The GDPR celebrated its first anniversary on 25 May 2019 - a good time to take stock. In this article, we look at how the GDPR has been enforced so far, what the regulators' future direction of travel might be, and the key areas organisations will need to focus on in the coming months.
EU enforcement trends
The local data protection authorities (DPAs) are facing a heavy caseload. As at 22 May 2019, there had been over 280,000 cases requiring investigation across 27 EEA states, according to a report issued by the European Data Protection Board (EDPB). The largest proportion of these cases consisted of complaints about organisations' data protection practices (at the time of writing, over 144,000 queries and complaints had been reported).
The most common types of complaint concerned data processing activities related to telemarketing, promotional emails and video surveillance / CCTV (as reported by the EU Commission). Complaints mainly related to the right of access, the right to object to processing, and disclosures and unauthorised processing. Data breach notifications also make up a significant proportion of the DPAs' work: over 89,000 breach notifications had been reported by the EDPB as of 22 May 2019. In general, DPAs are reporting an increase in the number of breach notifications they receive (an almost 40% increase over the three months from February to May 2019).
In terms of fines issued so far, DPAs from 11 EEA countries had imposed GDPR fines as of the end of February 2019, when the EDPB issued an interim report on the GDPR's implementation. A number of further fines (for example in Italy, Poland and Lithuania) have been issued since then. Perhaps surprisingly, most of the fines issued so far have been in the thousands rather than the millions, with the notable exception of a fine of EUR 50 million issued by the French DPA (the CNIL) in January 2019.
Other DPAs, such as the ICO and the Irish Data Protection Commission (IDPC), have recently hinted that GDPR fines are on the horizon in their jurisdictions as well: the ICO stated at a conference in Washington in May 2019 that it has "a couple of very large cases…in the pipeline", while the IDPC said at the same conference that it anticipates bringing "first-draft decisions" to the European Data Protection Board this summer.
Interestingly, the primary area of focus for most regulators appears to be breaches of the core data protection principles, such as the GDPR requirements for fairness, lawfulness and transparency of data processing. For example, the EUR 50 million fine issued in France was principally concerned with breaches of the notice and consent requirements (which relate to the transparency and lawfulness of processing). Similarly, a fine issued by the Danish DPA in March 2019 against a taxi company was for breaches of the purpose limitation, storage limitation and data minimisation principles (albeit a much smaller fine than the CNIL's, at roughly US$180,000).
While we have yet to see a major GDPR fine in the UK, the ICO also appears to be placing considerable focus on the data protection principles and in particular the GDPR's accountability requirements, observing in a recent public statement that "accountability encapsulates everything the GDPR is about" and that the relative lack of attention organisations have given to accountability so far is a "problem". The message from the DPAs is that compliance now needs to be much more than a box-ticking exercise of having the right policies in place; it will also be critical to ensure that compliance is embedded at a deeper level, by making data protection part of the culture of the organisation.
Enforcement trends in the UK
The majority of the enforcement actions taken by the ICO in the first months of the GDPR related to breaches of the previous law (the Data Protection Act 1998) rather than the GDPR. The GDPR enforcement actions seen in the UK so far have been scattered, and the ICO generally appears to be opting to issue enforcement notices as its initial course of action rather than immediately resorting to fines.
However, given the recent public statements made by the ICO, it seems likely that we will start to see more GDPR enforcement actions in the UK in the coming months. In addition, the ICO is enforcing increasingly vigorously: even before the GDPR came into effect, a general trend was emerging of fines increasing in both number and amount, with the ICO twice issuing the maximum monetary penalty possible under the Data Protection Act 1998 (£500,000). If this trend continues under the GDPR, with its far higher maximum penalties, the implications could be significant.
In addition, organisations should be aware that the ICO is also actively enforcing non-payment of the data protection fee (which most controllers are required to pay under the Data Protection (Charges and Information) Regulations 2018) and has fined a number of organisations for this in recent months. To date, penalties for non-payment have ranged from £400 to £4,000 (and the ICO will normally also publish the name of the offending organisation). To put this in context, the fee itself is between £40 and £2,900, depending on the size of the organisation; organisations that have not yet paid the fee are therefore strongly advised to do so.
