Updated February 15, 2020.
One year has passed since the European GDPR (General Data Protection Regulation) came into effect on May 25, 2018.
A helicopter view of the situation a year later reveals both challenges and promises to its enforcement and effects.
Here is a GDPR anniversary update!
Reminder: What is the GDPR?
The GDPR, or General Data Protection Regulation, is an EU law that regulates how companies, organizations and other entities handle personal data. Its jurisdiction is global, because it requires everyone who deals with the data of an EU citizen to abide by its rules and regulations.
The GDPR empowers Europeans to control what data they wish to share, as well as enabling them to request their collected data deleted.
If you have a website, you most likely have cookies and tracking technology operating on your site and you are therefore required by the GDPR to comply to its rules.
- obtain clear and unambiguous consent from its users,
- prior to any processing of personal data,
- after specifying all types of cookies and other tracking technology present and operating on its pages,
- in easy-to-understand ways that enable users to consent and to revoke consent on each specific category of cookies,
- to then be able to safely and confidentially document each user consent,
- Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
In doubt whether your website is GDPR compliant? Test with the free compliance test from Cookiebot consent management platform (CMP)
Try Cookiebot CMP free for 30 days… or forever if you have a small website.
GDPR consent management after one year
If you have a website that provides services to the EU, you are legally bound to be compliant to the GDPR.
This means that you must follow its requirements for how to handle user data and personal information.
Using a consent management software like Cookiebot CMP can make you 100% GDPR complianct.
GDPR enforcement overview
One year into the enforcement of the GDPR, we are slowly beginning to see its impact.
While fines have been slow to ramp up against companies and businesses who violate the GDPR, its effects can also be seen on new privacy laws springing up around the globe, as well as its role as an instigator of public privacy discussions.
How can the GDPR be enforced?
The GDPR can be enforced in various ways, ranging from –
- fines up to €20 million or 4% of annual global revenue, whichever is highest,
- data protection inspections directed by the EU Commission,
- temporary or permanent restriction of an entity’s ability to process and/or collect data,
- and ban from operating in the European Union.
So far, the most common GDPR enforcement has been warnings and fines.
GDPR fines in Year One
The sum of GDPR fines one year into its enforcement amount to approximately €56.000.000, according to the IAPP.
The average GDPR fine has so far been approximately €70.000, according to the London-based accounting firm Ernst & Young.
Most of the GDPR enforcement cases so far have been discretionary, i.e. they have been imposed on a case-by-case basis.
The fines differentiate based on the what articles of the GDPR a company violates: if it violates its own obligations it will be subject to lower level fines, whereas violations of individual privacy rights will be subject to higher level fines.
Germany, Poland, Denmark, Austria and Portugal are among EU member states that have fined companies or organizations for GDPR violation in this first year.
France leads the GDPR enforcement in Year One
The French data protection authority CNIL can rightly be called the leading watchdog of GDPR when it comes to both enforcement and guidance so far.
CNIL received over 11.000 complaints in 2018 – an increase of 32.5% from the year before – and a large percentage of the complaints has been centered around the GDPR-introduced right to request deletion of personal online data. The French DPA has also been exemplary in guiding companies in GDPR compliance, as well as advising government legislation.
The largest monetary enforcement of the GDPR yet also emerged from CNIL on January 21, 2019, when the French data protection authority levied a €50 million penalty against Google for three separate GDPR violations – lack of transparency (Article 12), inadequate information (Article 6) and lack of valid consent regarding the ads personalization (Article 7).
The €50 million fine was the result of an investigation launched on the basis of two group complaints by the privacy associations None of Your Business (noyb) and La Quadrature du Net (LQDN), who accused Google of violating the GDPR regarding the processing of personal data, particularly in the case of personalized advertisements.
“For the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law”, said the chairman of noyb Max Schrems.
These complaints were put to the French DPA on May 25 and 28 of 2018, that is, on Day One and Day Three of the enforcement of the GDPR. That it took CNIL six months to investigate and enforce, tells us something about the timeframe of larger GDPR enforcement cases… and might hint at much larger enforcements to come.
IRELAND, a challenge and a promise
Technically, Ireland has the singular role of being the GDPR’s lead regulator.
Why, you might ask?
