A while ago, a headline appeared on VRT: “Free bottle of wine hidden in small print of privacy policy claimed after 3 months”. It took three full months before someone discovered the free wine, hidden in the depths of a privacy policy. With this, the organisation aims to demonstrate that a lot of money and time goes into creating these mandatory policies, while data subjects rarely seem to lose sleep over their privacy.
The GDPR, which aims to protect the privacy and personal data of people within the EU, celebrates its sixth anniversary this week… But are people actually concerned about this? Are they aware of the online data collection frenzy and its impact on their personal lives? We ask Bart van Buitenen, himself a privacy aficionado and, thanks to his experiences and privacy non-profit, the perfect person to keep a finger on the pulse.
Why have a privacy policy then?
Six years ago, on 25 May 2018, the world was turned upside down for many organisations. It was all hands on deck to set up cookie banners and write privacy statements meticulously describing which visitor data was processed and for what purpose.
Fast forward to 2024… It seems that people blindly click “accept” when an annoying cookie banner pops up and don’t bother to review a privacy policy while browsing. So why would an organisation put so much effort into writing and keeping such a page up-to-date? “Of course, you have people like me who scroll through the privacy policy for fun, but that’s a minority. You don’t put a privacy policy on your website because it should be read every day… You put it there for people who want to exercise their rights… You want to inform them when it’s necessary for them. So it’s not illogical that it takes a while before a hidden wine bottle is found in the text,” says Bart.
Do people lose sleep over their privacy?
Okay, we understand that. The GDPR, with all its rules, ensures that people can exercise their rights when it suits them. That’s obviously a positive thing. But are people actually aware of the extent to which their personal data is collected, processed, and used online? “No,” Bart concludes briefly. “In every awareness session I give, whether in companies or at the university, you see people frowning when you confront them with the amount of data collected online, and what impact that has on their own lives.” So while the GDPR legislation is well-intended to inform people about what happens to their data, many people are still not really aware of the scale of data collection.
We also see this in the enormous popularity of apps like Temu and TikTok, where the revenue model rests purely on data collection. These apps request access to an enormous amount of data on your smartphone (much more than just your name and email address: what about your photo library, or even your microphone?). If you grant that access, you can be sure that Temu and TikTok will sell your data to the highest bidder. This way, people themselves become the product.
It starts with digital literacy and awareness.
The fact that it doesn’t resonate with the average person seems to have a lot to do with a lack of communication. “A campaign from the government to merge on the motorway is no problem at all, but getting a budget to sharpen the digital literacy, and especially the knowledge about fundamental rights around data protection of the population… There seems to be little enthusiasm for that.” You might then wonder, is that just as important as, say, road safety? Given the high degree of digitalisation and the rapid emergence of new technologies, Bart believes it is.
Yet we notice, even 6 years after the GDPR legislation came into force, that authorities are chronically underfunded, often leaving no resources for such awareness campaigns. “Give the authorities a doubling of their budget tomorrow, and they’ll still be short of hands and feet,” Bart laughs, “but you’ll quickly see a gigantic change. It’s a shame that you have a law that should be enforced through an authority, but due to a lack of resources, they can’t get around to it. This is not only a problem in Belgium, but we see the same happening in the Netherlands, for example.” So there’s still work to be done.
Positive outlook for the future.
You might almost become cynical about it. Yet privacy professionals, like Bart and ourselves, remain positive. “I’m basically a huge GDPR fan. I think the text is well-written and very understandable. We also shouldn’t forget that we’re only 6 years into a journey that’s as profound as this one, you don’t just do that in 6 years. That takes time,” Bart emphasises. “GDPR has made companies more aware of their customers’ privacy. This has led to better protection of personal data and more transparency about how this data is used.”