The one-year anniversary of the commencement of GDPR in Europe fell on Saturday, 25 May 2019. In the lead-up to GDPR, there was a Europe-wide increase of staff, resources, costs and expenditure in preparation for the most revolutionary pan-European update in data privacy for decades. This preparatory fervour was largely in response to the threat of repercussions of non-compliance, coupled with hefty fines.
One year on, it may seem as if the potential threats of non-compliance with GDPR have receded. Individuals and corporates may wonder if their preparation was excessive or even unnecessary. For example, the Irish Data Protection Commissioner has yet to issue an administrative fine under GDPR. It could also be construed that individuals are not utilising their right to lodge claims for material or non-material damage in respect of privacy breaches.
However, it’s more likely that this just reflects an initial lull, while potential complainants and supervisory authorities get to grips with enforcement and compensation rights under GDPR.
The European Data Protection Board recently released some statistics from the past year, including that over 144,000 queries and complaints have been received by supervisory authorities across 27 member states, including over 89,000 data breach notifications.
The individual complaints included issues related to access requests, right to erasure, unfair processing, disclosure, unwanted marketing and employee privacy. Thus far, GDPR enforcement actions have resulted in fines equalling around €56 million, the vast majority of which relates to the €50 million fine issued to Google by CNIL, the French supervisory authority.
CNIL fined Google €50 million in January 2019, for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Google’s Chief Privacy Officer has confirmed that the fine is under appeal. This fine was the first major enforcement action under GDPR.
In late March, the Polish supervisory authority imposed its first GDPR fine of €220,000 against a digital marketing company. The fine was based on the company’s failure to fulfil its data subject rights obligations under Article 14 of the GDPR, in that it did not inform data subjects as to how it processed personal data. The company was also given three months to contact 6 million people in order to meet its Article 14 requirements.
In addition, the Danish supervisory authority has recommended its first fine of DKK 1.2 million (approximately €160,754) against a taxi company. It was found that the company implemented a data retention policy but failed to comply with it, resulting in data relating to 9 million individual taxi rides being retained in excess of the 2-year retention policy, in breach of Article 5.
The Data Protection Commission (the DPC) here in Ireland has also had a busy 12 months since the introduction of GDPR – dealing with:
- 6,624 complaints;
- 5,818 valid data security breaches;
- Over 48,000 contacts received through the DPC’s Information and Assessment Unit; and
- 1,206 DPO notifications.
While the DPC has yet to issue its first fine under GDPR, over the past 12 months it opened a total of 54 investigations, including 19 ongoing investigations into multinational technology companies. These investigations include reported incidents of alleged GDPR violations by Facebook, Twitter, WhatsApp, Instagram, LinkedIn, Apple, Quantcast and most recently, Google.
The DPC has followed in CNIL’s footsteps by opening an investigation into Google. It is examining the processing of personal data by Google’s Ad Exchange business. The ad service will also be examined in terms of the GDPR principles of transparency and data minimisation, as well as Google’s retention practices.
Helen Dixon, the Irish Data Protection Commissioner, recently informed the US Senate Commerce Committee that she hopes to conclude some of the investigations this summer. Prior to the implementation of GDPR, Ms. Dixon stated that “there will be fines, and they will be significant.” But she noted that such a fine would only be levied “at the end of a very long path that has demonstrated a lack of accountability and an infringement.”
A year has passed, and we see that GDPR is being utilised and implemented by national supervisory authorities across Europe – both by encouraging awareness and engagement on data privacy and by using their enhanced enforcement powers. Entities managing personal data therefore have ongoing, substantive compliance requirements, rather than a tick-the-box exercise.
Further, the wings of data privacy are still spreading. Countries like Canada and Australia, and the State of California, have implemented laws similar to GDPR. Mark Zuckerberg recently joined Tim Cook in a call for GDPR-type privacy regulation in the US. He stated that regulators and governments should play a more active role in controlling each of four areas: harmful content, election integrity, privacy and data portability.
With our DPC’s office growing at a faster rate than any other supervisory authority in the EU, data privacy and its enforcement look set to be an even bigger issue over the next 12 months.
“On the basis of statistics of previous investigations we have opened, it would be very unusual if none of them ultimately yielded evidence of wrongdoing under GDPR.” Helen Dixon, Ireland's Data Protection Commissioner