One year has passed since the General Data Protection Regulation (GDPR) took effect on 25 May 2018. The most challenging piece of EU Regulation in terms of data protection and privacy, it is time to see what the impact of the GDPR has been so far and what lies ahead. The latest GDPR fines show this is merely the beginning.
Regulation 2016/679 better known as the General Data Protection Regulation or GDPR was passed on 24 May 2016 and after two year interim period it took effect on 25 May 2018. It replaced the old EU Data Protection Directive (Directive 95/46/EC) and seldom did a regulation change the field it covers as much as this one did. Preparations were manic as in the run up to the live date GDPR overtook both Beyonce and Kim Kardashian as the most trending search term on Google. US-based publishers were so freaked out that they decided to block access entirely to readers based in the EU rather than run the risk of breaching the new rules. And that those fears weren’t entirely unfounded became apparent when the EU slapped a €50 million on Google pay for failing to comply with its obligations – looks like they didn’t pay much attention to their own search results. But seriously, let’s recap for a second what the GDPR was all about:
The Basis
Based on a number of principles, the GDPR seeks to protect the personal data of individuals since the use of such kind of got out of hand. Do you still remember them? No? Well, here they are and according to them data must be:
- processed in a lawful, fair and transparent manner;
- collected for specified, explicit and legitimate purposes (“purpose limitation”);
- adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed (“data minimization”);
- accurate and where necessary kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they were collected or further processed;
- the period for which the personal data are stored is limited to a strict minimum;
- transfers of personal data within or between Community institutions or bodies or to recipients in EU countries are subject to certain conditions.
The European lawmakers backed this up by a number of measures:
- limitation of automatic processing of personal data;
- right to object recognized to the data subject;
- right of access by the data subject;
- right to receive the personal data, provided to a controller, and transmit such data to another controller (“data portability”);
- right to lodge complaints concerning possible infringements of the Regulation to the Supervisory Authority;
- easy and timely access to personal data.
That wasn’t all though: The territorial scope was extended, so that even organisations outside the EU were on the hook if they processed personal data about EU data subjects while either offering goods or services or monitored their behavior. No wonder those US companies got spooked.
Because the GDPR also introduced new levels for fines of up to €20 million or up to 4% of total worldwide turnover of the preceding year- whichever is higher.
The results
Despite the fact that the EU promised strict enforcement, many companies left preparations until late with one report stating that a mere 40 percent of organizations were GDPR compliant by the deadline on 25 May and another survey found that one year on millions of small businesses aren’t GDPR compliant.
Has the EU kept its word then? Well, the €50 million for Google are quite a number, but at the same time it is the lion share of the entire amount for the first 12 months in fines. A total of €56 million is the result of more than 200,000 reported cases though a large number of these cases is ongoing. And several national regulators have made it clear that whilst at least to an extent they were willing to turn a blind eye at the beginning as they appreciated the difficulties of implementation, the first month were purely a transition period. This is backed up by a number of recent enforcement actions like the fine for the Italian 5 Star Movement, one of Italy’s governing parties, for leaving its users’ data vulnerable to attackers. The message is clear: the EU is looking everywhere and non-compliance will not be tolerated.
The road ahead
In part, this already describes the road ahead: the enforcement actions so far are just a taste of things to come. The GDPR has forced companies to reconsider their data protection frameworks and for those that haven’t done what is necessary time is running out. More so it has also changed the perception of data protection and privacy in the European Union and beyond though. For the EU it is only one piece in a regulatory framework that promises its citizens more and better protection and means that the EU will take a stand against the ongoing data exploitation by Facebook and co. The net wave of data protection in the form of the ePrivacy Regulation is already around the corner and will further improve it. At the same time, regulators around the world are following the EU’s example and work on their own data protection rules that mirror the EU’s efforts. While it is still a long road ahead, it hasn’t been a bad start at all. For that, Happy first birthday, GDPR!