As GDPR turns one, its limitations have become increasingly visible. Permitting Facebook to deploy facial recognition across the EU, exempting most businesses around the world that harvest and mine EU citizens, a failure to take any meaningful action against violations, massive exemptions that cover almost any conceivable behavior: it seems GDPR has been more hype than reality. Indeed, even the European Commission, asked what it sees as the benefits of GDPR, could not come up with an answer. Instead, the few laws that have actually granted some degree of privacy all predate the social media era, reminding us of the futility of attempting to pass privacy legislation today.
The European Union touted GDPR as the ultimate protection against the modern surveillance state, lavishing every announcement about it with hyperbolic claims of total consumer protection.
The reality has been nearly the opposite, rolling back almost every privacy protection that existed prior. Most notably, after years of Europe’s previously tough privacy laws largely prohibiting facial recognition, GDPR granted Facebook the right to deploy the technology continent-wide.
In the US, a once-obscure 2008 Illinois law has rocketed to the forefront of the biometric battle. The Biometric Information Privacy Act (BIPA) has emerged as critical privacy bulwark against social media platforms.
Notably it was passed more than a decade ago, at a time when few Web companies were deploying facial recognition at a global scale. In this regard, it did not face the onslaught of entrenched business interests deploying an army of lobbyists to carve out myriad exemptions for their activities.
Indeed, as Web companies have boarded the biometric bandwagon, Illinois’ law has come under intense pressure, with lawsuits attempting to strike it or carve exemptions and proposed legislation seeking to undermine it.