European Commission Provides a Summary of the GDPR so far for Data Protection Day 2019

On January 25, 2019, the European Commission published a statement to mark Data Protection Day (January 28, 2019) which, this year, comes eight months after the entry into force of the General Data Protection Regulation (“GDPR”) on May 25, 2018.

The statement indicates that the European Commission considers the GDPR to have had a positive effect, in particular because European citizens are now more conscious of the importance of data protection and of their rights. The European Commission also notes that the Data Protection Authorities (“DPAs”) are enforcing the new rules and better coordinating their actions in the European Data Protection Board.

As part of this statement, the European Commission published a “GDPR in numbers” infographic, highlighting some interesting figures and statistics since the GDPR came in to force:

  • DPAs have received 95,180 complaints from individuals since May 25, 2018. Interestingly, these reached a peak over the winter holidays (December 2018 to January 2019) with 30,000 complaints lodged. The most common type of complaints to date have related to telemarketing, promotional e-mails and CCTV.
  • Organizations have reported a total of 41,502 data breach notifications to their local DPAs.
  • In response to the above figure, by January 2019, 255 investigations had been launched by DPAs.
  • The high volumes of complaints and notifications are leading to the first major fines under the GDPR, including last week’s fine of €50 million imposed by the French CNIL on Google Inc. for violations of the GDPR’s transparency and consent requirements, which Data Matters reported in more detail here.
  • The European Commission infographic also indicates that several significant cases are currently ongoing and could result in fines of up to 4% of the annual worldwide turnover of organizations.

The European Commission also reported that Member State implementation is now well advanced, with only a few outstanding jurisdictions (Bulgaria, Greece, Slovenia, Portugal and the Czech Republic) remaining, which the European Commission will continue to monitor.

Finally, the Commission’s statement concludes: “Today, Europe is not only ensuring strong privacy rules at home, we are leading the way globally.”