GDPR: One Year On

The 25th of May, 2019 marked a year since the EU General Data Protection Regulation (“GDPR”) came into force. For most in privacy, involvement with the GDPR has been ongoing for well over this year, but on the first anniversary of the GDPR we take an opportunity to look back and reflect on where we are now in relation to some key areas of interest including enforcement action, privacy litigation, breach notification and developing guidance from the European Data Protection Board (“EDPB”).

To commemorate the “first birthday” of the GDPR, the European Commission (“Commission”) has issued an infographic which provides some interesting statistics about these key activities during the GDPR’s first year which we discuss further below.

Data Breaches and Enforcement Action

Perhaps of most interest has been how the data protection authorities (“DPAs”) would exercise their expanded enforcement powers under the GDPR. This year we have started to see the first major enforcement actions, the most high profile being the €50m fine issued by the French DPA, the CNIL, against an online services company relating to issues over transparency and consent from users for personalised advertising. This trend for enforcement is set to continue as DPAs work through the huge volumes of queries and complaints received to date. In fact, the Commission infographic confirms there have been 144,376 queries and complaints from individuals (and organisations on behalf of individuals) to DPAs since May 2018. Of these queries and complaints, whilst 63% of cases have been closed, there are still 37% of cases that are ongoing. Interestingly, the most common types of activities for those complaints are in relation to: telemarketing, promotional e-mails and CCTV monitoring.

The Commission infographic also focuses on the implementation of the One-Stop-Shop (“OSS”) mechanism introduced by the GDPR, under which companies with cross border activities may be able to deal with one lead DPA, and if there are disputes between DPAs, these can be resolved by the EDPB. The EDPB has confirmed that from the very first day of the GDPR’s application, 446 cross-border cases have been logged in the EDPB’s Internal Market Information case register. 205 of these cases have led to OSS procedures and so far, there have been 19 final OSS outcomes. In her reflections on the first 12 months of the European Data Protection Board’s (“EDPB”) work, Andrea Jelinek, Chair of the EDPB has confirmed: “We will also see several cross-border cases carried out by SAs [supervisory authorities] leading to a final outcome in the coming months.”

Enforcement action can also come from data breaches and a number of high profile incidents this year have highlighted what a key issue cybersecurity can be for companies. In part due to increased awareness of the stringent GDPR timelines around breach reporting, since May 2018, there have been 89,271 data breach notifications to European DPAs. These data breach notifications and subsequent investigations by DPAs will likely lead to further enforcement actions as compliance and security programs come under scrutiny from the DPAs.

Privacy Awareness and Litigation

The European Commission infographic states that as of March 2019, 67% of Europeans had heard of the GDPR, 50% of Europeans know there is a public authority responsible for the protection of their personal data and of that number, 20% know which authority that is. That is an increase of 20% since the same survey (the Special Eurobarometer) was carried out in 2015. However, despite this growth in privacy awareness by consumers and the large volumes of queries and complaints submitted to DPAs in the last year, privacy litigation in Europe (utilising the GDPR’s private right of action) to date has been more limited. We await to see if privacy litigation will start to develop in the GDPR’s second year.

EDPB Guidance

The EDPB has continued to publish guidance on the interpretation of the GDPR following its coming into force. One of the most anticipated guidance documents has been the EDPB’s guidance on the territorial scope of the GDPR. A draft of this guidance was published in November 2018 (which Data Matters reported here). Whilst the draft has gone some way to clarify uncertainty, largely by re-affirming prior interpretations, it does leave certain questions unanswered. For example, the applicability of the GDPR to non-EU businesses offering services to corporate entities (rather than individuals). The guidance also leaves uncertainty for controllers and processors outside the EU on how to deal with the GDPR’s international data transfer restrictions. In particular, controllers and processors outside the EU that find themselves subject to the GDPR are required to implement a GDPR compliance program, through which they offer an adequate level of protection to the personal data that are “imported” from the EU. Arguably, there are no restricted data transfers in that case. However, the draft guidelines do not explicitly confirm that in such a case data transfer mechanisms are not required, and so far the EDPB has not addressed this question, leaving room for legal uncertainty. It is hoped that these points, amongst others, will be clarified in the final version of the guidance. These issues have clearly been contentious, as a final version of the guidance is yet to be published, nearly 6 months since the first draft was released.

Implementing Legislation at a National Level

As a regulation, the GDPR is directly applicable in all EU Member States and it was hoped that it would harmonize privacy legislation across Europe. However, despite this intention, the GDPR includes over 50 instances where Member States may introduce national derogations (e.g., in relation to the age of consent for a minor and an individual’s right to have their data erased). This, in addition to differences in national DPA guidance on interpretation of the GDPR,  has left room for uncertainty for multi-national businesses with operations across Member States as to how to implement their privacy programs consistently in light of such derogations and means that a fully harmonized approach is now unlikely.

One year on, whilst 25 Member States have enacted GDPR implementing legislation, at the date of this post there remains three EU Member States who are yet to implement their national implementing legislation: Greece, Portugal and Slovenia have either proposed draft legislation or passed a bill intended to implement the GDPR.

Global Privacy Laws

Following the GDPR’s lead, many countries around the world are now developing privacy laws or updating existing rules, and are looking to include elements of the GDPR, such as, the right of erasure. For example, the California Consumer Privacy Act of 2018 (the CCPA), a draft Indian data protection bill, and a new GDPR-like privacy law in Brazil. In turn, companies are now evaluating how much of the work undertaken for the GDPR can be leveraged to meet privacy requirements and laws in other countries and how to develop and strengthen global privacy programmes.

Of course, the GDPR is not static and its impact wasn’t fixed in time on 25 May 2018, nor has it stopped on 25 May 2019. As we move into the second year of GDPR compliance, the numbers highlighted in the above statistics will continue to grow and it will be interesting to see how the GDPR evolves in light of new guidance, cases and enforcement action at both a European and national level. Watch this space.