Jan 282019

European Commission Provides a Summary of the GDPR so far for Data Protection Day 2019

William RM Long and Eleanor Dodding
, , , ,

On January 25, 2019, the European Commission published a statement to mark Data Protection Day (January 28, 2019) which, this year, comes eight months after the entry into force of the General Data Protection Regulation (“GDPR”) on May 25, 2018.

The statement indicates that the European Commission considers the GDPR to have had a positive effect, in particular because European citizens are now more conscious of the importance of data protection and of their rights. The European Commission also notes that the Data Protection Authorities (“DPAs”) are enforcing the new rules and better coordinating their actions in the European Data Protection Board.

As part of this statement, the European Commission published a “GDPR in numbers” infographic, highlighting some interesting figures and statistics since the GDPR came in to force:

  • DPAs have received 95,180 complaints from individuals since May 25, 2018. Interestingly, these reached a peak over the winter holidays (December 2018 to January 2019) with 30,000 complaints lodged. The most common type of complaints to date have related to telemarketing, promotional e-mails and CCTV.
  • Organizations have reported a total of 41,502 data breach notifications to their local DPAs.
  • In response to the above figure, by January 2019, 255 investigations had been launched by DPAs.
  • The high volumes of complaints and notifications are leading to the first major fines under the GDPR, including last week’s fine of €50 million imposed by the French CNIL on Google Inc. for violations of the GDPR’s transparency and consent requirements, which Data Matters reported in more detail here.
  • The European Commission infographic also indicates that several significant cases are currently ongoing and could result in fines of up to 4% of the annual worldwide turnover of organizations.

The European Commission also reported that Member State implementation is now well advanced, with only a few outstanding jurisdictions (Bulgaria, Greece, Slovenia, Portugal and the Czech Republic) remaining, which the European Commission will continue to monitor.

Finally, the Commission’s statement concludes: “Today, Europe is not only ensuring strong privacy rules at home, we are leading the way globally.”

William RM Long

London

wlong@sidley.com

Eleanor Dodding

London

edodding@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.