So, we approach the GDPR’s first birthday. You know what’s nice for birthdays? Fines. Really big ones. According to an article in today’s Times (paywall), significant GDPR monetary penalties from the ICO are imminent, around the 1-year mark for our new data protection regime. The Irish DPC is apparently limbering up likewise. And it also announced its investigation into Google’s Ad Exchange this week, which could develop into a very significant foray into online ad tech.
So where on earth is the new e-Privacy Regulation? Good question. The European Council has announced in the past few days that an agreed text is still some way off.
If you delve into the EU Parliament’s website (a nice thing today, on election day), you will find a helpful summary of the outstanding issues, as well as a bit of history of aspirational timetables. This is all accompanied by a curiously retro little graphic of (I think) a train. It hasn’t gone very far out of its shed (maybe because it doesn’t have a driver?) but there is some imagery of a track. It all has something of the flavour of Brexit transport infrastructure planning on Chris Grayling’s desktop, but I think the overall point is that things are behind schedule, as there are a number of lingering points of disagreement at the European Council level. So there is no agreed draft text for the Council to discuss with the Commission and the EU Parliament.
Sticking points appear to concern inter alia impacts on artificial intelligence, data retention, privacy browser settings and mechanisms for securing cookie consent, e.g. via a generic consent covering parties on ‘whitelists’. Overall: it doesn’t look like we will get the missing piece of our privacy jigsaw anytime soon, so the ‘old’ e-Privacy laws remain in place alongside the GDPR.