Has GDPR failed because of a lack of will to enforce it?
'The Commission is not serious about it; the member states are not serious about and activists aren't serious about it either' says Johnny Ryan of the Irish Council for Civil Liberties during a roundtable debate
GDPR has failed to protect personal data, and that failure is killing the media and social institutions.
That is the conclusion of Dr Johnny Ryan, a senior fellow at non-profit the Irish Council for Civil Liberties, as voiced during a round table debate organised by the Brussels Privacy Hub this week.
Ryan's contention is that the GDPR is good legislation, but it's nothing more than a 'beautiful dream' because no-one is interested in prosecuting it.
"The Commission is not serious about it; the member states are not serious about it because no-one enforces it. And activists aren't serious about it either because we're not taking cases. No one is serious about it," he said.
This lack of seriousness is allowing a hollowing out of the media industry, and by extension society, he continued, in a race to the bottom.
Ryan, who was previously chief innovation officer at The Irish Times, said that publishers are chasing the "false science and illusion" of customer 360, and lacking the where-with-all to do their own data science have got into bed with the myriad players that make up the adtech industry, a move which he argued could ultimately destroy them.
"Publishers became integrated with the tracking industry. They became incapable of protecting their own data. For the last decade the tracking industry has been finding desirable audiences on a publisher's site and then moving to very cheap websites and retargeting those audiences there as well. This arbitrage enables the bottom of the web to make money and makes it impossible for legitimate publishers to charge at the same price that they had for their own audience."
Ryan, who described the current situation as "a dystopia", said the host has become dependent on the parasite.
Both advertisers and publishers are trapped in a crippling conservativism, Johnny Ryan, Irish Council for Civil Liberties
"We've got this crazy situation where both advertisers and publishers by attempting to embrace what you might call innovation and data are trapped in a crippling conservativism. And they have both railed against the privacy protections that could have reformed the advertising industry and saved their businesses."
A society without a quality media is in danger, Ryan went on, and there is no point in the EU working on new data protection, consumer and competition law such as the Digital Markets Act (DMA) designed to control the power of big tech, and the Digital Services Act (DSA) which aims to regulate online content since it has shown itself unprepared to act on GDPR, for which he blamed the influence of tech lobbyists and the weakness of the Data Protection Authorities.
The debate was centred around whether data protection could be seen in the same light as environmental protection, with a sweet spot of 'sustainability' in which all parties - business, individuals and institutions - could thrive.
The GDPR came too late, that's the problem, Massimo Attoresi, EDPS
Massimo Attoresi, deputy head of the Technology and Privacy Unit at the European Data Protection Supervisor, which regulates data processing by European institutions, argued that some of the acknowledged issues with the practical outcomes of GDPR would be resolved when it became part of a larger framework of legislation, including the incoming DMA and also agreements with the OECD and the USA.
"The GDPR came too late, that's the problem" Arroresi said. "It was a very thorough piece of law enforcement, it was also very well [thought through] and I have the impression that it is the best thing we could have [come up with] at that time.
"The problem is that the time was late and all the business models we are finding ... which are not legal at the end of the day [were already in place]."
It was never the DPAs' primary duty to be enforcers, he went on, rather to help more sustainable practices develop.
You've got to innovate to show brands and show people that there are alternative models, Luke Mulks, Brave
Representing the business side of the equation were Luke Mulks, director of business development at browser company Brave and Isabella de Michelis CEO of mobile privacy app ErnieApp.
Mulks said Brave is working on a new model for advertisers in which users' attention is rewarded with the BAT (Basic Attention Token) cryptocurrency. This model can see users viewing far fewer ads which are also better targeted, he explained, adding that Brave is now working with some of the biggest ad agencies and is growing rapidly year-on-year.
"You have to lead by example. There's always hope in waiting for the regulation, but you've got to innovate to show brands and show people that there are alternative models that don't require all the data collection that the marketing and advertising industries will try and tell you is the only way of effectively serving ads."
We have a law but it's meaningless for consumers, Isabella de Michelis, ErnieAPP
For De Michelis the answer is to distil the key elements of GDPR into an interface so that they are easy to digest by app users via a process she calls Privacy Knowledge Management (PKM).
"We have a law but it's meaningless for consumers; we have solutions, but they're so complex that the users might not understand it, or simply they will not be aware of them because the big tech is dominating the narrative around what the solutions are.
ErnieApp engineers GDPR Article 6A "into four clicks, opt in, opt out, delete and transfer," she explained, allowing users to understand what is happening with their data and act on it.
However, Ryan said that while welcome, such efforts amount to tinkering around the edge.
"Europe has so few jewels left in her crown and one of them was GDPR. Europe used to be incredibly important but it no longer is, but one of the areas where it can claim some importance is as a regulatory superpower. Fewer people will say that today than would have said that yesterday and that will continue," he said.