ONE YEAR has passed since the European GDPR (General Data Protection Regulation) came into effect on May 25, 2018.
A helicopter view of the situation a year later reveals both challenges and promise in its enforcement and effects.
Here is a GDPR anniversary update!
The GDPR, or General Data Protection Regulation, is an EU law that regulates how companies, organizations and other entities handle personal data. Its jurisdiction is global, because it requires everyone who deals with the data of an EU citizen to abide by its rules and regulations.
The GDPR empowers Europeans to control what data they wish to share, and enables them to request that their collected data be deleted.
If you have a website, you most likely have cookies and tracking technology operating on your site and you are therefore required by the GDPR to comply with its rules.
One year into the enforcement of the GDPR, we are slowly beginning to see its impact.
While fines have been slow to ramp up against companies and businesses that violate the GDPR, its effects can also be seen in new privacy laws springing up around the globe, as well as in its role as an instigator of public privacy discussions.
The GDPR can be enforced in various ways, ranging from –
So far, the most common forms of GDPR enforcement have been warnings and fines.
The sum of GDPR fines one year into its enforcement amounts to approximately €56.000.000, according to the IAPP.
The average GDPR fine has so far been approximately €70.000, according to the London-based accounting firm Ernst & Young.
Most of the GDPR enforcement cases so far have been discretionary, i.e. they have been imposed on a case-by-case basis.
The fines differ based on which articles of the GDPR a company violates: if it violates its own obligations, it will be subject to lower-level fines, whereas violations of individual privacy rights will be subject to higher-level fines.
Germany, Poland, Denmark, Austria and Portugal are among the EU member states that have fined companies or organizations for GDPR violations in this first year.
The French data protection authority CNIL can rightly be called the leading watchdog of GDPR when it comes to both enforcement and guidance so far.
CNIL received over 11.000 complaints in 2018 – an increase of 32.5% from the year before – and a large percentage of the complaints have centered on the GDPR-introduced right to request deletion of personal online data. The French DPA has also been exemplary in guiding companies in GDPR compliance, as well as advising government legislation.
The largest monetary enforcement of the GDPR yet also emerged from CNIL on January 21, 2019, when the French data protection authority levied a €50 million penalty against Google for three separate GDPR violations – lack of transparency (Article 12), inadequate information (Article 6) and lack of valid consent regarding ads personalization (Article 7).
The €50 million fine was the result of an investigation launched on the basis of two group complaints by the privacy associations None of Your Business (noyb) and La Quadrature du Net (LQDN), who accused Google of violating the GDPR regarding the processing of personal data, particularly in the case of personalized advertisements.
“For the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said the chairman of noyb, Max Schrems.
These complaints were put to the French DPA on May 25 and 28 of 2018, that is, on Day One and Day Three of the enforcement of the GDPR. That it took CNIL six months to investigate and enforce tells us something about the timeframe of larger GDPR enforcement cases… and might hint at much larger enforcements to come.
Technically, Ireland has the singular role of being the GDPR’s lead regulator.
Why, you might ask?
Well, a provision in the GDPR specifies that its lead regulator be the country that houses a tech company’s data controller. Because Ireland is the European headquarters for many big tech companies such as Facebook and Google, who enjoy lax tax arrangements from the Irish government, it has the responsibility of leading the enforcement of the GDPR against the industry’s biggest.
Both the German and French DPAs have expressed their frustrations over the Irish DPA’s lack of enforcement.
Ireland has courted tech companies for years with low corporate taxes.
However, the Irish DPA revealed recently that their office plans to announce enforcement actions this summer, adding that they currently have 51 large-scale privacy investigations open, 17 of which involve tech companies like Twitter, WhatsApp, Instagram, LinkedIn and Apple, while 7 cases specifically involve Facebook.
On May 22, 2019 – three days short of GDPR’s birthday – the Irish Data Protection Commission (DPC) announced a comprehensive investigation of Google’s DoubleClick company (in the meantime rebranded as Authorized Buyers) for “suspected infringement” of personal data processing. The probe was triggered by a formal complaint from Dr. Johnny Ryan, Chief Policy Officer at Brave, the private web browser.
This investigation could lead to severe fines against Google, or even worse for the company: a complete prohibition of using personal data in its advertising system. The GDPR is showing teeth indeed.
A year into the enforcement of the GDPR we’ve mainly seen smaller fines, but we have now begun to see larger and larger investigations and fines on the horizon, precisely because the bigger enforcement cases against the biggest industry heavyweights take a long time to build and execute.
This is why privacy experts say that they expect larger GDPR fines to be on the way.
The GDPR authorizes the national data protection agencies to be the chief enforcing bodies of the law. This means that national DPAs can fine companies (up to €20 million or 4% of their global revenue) or they can dictate how or what data companies can use in their business.
The latter can be enforced e.g. in the case of a data breach, where regulators deem a company negligent. In this case, they may issue an ultimatum for the company to either rectify the breach within 90 days or stop using the data that it has collected.
If a company relies on data collection as a core business model for profit, this could potentially be a bigger blow than a fine, however large.
One year into the GDPR, we begin to see another of its impacts, one that has to do not with fines or enforcement but with legal change – what LinkedIn’s head of global privacy recently called “the GDPRization of laws across the world”, meaning that laws all over the globe are beginning to spring up and take shape with inspiration from the GDPR’s scope and strength.
The California Consumer Privacy Act (CCPA) is the strongest privacy law in the US and will take effect on January 1, 2020.
Among the nations or states in the world that either have passed or are in the process of passing privacy laws are …
Argentina, Israel, Chile and China are among the other nations that are working on privacy laws and regulations.
When it came into effect on May 25, 2018, GDPR was a top Google search keyword, outnumbering both Beyoncé and the Queen of England.
It no longer is, but its mainstream reach can still be felt. The effect of the GDPR has also been to foster a public discussion about privacy that is still raging to this day.
Its date of effect a year ago more or less coincided with the revelation about the Facebook/Cambridge Analytica scandal, perhaps the biggest, most reported privacy crisis last year, only rivaled by the digital interference by the Russian government in the US presidential election.
Some of the biggest news outlets in the world have reported on the GDPR continually and privacy at large remains a big continuous topic, e.g. the NY Times with its article series titled The Privacy Project.
As mentioned before, it is reasonable to say that we can expect bigger, more comprehensive GDPR enforcements in the second year of the General Data Protection Regulation.
Bigger investigations, larger fines.
Another thing to look out for this year is the ePrivacy Regulation, which is currently underway, but stalled in the EU amid heavy lobbying from the tech industry. It is still expected to arrive either in 2019 or 2020.