Analysis: Why GDPR may not work at all

World
Europe

You don't really need to search your mailbox for "GDPR" to realize how many messages you've received about "privacy policy changes."

Memes are being created all over the place, like this one:

Star Wars movie director Rian Johnson makes fun of GDPR-related emails with his classic staff crawl. /Screenshot from Twitter

After you may have laughed and got bored about GDPR, there's something important behind it.

The General Data Protection Regulation is the EU's answer to the global privacy concerns raised by data breaches such as those involving Cambridge Analytica and Equifax.

Its impact is so strong that even we at CGTN, a media organization based in China, have to take actions, because we target a global audience, including EU citizens.

Getting a string of emails may seem akin to insurance for some. But can GDPR really protect EU citizens' privacy? Let's look at some key changes it is bringing to those "evil" companies that may be preying on your secrets.

Get companies to delete your data?

GDPR grants EU citizens a right to force companies to delete their personal info, which is cool when you realize you can't remove your account from a lot of online services.

But the problem is verification. How can you tell whether your info has been wiped out or not?

The databases of Internet companies are almost black boxes to users. "It's a company secret," they will say.

So you can't look into it to make sure. Searching is not a good idea, because the companies can just hide your info from results, but still have access to it.

Big fines: Will it actually happen?

If a big company like Google fails to behave, it's screwed: The fine under GDPR for naughty companies is four percent of annual global revenue, or about 23 million US dollars, whichever is higher.

Google's revenue in 2017 was 109.65 billion US dollars, according to Statista. That means a fine can be more than four billion dollars. Wow.

Now, just one day after GDPR went into effect, Google and Facebook are already facing lawsuits filed by activists for allegedly tricking users into providing personal data.

Will the billion-dollar fine be imposed? Big tech companies don't lose lawsuits without a fight. Think about the phone design suit between Samsung and Apple (the famous "round-corner rectangle" case). It's seven years old now and hasn't been completely settled yet. Latest update? Just on Thursday, a jury said Samsung should pay Apple 539 million US dollars.

Tronc backs off

GDPR may drive away some companies from Europe. One quick example is Tronc, a media company that owns the Los Angeles Times and Chicago Tribune.

If you visit the website of these two newspapers in Europe (or through a European VPN service), no news will come out. You will be greeted by a notice saying they're not serving the EU for now.

Screenshot from Los Angeles Times

The website notice also said Tronc is seeking to fix the issue.

So for now, EU citizens may have trouble accessing some online services that have not fully prepared for GDPR.

With all that said, GDPR is still a very strong message, that big internet companies are not the rulers of the web. There are still ways for governments to limit them.

China also has a system to limit Internet companies from exploiting users' data. A regulation that came into effect in 2013 prohibits all Internet companies operating in China from selling user data. And the companies have to clearly tell users what data they're collecting and how they will use it.

There has to be a way to query and change personal data, with an account-deletion service a must-have, the Chinese regulation says.

But China's fine of less than 5,000 US dollars is unlikely to hurt the Internet giants.