The General Data Protection Regulation, or GDPR as it is commonly known, is five years old today, 25 May 2023.
The GDPR is a regulation enshrined in EU law around data protection and data privacy, covering citizens and users of services offered by businesses in EU and the EEA. The goal of the GDPR is to protect an individual's control over their own personal data, and to simplify the regulatory regime for businesses, especially those operating internationally.
"Five years on from the GDPR we now have a wealth of guidance, decisions and case law that is really helping us to see the fundamental principles of the GDPR come to the fore. We're really seeing the supervisory authorities mature as regulators, and this in turn provides us as lawyers with key signals as to what their focus of attention is."
Anne-Marie Bohan, Head of Technology and Innovation, Matheson LLP.
From a legal perspective, the implementation of GDPR has been an overall success despite significant challenges. Irish businesses in all industries, not to mention sports clubs, charities and other organisations who are "data controllers" or "data processors" under the GDPR have shown themselves to be capable of building coherent strategies for dealing with what were at the time very new and complex regulations.
The last five years have been about getting up to speed, bedding in processes and procedures, and understanding a brand new area of regulation. Looking forward, equipped with the benefit of five years of decisions and guidance, businesses are now taking a fresh look at the policies and procedures they put in place when the GDPR came into force in 2018 to see what needs to be updated, as demonstrable compliance with the GDPR must be evidenced through "living documents". It is timely, therefore, that the Irish Data Protection Commission recently launched guidance for businesses looking to review their Records of Processing Activities ("ROPAs"), based on a review of ROPAs from 30 representative organisations.
As the legislation matures, the trend is moving increasingly into enforcement and litigation. On the matter of enforcement, this week we have seen the largest fine ever imposed by the Irish Data Protection Commission, on Meta Platforms Ireland, in relation to Meta Platforms Ireland's data transfers to Meta Platforms US. Matheson partners Davinia Brennan, Anne-Marie Bohan and Carlo Salizzo discuss this case in more detail in this insight: EU-US Data Transfers Back in the Spotlight Following Record €1.2bn Fine.
We are also seeing the progression of the GDPR in the context of civil litigation. Following the conclusion of UI v Österreichische Post AG (Case C-300/21) ("the Austrian Post case"), there is more clarity around how claims for compensation for non-material losses can be brought. A number of further test cases are expected to be heard before the Court of Justice of the European Union ("CJEU") and following these decisions we expect to see a rise in claims for non-material damage following data breaches and other infringements of the GDPR. Matheson partners Davinia Brennan and Michael Byrne have explored these likely implications further in this insight: CJEU Decision: No 'de minimis' threshold for GDPR compensation claims.
The first five years of the GDPR have been eventful and if there is one thing that is for certain, the next five years will not be any different.