What is your take on the first year of GDPR?
On the surface, it looks and feels like a year of mass confusion and chaos. For many individuals, the Web suddenly had a different look and feel, with European and rest-of-the-world versions of websites (with some sites wholly unavailable in certain jurisdictions), an increasing number of paywalls and subscription offerings, and myriad updates to terms and conditions and privacy policies. Businesses took a new or renewed interest in their customer-facing notices and disclosures, in compliance tools and professionals, and in privacy and data protection events and conferences. It’s no coincidence that the International Association of Privacy Professionals’ 2019 Global Summit was its largest yet, with more than 4,000 privacy professionals in attendance. Finally, for governments around the world, there was a recognition that they were next, and that their citizens were looking for the same or similar kinds of protections as those afforded to European citizens by the GDPR. It feels like the first year that we had a truly global conversation about data protection and privacy, and data governance-related issues more generally.
What has been the impact of GDPR in your jurisdiction? Do you think that users and their data have greater protection, as was intended when GDPR was passed?
In the US, and particularly in Washington, DC where I am based, the GDPR has forced a long overdue conversation about privacy and data protection in our houses of Congress. Despite being an early global leader on these issues through international conventions like the Universal Declaration of Human Rights and domestic measures like the Fair Information Practice Principles and the Privacy Act in 1974, Congress has done nothing meaningful on privacy in decades. This absence of action coincides with a series of devastating data breaches of both the public and private sectors, and a loss of trust in our digital platforms, with an impact on nearly all Americans. The question of whether we are better or worse off in light of GDPR is the subject of much debate in our legislature, with the answer depending on preexisting political agendas and biases. Overall, it feels like we have a deep lack of understanding in this country about what the GDPR is and how it’s intended to work that impedes our ability to make such a determination. For example, there seems to be this idea that the GDPR is only about click-box consent. That’s just false.
If you were able to implement a measure that protects user privacy and their data effectively, what would it be?
Perhaps the hardest truth to confront in this arena is that there is no silver bullet. There is no single measure—no piece of legislation, administrative action, technology, or market solution—that can give us a better relationship with our data as individuals, corporates, governments, and as a global society. Progress will be incremental and will require a tapestry of laws, market adjustments, and behavioral changes. The most important thing is to not accept a defeatist version of the future where we have no control over how data is used to impact our choices or decisions, and where we lack any privacy in our communications, thoughts, actions, and lives at large. If we think it’s game over, it is. As Margaret Atwood recently said at the IAPP Global Summit, we must remember what it was like to have a private life.
Elizabeth M. Renieris, Founder at hackylawyER. Find Elizabeth on Twitter @hackylawyER
Thanks to www.thetechnolawgist.com, where this was first published.