EU GDPR fallout in five years’ time: Ten bold predictions

Though obviously no one can predict the future, it is great fun thinking of what will have happened to privacy regulation in five years' time. The EU GDPR has been an agenda-setting legal instrument, but its effects are still only in their infancy.

1. Privacy compliance becomes an absolute must

We've heard it a lot: consumers value their privacy and therefore shop at privacy-savvy companies. It's not really happening - yet. B2B privacy compliance requirements will also have their effect on the B2C market. Moreover, the continuous flow of data breaches and scandals (think: Yahoo and Cambridge Analytica) will eventually raise consumer awareness. Privacy certification confirming GDPR compliance will become as self-evident as a secure SSL connection is today.

2. Your equipment will be the gatekeeper

Even if consumers themselves lack awareness, their equipment will start guarding them. Today most browsers will warn you about a website without a valid SSL certificate. In five years, browsers will be actively protecting your personal data. Privacy by design and privacy by default will not be dead meat anymore. Even the total lack of privacy protection in many 'internet of things' devices such as IP cameras will be under scrutiny in the near future.

3. Privacy by design will include obfuscation[1] by design

One of the ways of protecting your privacy is to organise a wild goose chase. Use a different pseudonym for every service you use. Use customised e-mail addresses. In short: make it impossible (or at least a lot harder) to trace your online behaviour. Today's password manager may very well become an identity manager, fit to compartmentalise your data safely. Just as a password manager takes the chore out of maintaining safe passwords, an identity manager will do the tedious job of protecting your online presence.
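As an added illustration of the identity-manager idea above (example code, not part of the original post or of any existing product): per-service e-mail aliases are derived with an HMAC from one master secret, so nothing links them to each other without the secret, no alias table needs to be stored, and an alias that turns up in a breach dump identifies which service leaked it. The master secret, alias domain and service names are constructed placeholders.

```python
import hashlib
import hmac

# Constructed master secret; a real identity manager would keep this in its
# encrypted vault. Fixed here so the example is deterministic.
MASTER_SECRET = bytes.fromhex("0f" * 32)
ALIAS_DOMAIN = "aliases.example"  # assumed alias domain (placeholder)


def derive_alias(service: str, generation: int = 0,
                 secret: bytes = MASTER_SECRET, domain: str = ALIAS_DOMAIN) -> str:
    """Derive the pseudonymous e-mail alias used for one service.

    HMAC-SHA256 keyed with the master secret means two aliases cannot be
    linked to each other, or to the real identity, by anyone who lacks the
    secret. The same (service, generation) always yields the same alias, so
    the manager need not store a mapping; bumping the generation rotates the
    alias after a leak without touching any other service's alias.
    """
    label = f"{service.lower().strip()}#{generation}".encode()
    tag = hmac.new(secret, label, hashlib.sha256).hexdigest()[:16]
    return f"{tag}@{domain}"


def attribute_leak(leaked_address: str, known_services, max_generation: int = 3,
                   secret: bytes = MASTER_SECRET, domain: str = ALIAS_DOMAIN):
    """Return (service, generation) whose alias equals the leaked address.

    Because every service got a distinct alias, an address surfacing in spam
    or a breach dump points at exactly one relationship. Returns None when
    the address is not one of ours (e.g. a guessed or third-party address).
    """
    for svc in known_services:
        for gen in range(max_generation + 1):
            candidate = derive_alias(svc, gen, secret, domain)
            # Constant-time comparison: timing must not reveal which alias matched.
            if hmac.compare_digest(candidate, leaked_address):
                return (svc, gen)
    return None


def compartments_are_distinct(services) -> bool:
    """True when every service receives its own, unlinkable alias."""
    return len({derive_alias(s) for s in services}) == len(services)
```

Running `attribute_leak` over a list of addresses from a public breach notification would tell the user which accounts to rotate (by incrementing the generation) without exposing any other compartment.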

4. GDPR will facilitate competition and innovation

One of the innovations of the GDPR is the introduction of data portability. In five years, we will see the effects of that right. After initial resistance, it will follow PSD2 in driving competition and therefore innovation in tech. 'Lock-in' or 'stickiness' will never be the same again once you can take your personal data and just leave. Think of the possibilities of taking your data from Google or Facebook to a different service provider. The data subject, also being a consumer, will benefit from increased competition and the accompanying consumer surplus.

5. Even stronger co-ordination between supervisory authorities

Although the GDPR intends to combat forum shopping, companies that carefully plan their activities can still do it. Google's tendency to do everything noteworthy in Ireland will have its effect: in the future, supervisory authorities other than the Irish one might lose their jurisdiction over Google's acts. There will be a response though - the pressure to empower individual supervisory authorities and to co-ordinate their efforts will be massive.

6. European leadership in privacy protection

It's not that the EU has the largest tech companies, or the biggest influence in foreign policy, but the merits of a combined internal market and community of values do deliver leadership in the protection of privacy. The simple reason: if that protection is closely intertwined with economic interest, the two drive each other to be effective. Let's not forget that the goal of the GDPR is twofold: promote the internal market by removing barriers to competition and provide protection of human rights.

7. Purpose limitation is there to stay

Wouldn't it be great to collect data and decide later on what to do with them? It's the dream of any big data company but it has been specifically barred both by the good old Directive 95/46 and the GDPR. Purpose limitation is the cornerstone of privacy protection in Europe and will be guarded even more closely in the next five years. Workarounds can be detected more easily due to GDPR accountability obligations and will be penalised heavily.

8. Protection against individual ratings

China's envisaged 'social credit score' takes rewarding and penalising citizens to a whole new dimension. It would be the ideal topic for today's version of 1984. But today, in Europe, how do you feel about rating your Uber driver less than 5 stars? You might not do this, knowing it endangers their income. I envisage lawsuits against all too rigorous use of review scores relating to individuals, and I think these uses will be effectively sanctioned under the GDPR.

9. Fines, fines, fines

The most boring of predictions, but yes, I think there will be fines following the likes of the 50 million fine CNIL imposed on Google. Gartner expects a total of 1 billion euros in fines before the end of 2021.[2] I expect the total to be 10 billion by the end of 2023, similar to competition law fines imposed by the Commission between 2013 and 2017. Although the fine cap for GDPR infringements is lower than that under competition law (4% versus 10%), enforcement capacity is distributed over many supervisory authorities.

10. Software will be the linking pin

No supervisory authority currently offers an API, e.g. for notifying breaches. Driven by a huge demand for lowering compliance costs, e.g. for data mapping, we will see standardisation of automated communication about personal data flows. The currently latent demand will be articulated, which, in turn, will drive software and standard development and adoption. This will also take supervision to the next level, because it can be partially automated.

Laurens Mommers


[1] Cf. F. Brunton and H. Nissenbaum (2015), Obfuscation: A User's Guide for Privacy and Protest, The MIT Press.

[2] D. Cearley and B. Burke (2018), Top 10 Strategic Technology Trends for 2019, Gartner report.