The European Union’s General Data Protection Regulation (GDPR), now approaching its first anniversary, has been seen as the world’s best hope of bringing privacy back from the dead – reversing, or at least slowing, the seemingly inexorable march of ever-more-intrusive corporate surveillance by major tech companies.
Its provisions provide for mega fines – up to 4% of a company’s annual global revenue – for misuse of data or violations of users’ privacy. That could easily reach into the billions – Google’s annual revenue is closing in on $140 billion and Facebook’s is around $55 billion.
So amid the blizzard of first-anniversary stories, the most obvious question is: Is it working? How well is it fulfilling its promise so far? And, perhaps not surprisingly, there is a clear mix of opinions on that.
Nicholas Vinocur, technology editor in France for Politico, recently presented the “not so well” case, based on what regularly tends to emasculate the best-intended legislation – what he called a “significant loophole.”
Specifically, the law provides for the “lead regulator” (chief enforcer, in other words) of multi-national firms to be within the country in which those firms have their “main establishment.”