Today, the European General Data Protection Regulation (GDPR) celebrates the third anniversary of its enforcement. Despite its teeth, with data protection authorities (DPAs) able to fine companies up to 4% of their global revenues, it has not made the headlines for imposing hefty fines, at least not so far.
However, it would be a mistake to dismiss the impact of these rules and their enforcement only because DPAs have not used their full fining powers. “The drops of rain make a hole in the stone, not by violence, but by oft falling,” wrote the Latin poet Lucretius, and it is in that light that we should consider the impact of GDPR.
Over the last three years, European DPAs have delivered about 700 enforcement actions, according to the GDPR Enforcement Tracker website. Courts have evolved their guidance and tooling on international data transfers, and GDPR continues to shape the regulatory environment globally, with many current and upcoming privacy bills replicating its standards and requirements. A closer look at some GDPR enforcement actions shows that:
- Data protection authorities are enforcing the rules. Despite the global pandemic, GDPR enforcement continued at a steady pace. With over 220 enforcement decisions made so far, Spain leads the pack of most active regulators across Europe, followed by Italy and Romania. Overall, DPAs have levied fines with a total monetary value of €280 million. Italy has so far imposed the highest total amount of fines, more than €76 million, with France’s Commission Nationale de l’Informatique et des Libertés (CNIL) and Germany’s Bundesbeauftragte für Datenschutz und Informationsfreiheit following suit, if all fines are confirmed.
- Failures of data governance trigger the most fines and penalties. According to the GDPR Enforcement Tracker website, about 55% of DPA enforcement actions cite infringement of Article 5 (principles of processing of personal data) and about 40% cite infringement of Article 6 (lawfulness of processing), either alone or as part of infringements against multiple articles. These rules contain key data governance and privacy principles, such as ensuring that data is linked to a specific purpose, data accuracy, quality, fairness of processing, and so on. The data also shows that firms have struggled with the rules on collecting data lawfully from individuals, such as through consent or legitimate interest.
- Employee privacy rights are climbing the enforcement priority list. European regulators have so far issued about 50 fines and enforcement actions for violations of employees’ privacy. Some of these relate to employers’ failure to fulfil an employee’s request for data deletion or access. Other investigations uncover critical risks that companies often fail to prioritise. Employee personal data is primarily unstructured data, and it has traditionally escaped the level of control and attention that companies apply to consumer data. Hence, it was not a surprise that regulators found excessive employee personal data kept in instant messaging tools, emails, and other channels that employees use daily to communicate.
- Individuals’ privacy rights are making their way into new privacy bills, but companies struggle. Regulators are slowly, but increasingly, investigating companies that fail to handle individuals’ privacy rights appropriately (such as data access and data portability). While fines for failing to comply with data access and deletion requests, as well as objections to processing, have grown significantly in the last 12 months, companies continue to do a poor job of providing privacy notices with appropriate information. This includes information on individuals’ privacy rights and how to invoke them. This problem might grow further as other privacy bills, such as the California Privacy Rights Act (CPRA) and the Brazilian General Data Protection Law (LGPD), contain similar rights.
- Data residency requirements are the gift that keeps on giving. There is no lack of action on this front. After the invalidation of the EU-US Privacy Shield, authorities on both sides of the Atlantic are still discussing a potential replacement. Meanwhile, the European Commission is finalising updates to the Standard Contractual Clauses (SCC), which can be used to transfer personal data from the EU to third countries. The European Data Protection Board (EDPB) has also published guidance on new risk assessments and additional safeguards, such as encryption, that companies must put in place when transferring personal data to third countries that raise particular concerns. New data protection adequacy decisions are in the works for both the UK and South Korea.
When it comes to privacy, the lack of headlines is misleading. With governments increasingly adopting new privacy regulation globally, consumers systematically treating privacy as a key factor when deciding what to buy and with whom to share their personal data, and employees paying more and more attention to how their employers collect, process, share, and dispose of their personal data, there is no time to be complacent beyond the third anniversary of GDPR.