What was the first year of GDPR like? Where is it heading?

Ius Laboris share their thoughts on what the first year of GDPR looked like and where they see it heading in the future

In the run-up to 25 May 2018, preparations for the implementation of the European Union (EU) General Data Protection Regulation (GDPR) were a key priority for organisations. The GDPR’s entry into force was viewed with concern, given its complexity, the challenges of putting the new data protection rules into practice and the extremely high fines that can be imposed for breaches. The majority of infringements can be punished by a fine of up to €20 million or 4% of an organisation’s total worldwide annual turnover for the previous financial year (the higher of the two). Over a year on, with the first wave of decisions and fines issued by a number of national data protection authorities (DPAs) and many ongoing investigations, it is interesting to examine if and how the GDPR rules are actually having their desired effect.

Enforcement authorities in many countries have used this first year as a grace period to educate and promote compliance with the GDPR. Corporate awareness of the GDPR rules and potential repercussions of breaches has increased and new or enhanced data protection policies have been implemented as companies’ ability to handle personal and sensitive data safely and in compliance with the data protection principles has been subjected to fresh scrutiny. These include a significant increase in the employment of Data Protection Officers (DPO). If a DPO is appointed (which is not always mandatory), it is the DPO’s responsibility to inform and advise with respect to data protection obligations, to supervise compliance with these obligations and to cooperate with the DPA(s).

As awareness has risen, there have been a growing number of complaints and breach notifications across the EU. DPAs in some Western European countries such as Germany and France appear to have been very proactive in enforcement. For example, the French Data Protection Authority (‘CNIL’) imposed a €50 million GDPR fine on Google LLC in January 2019. The huge fine was based on a lack of information and transparency for users and took into consideration the large volume of data and number of individuals involved in this violation of privacy.

The UK’s Information Commissioner’s Office (ICO) also recently announced its intention to impose large fines on Marriot and British Airways, as a result of data breach-related incidents. The proposed fines announced were £99.2 million for Marriot and £183.4 million for British Airways, highlighting the seriousness with which the ICO treats such cases.

Others, however, have been slower to take significant enforcement action and in Eastern Europe, many countries have taken a mild approach to enforcement. While the Polish and Lithuanian DPAs have imposed relatively significant fines, Latvia, the Czech Republic and Hungary have only imposed very minor penalties. At the time of writing, the Slovak DPA has only fined organisations for failing to comply with inspections and not for GDPR breaches and the Bulgarian DPA has mainly issued warnings and reprimands. Slovenia is one of the EU Member States that has not yet completed the process of implementing the GDPR into national legislation. Warnings have been issued in a number of jurisdictions and the various DPAs are making orders for bringing processing activities into compliance; there should be further activity over the coming year.

The GDPR has faced some criticism, with commentators noting that the law in its current state is broadly worded, meaning the regulations are open to differing interpretation. This means there is a risk of divergent decisions in different jurisdictions when investigations are carried out.

Further, given that GDPR is an EU Regulation, its validity in the UK will come into question following Brexit. Most experts believe that the GDPR will be enacted in UK Law after Brexit under section 3 of the European Union (Withdrawal) Act 2018.

In light of recent high-profile cases, however and with more predicted imminently, global businesses now have a better insight into the financial and reputational repercussions of failure to comply with data protection principles. The trend towards stricter data protection rules is likely to intensify, as the value placed on an individual’s data privacy continues to rise. It is clear that compliance is key to avoid very significant penalties and organisations and individuals should continue to invest in education and training and promote compliance and best practice.

This article is based on information contained in a comprehensive report ‘The GDPR: One Year On’ prepared by Ius Laboris in May 2019. Further information on how the GDPR has been enforced across various European jurisdictions in the year following its entry into force can be found in the full report, here.