The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO’s favourite weekly read ☕️
Hello and welcome to another edition of the DPOInsider.
A special hello to those who have subscribed since last week’s edition. Thanks for joining. You can see all of our previous editions here.
The GDPR is four years old
Time is going past so quickly, etc etc. Yes, that’s right, it’s four years this week since the day when we all received a hundred emails from organizations that we didn’t know, asking us if they could continue to contact us.
Joking aside, what have we learned since the implementation of GDPR? What’s changed?
Well, apart from €1.7 billion in fines, it could be argued that the GDPR hasn’t had a decisive effect on eliminating the misuse of personal data.
These things take time, of course. But IMO, the GDPR faces the following challenges:
A culture of hostility from businesses. I can’t remember any other legal requirements routinely positioned as ‘killing innovation’. For example, it’s rare to see tax laws ridiculed in the same way.
Technical limitations - many businesses struggle with implementation across national borders, and with vast, fluid data sets within their organization, it’s hard for them to implement a technical solution.
Lack of enforcement from DPAs. Despite significant name cases attracting news headlines and increasing fines in the past year, I’ve heard of many open investigations.
The failure, so far, to entirely shift to the view that privacy and compliance can be a business enabler.
So, in short, we are moving in the right direction. But there’s still a lot of work to be done. Here’s to the next four years!
Twitter’s turn in the spotlight
Step aside, Google. It’s Twitter’s turn to get a nasty slap on the wrist. This week, the tech company was hit with a $150 million fine for misusing phone numbers and emails in its ad targeting solutions.
The data was collected for security reasons. Even Elon Musk chimed in on the news:

It’s unclear whether this was simply a mistake. As we mentioned with Google last week, these fines are a great prompt to check the governance and compliance implementation at our own organizations.
EU at the forefront of a global data privacy agreement
It seems that the EU is highlighting the need for a global data privacy agreement.
According to the Wall Street Journal, European Data Protection Supervisor Wojciech Wiewiórowski said, “There is a need for more world-wide convergence” around global privacy laws, whilst other European officials recently said that Russia’s invasion of Ukraine highlights the need for a “global data privacy agreement”.
Separately, during a Washington, D.C., visit this week, a delegation of seven members of the European Parliament’s Civil Liberties Committee met with legislative and administrative leaders.
Committee Chair Juan Fernando López Aguilar said Parliament “wants a robust, effective and data protection compliant system for international data flows that provide the adequate level of data protection for EU citizens.”
We’ll continue to monitor this as it develops, but there are a number of barriers to a global solution. For now, the need to protect personal data as it flows between regions and jurisdictions isn’t going away.
Notable links:
DuckDuckGo allegedly has a tracking deal with Microsoft. This is a potential disaster for the “privacy-first” browser.
I tried not to take too much of a walk along memory lane with the GDPR content above. But for those interested in a touch of lighter reading around that fateful GDPR day, check this out.