Well, because a provision in the GDPR specifies that its lead regulator be the country that houses a tech company’s data controller, and because Ireland is the European headquarters for many big tech companies such as Facebook and Google, who enjoy lax tax arrangements from the Irish government, Ireland has the responsibility of leading the enforcement of the GDPR against the industry’s biggest.
Both the German and French DPAs have expressed their frustrations over the Irish DPA’s lack of enforcement.
However, the Irish DPA revealed recently that their office plans to announce enforcement actions this summer, adding that they currently have 51 large-scale privacy investigations open, 17 of which involve tech companies like Twitter, WhatsApp, Instagram, LinkedIn and Apple, while 7 cases specifically involve Facebook.
On May 22, 2019 – three days short of GDPR’s birthday – the Irish Data Protection Commission (DPC) announced a comprehensive investigation of Google’s DoubleClick company (in the meantime rebranded as Authorized Buyers) for “suspected infringement” of personal data processing. The probe was triggered by a formal complaint from Dr. Johnny Ryan, Chief Policy Officer at Brave, the private web browser.
This investigation could lead to severe fines against Google, or even worse for the company: a complete prohibition of using personal data in its advertising system. The GDPR is showing teeth indeed.
A year into the enforcement of the GDPR we’ve mainly seen smaller fines, but have now begun to see larger and larger investigations and fines on the horizon, exactly because the bigger enforcement cases against the biggest industry heavy weights take a long time to build and execute.
This is why privacy experts say that they expect larger GDPR fines are on the way.
Other GDPR enforcement techniques
The GDPR authorizes the national data protection agencies to be the chief enforcing bodies of the law. This means that national DPAs can fine companies (up to €20 million or 4% of their global revenue) or they can dictate how or what data companies can use in their business.
The latter can be enforced e.g. in the case of a data breach, where regulators deem a company negligent. In this case, they may issue an ultimatum for the company to either rectify the breach within 90 days or stop using the data that it has collected.
If a company relies on data collection as a core business model for profit, this could potentially be a bigger blow than a fine, however large.
- The Dutch DPA has prohibited the country’s tax authorities, since January 1, 2020, from using national identification numbers as part of their tax return number system.
- The Maltese DPA temporarily prohibited its country’s national land register to process data while it investigates the authority.
GDPR as ripple initiator – privacy laws around the globe
One year into the GDPR, we begin to see another of its impact that hasn’t to do with fines or enforcement, but with legal change – what LinkedIn’s head of global privacy recently called “the GDPRization of laws across the world”, meaning that laws all over the globe are beginning to spring up and take shape with inspiration from the GDPRs scope and strength.
Among the nations or states in the world that either have passed or are in the process of passing privacy laws are …
- Brazil, whose LGPD entered into effect in August, 2020.
- California, whose CCPA entered into effect on January 1, 2020.
- India, whose PDPA (Personal Data Protection Act of 2018) has been drafted, but not yet implemented.
Argentina, Israel, Chile and China are among other nations who are working on privacy laws and regulations.
Public awareness of the ad tech industry and privacy
When it came into effect on May 25, 2018, GDPR was a top Google search keyword, outnumbering both Beyoncé and the Queen of England.
It doesn’t anymore, but its mainstream reach is still to be felt. The effect of the GDPR has also been to foster a public discussion about privacy that is still raging to this day.
Its date of effect a year ago more or less coincided with the revelation about the Facebook/Cambridge Analytica scandal, perhaps the biggest, most reported privacy crisis last year, only rivaled by the digital interference by the Russian government in the US presidential election.
Some of the biggest news outlets in the world have reported on the GDPR continually and privacy at large remains a big continuous topic, e.g. the NY Times with its article series titled The Privacy Project.
What is the GDPR?
What is valid cookie consent under GDPR?
Valid cookie consent under the GDPR is a clear and affirmative action from users that unambiguously indicates their wishes. Consent banners on websites must have cookies deactivated by default with no pre-ticked checkboxes, so users actively select and activate those cookies and trackers they will allow to process their personal data.
Who enforces the GDPR?
The GDPR is enforced by data protection authorities in each EU member country. Non-compliance can be fined up to €20 million or 4% of a company’s annual global turnover. The lead supervising body of the GDPR is the European Data Protection Board (EDPB) that is comprised of representatives from each national data protection authority.
How can my website become GDPR compliant?
Your website can use a consent management platform that is able to scan and detect all cookies and trackers, then automatically control them so users can give their true consent to which they will allow to process personal data from them.