In line with the trend seen at the EU level, the ICO appears to be giving particular focus to infringements of the GDPR's data protection principles, such as the requirement to process data fairly, lawfully and transparently. In particular, the ICO has identified tackling "unfair, invisible processing" as an enforcement priority, and is taking a particular interest in this issue in the context of ad-tech and online tracking. Other priority areas identified by the ICO are processing by data brokers and the processing of children's data.
Adaptation of national laws in the EU Member States
Although the GDPR is directly applicable in all EU countries, each country has had to adopt national legislation implementing certain of its provisions (including variations and derogations from certain obligations and rights). As of 22 May 2019, 25 EU States had adopted such legislation, while 3 EU States (Greece, Slovenia and Portugal) were still in the process of doing so. Baker McKenzie's GDPR National Legislation Survey (last updated in January 2019) gives detailed insights into the progress and content of local data protection laws as of that date.
Future GDPR regulatory landscape
- Higher risk of enforcement on the horizon? In the GDPR's first year we have seen a large number of complaints and data breach notifications to regulators but comparatively few enforcement actions and fines. There are likely several reasons why enforcement activity has been relatively slow so far. First, a number of DPAs will have faced challenges in preparing for the GDPR themselves; they are likely to have needed to expand their existing resources and to equip themselves for new cooperation mechanisms such as the "one-stop-shop". Secondly, some DPAs may have chosen to allow organisations more time to complete or improve their GDPR compliance programmes and therefore opted for a relatively light-touch approach to enforcement in the past year; instead, many spent time and resources on preparing guidance for business. Thirdly, during the GDPR's first year many DPAs will still have been primarily concerned with historic infringements which occurred pre-GDPR, and which therefore had to be dealt with under the previous legislation. However, things may change now that DPAs have been allocated more resources, have started to recruit more staff, and have gained some experience in cooperating on cross-border cases (over 400 cross-border cases requiring some form of cooperation among regulators had been reported as of 22 May 2019). As noted above, some DPAs, such as the ICO and the IDPC, have also suggested that they intend to intensify their enforcement activities over the coming months.
- Increased privacy awareness among Internet users, consumers and individuals. Individuals across the EU have become increasingly aware of their data protection rights. The latest figures from the EU Commission (as of 22 May 2019) show that 67% of Europeans have now heard of the GDPR and 57% know that a public authority in their country is responsible for safeguarding their rights; 20% of Europeans even know which public authority that is. This heightened awareness is likely to be attributable in part to DPAs having become more active in public campaigns aimed at individuals; for example, the ICO recently launched an initiative to raise public awareness of online targeting and individual profiling. Increased awareness is likely to result in more requests from individuals to exercise their rights and more complaints to DPAs, which may ultimately lead to more investigations and enforcement actions.
- More complaints by not-for-profit organisations. A number of complaints to the DPAs have been brought by not-for-profit organisations (such as "None Of Your Business" (NOYB), led by privacy activist Max Schrems). Under Article 80 of the GDPR, individuals can mandate such organisations to lodge complaints and exercise certain rights on their behalf. Given that data security breaches and other violations of the GDPR usually affect a large number of individuals, over time this could lead to large numbers of claims being brought by not-for-profit organisations.
- Sandboxes and other business-friendly initiatives by regulators. The ICO appears to be leading the way in helping businesses comply with data protection law while using data in innovative ways. To this end, the ICO has launched a "sandbox" initiative to assist and advise selected organisations from different industries on innovative data usage and data protection compliance. The ICO is also looking at ways to foster the use of privacy-enhancing technologies (based, for example, on anonymisation, pseudonymisation, homomorphic encryption and differential privacy). In time, other DPAs across the EU may also develop business-friendly initiatives which promote technological innovation.
What should organisations do in light of these regulatory trends?
- Continue embedding privacy and information security in their general risk assessments, taking into account the heightened enforcement risk over the coming months as the regulatory framework matures.
- Prioritise compliance with the core GDPR principles (including accountability, transparency and lawfulness of data processing e.g., notice and consent).
- Watch out for regulatory developments in their country (or countries) including guidelines on specific thematic or industry areas.
- Consider participating in sandboxes (where there is appetite to experiment with innovative data usage in a safe regulatory environment) or other initiatives by their competent DPAs.
- Make the most of tools and resources which are made available by DPAs to facilitate compliance.
- Continue to foster a culture of privacy in the organisation (including emphasis on training, data subject rights and requests, breach reporting, information security, and compliance documentation).