes are not on the European GDPR only. Facebook, for example, recently disclosed it had set aside $3 billion in anticipation of U.S. Federal Trade Commission fines for data-related activity the agency is scrutinizing.

These big players understand that, although somewhat slow to date, GDPR is having an effect. As more big data and AI applications move out of development and into production, GDPR actions will continue to bear watching by IT industry participants at all levels, big and small.
