Today marks the first anniversary of the introduction of the European Union’s General Data Protection Regulation (GDPR). As the solitary candle of the birthday cake is being blown out, we can take a moment to reflect upon what has undoubtedly been an eventful debut year.
GDPR redefined the rules for companies and organisations which gather, hold or process personal information about residents of EU member states. The regulation requires more transparency about what data they hold and who they share it with than had previously been the case. The law has quickly become a de facto global standard for privacy in the internet age.
In March 2018, numerous media outlets revealed news of Cambridge Analytica’s business practices. In particular, it was reported that that the political consultancy had obtained the personal data of approximately 87 million Facebook users without their prior permission. Coming in the wake of these revelations, the timing of the GDPR’s introduction was seen by many commentators as emphasizing the justification for such regulation and underlined that it had been long overdue.
Facebook and other internet giants were forced to make comprehensive changes to their policies concerning user privacy and data-handling. Users are now asked for their to consent to all new terms. Pop-ups now inform them of changes. Significantly, special new protections for adolescents were introduced. To date, only one American company, Google, has been impacted with a large fine under GDPR.
One year in, for the larger US companies, the true effects of the General Data Protection Regulation are yet to be felt. In addition to the direct consequences for EU based companies, or those who process the data of EU residents, the European Union’s activism in bringing its privacy regulation up to date appears to have acted as a catalyst for other nations around the globe to consider making similar reform.
In terms of fines imposed and complaints made, what has the impact of the GDPR been during its first year? Well, according to official stats of the European Union, the complaints procedure has been a busy one. A total of 144,376 complaints have been filed under the regulation since its implementation. Companies are obliged to report their own data breaches within 72 hours of discovery. Of these, 89,271 data breaches have been reported.
Nonetheless, fines have been somewhat smaller than had been anticipated. Under the terms of the GDPR, companies can be fined up to €20,000,000 or 4% of their total global revenue for the preceding financial year, whichever is greater.
January 2019 witnessed the first (and thus far, only) landmark GDPR penalty when the French regulator, CNIL, imposed a €57 million fine to the technology multinational for having failed to properly disclose to its users details of the manner in which their data was being gathered and exploited for targeted advertising campaigns. Only this week it was confirmed by the Irish Data Protection Commission (DPC) that an investigation remains open.
In a statement, Google said, “We will engage fully with the DPC’s investigation and welcome the opportunity for further clarification of Europe’s data protection rules for real-time bidding”.
Other significant fines include those issued by data protection authorities in Portugal (€400,000 to a hospital), Poland (€220,000 euros to a data processor) and Germany (€20,000 to a chat application aimed at children). There are no available statistics regarding the total number of GDPR fines issued.
The somewhat cautious start may be due to the fact that national data protection authorities have to learn how to administer their new powers. There may also have been a desire to give companies some leeway to get their affairs in order during the first year of the regulation’s existence.
National authorities have been debating how best to interpret the law in the context of their own national legislation but also with the goal of developing a consensus throughout Europe.
Given the dramatic increase in the number of complaints that have to be investigated, some authorities have quickly needed to recruit more staff to deal with the workload.
A rush to issue fines could also create another set of problems for national data protection authorities. Given their vast resources, tech giants will undoubtedly use teams of talented lawyers to resist anything they feel is unfair. This has already been the case when it came to European Union antitrust decisions.
Experts expect that complaints involving artificial intelligence, facial recognition software, data profiling and advertising personalization will be prioritised by the authorities. This would predominantly impact US interests, as these technologies tend not to be developed in Europe.
At first glance it might appear that it is in the EU’s best interests to rapidly secure a number of high-profile fines to grasp the attention of tech companies both in Europe and world-wide so that they continue to treat compliance seriously. However, in reality it would seem that the European Commission is more focused about the “how” GDPR compliance is to be enforced than the “when”.
Věra Jourová, the European Justice Commissioner and Andrus Ansip, Vice President for the EU Digital Single Market, released a joint statement earlier this week in which they advised that, “Compliance is a dynamic process and does not happen overnight. Our key priority for months to come is to ensure proper and equal implementation in the Member States.“
Overall, perhaps the real success of the GDPR at this point is that it has instigated a global discussion about privacy. This was acknowledged this week in a speech by Jourová. She views calls to emulate the GDPR as clear evidence of its success; “Last year we heard complaints and criticism, today we hear calls around the globe for comprehensive data protection rules similar to the GDPR.“
Following the EU’s lead are attempts by the likes of Brazil, South Korea, Japan and India to introduce privacy regulations that are similar to those outlined in the GDPR. In America, legislators in California (where Silicon Valley is found) are making preparations to introduce a Consumer Privacy Act.
Facebook, Apple and the other tech giants are increasingly calling for regulation resembling the GDPR and have promised their support for US privacy protections. Microsoft aided business users to comply with the GDPR and has expressed a desire to assist in framing US privacy regulation, calling for legislation that places the burden on the tech companies themselves.
Ultimately, however, it is the policymakers who must make the big decisions.
The USA will undoubtedly observe how the EU regulation is applied in the multiple jurisdictions of European Union member countries. America will meet similar concerns when it attempts to harmonize its federal and state laws.
What does seem apparent is that Federal-level US regulation is something that we can expect to see in the near future.