On its first birthday, the GDPR needs to grow some teeth

Update, June 2019: We’ll be covering the GDPR and other data protection topics at RightsCon Tunis. You can find sessions related to the GDPR here.

On 25 May 2018 the General Data Protection Regulation (GDPR) entered into application in the European Union. It is changing the way our personal information is stored and used, and is widely considered one of the strongest data protection laws to date.

Nearly a year later, it’s time to look back and evaluate the impact it has had so far, celebrating its first successes and identifying the challenges ahead. There are already some positive impacts, but for the GDPR to reach its full potential, we need to move from the implementation to the enforcement stage.

Baby steps: more people know they have rights

Since people first felt the impact of the GDPR through the wave of emails it triggered in the weeks before it came into application, many people now associate the GDPR with new Terms-of-Service pop-ups. Even though these pop-ups can be annoying and compliance still raises concerns, more of us understand that there are rules covering the use of our personal data. The European Commission even noted that the GDPR got more media coverage than Mark Zuckerberg in 2018 — and in May 2018, it triggered more Google results than Beyoncé and Kim Kardashian!

Levity aside, more awareness of the GDPR means that more people can begin to understand how their personal information is being handled, the first baby step to ensuring their rights are respected. Regulators across Europe are seeing growing interest in data protection, with an increase in the number of complaints of data violations from 2017 to 2018. In France, that increase is as high as 64%, according to the CNIL, the French data protection authority. Recently published figures from the European Data Protection Board show that citizens and organisations across the continent have lodged more than 95,000 complaints. Note that you can keep up with statistics and other facts to show how the GDPR is being applied by reading the latest edition of GDPR Today.

The GDPR vs. tech Goliaths

A trend has emerged since the GDPR’s inception: so far, big tech companies are the main targets of the complaints filed by users and NGOs. Our friends at Noyb.eu, whose chairman, Max Schrems, is famous for having successfully challenged the US-EU safe harbour, filed complaints against Google, Instagram, WhatsApp, Facebook, and others. Noyb argued that these companies have forced users to agree to new privacy policies on a “take it or leave it” basis. La Quadrature du Net, BEUC, Open Rights Group, and many of our other partners in the EU have filed similar complaints, all across the continent.

“… I suspect that if 2018 is the year of implementation, 2019 will be the year of enforcement”. Raegan MacDonald, Mozilla

The majority of the cases are ongoing and could lead to fines up to €20 million or 4% of the annual revenue (whichever is higher) if the companies are found to have perpetrated serious data protection infringements. The largest fine imposed so far is from the CNIL, which sanctioned Google with a record fine of €50 million to penalise its lack of transparency and failure to provide sufficient information and get valid consent from users, especially regarding its ads personalisation. This fine comes as a result of complaints filed by noyb and La Quadrature du Net.

Now for some bite

Companies have needed time to comply with the GDPR across the two-year implementation period and national regulators also needed to prepare for the thousands of complaints that have been filed. But now it is time for GDPR enforcement to grow some teeth.

The cases that involve big companies may get the most media coverage, but the first few “small” infringement cases may tell us more about the scope of the GDPR and its full potential, once national regulators truly start using the enforcement mechanisms.

  • In Austria, a sport betting café was fined for unlawful video surveillance (€5,280);
  • In Portugal, a hospital where patient information was inappropriately accessible by non-medical staff was also fined (€400,000);
  • In Germany, a social network operator was fined for failure to secure users’ data (€20,000).

Enormous data breaches appear to be increasing, and data protection authorities must not hesitate to investigate and then enforce the GDPR so its full capabilities can be realised. Out of 59,000 breaches reported, only 91 fines have been issued.

The Netherlands regulator is the first to issue a fining policy, setting up categories of infringements and factors to be taken into account. As the GDPR aims to make data protection rules uniform, including the approximate amount of the fines, the Dutch policy could have a larger, EU-wide impact.

Many complaints were filed on the first day of application of the GDPR, 25 May 2018. Nearly a year later, the fine imposed on Google in January should lead the way for 2019 to be the year of enforcement of the GDPR.

For the GDPR to mature, we need implementation + monitoring + resources

The GDPR requires all 28 EU member states to implement certain measures in their national law. Three years after the adoption of the law by the EU, the GDPR has yet to be implemented in Greece, Portugal, Slovenia, and the Czech Republic. The EU Commission is liaising with each of these countries to speed up implementation. For our part, Access Now will not hesitate to call for the launch of infringement procedures if any of these countries do not implement the GDPR quickly. States have the political and legal responsibility to deliver on the GDPR.

That said, taking action cannot mean abuse of the law. The EU Commission must also look into national implementation to ensure harmonisation and investigate any possible misuse of the GDPR by national authorities and governments. Last November, the Romanian data protection authority ordered an investigative journalism outlet to reveal its sources under the threat of a fine of up to €20 million based on the GDPR. Meanwhile, in Spain, the new data protection law includes a highly controversial provision allowing political parties and organisations to collect and use personal data revealing political views of individuals. Fortunately, this law is being challenged before Spain’s supreme court. If these issues are not addressed head-on, we risk a gross misunderstanding of what the GDPR is, and that could undermine the law and the benefits it brings to people.

Finally, member states must increase the funding and staffing of their data protection authorities. The latest report of the European Data Protection Board shows that in some states, financial and human resources are insufficient. As a result, these authorities cannot properly and effectively perform their tasks. Adopting the GDPR was a major milestone in the protection of personal data in the EU, but without strong enforcement, we risk seeing data harvesting practices continue and a return to business as usual.

“On paper the GDPR is the best data protection law in the world, but member states still seem to be neglectful when it comes to implementation”. Sophie in ‘t Veld MEP, ALDE Member of the European Parliament

Impact of the GDPR beyond the EU: securing the future of data protection

It is undeniable that the GDPR has impacted and will continue to impact the protection of our personal data worldwide, as many companies have adapted their global terms of service and internal practices to comply with the law.

In addition, some countries, using the GDPR as a baseline, are following suit in the development of data protection laws, including:

  • In the US, the state of California introduced the California Consumer Privacy Act (CCPA), which has often been described as “GDPR Lite”. It will enter into force in 2020. Important debates are also taking place at federal level and Access Now is taking part in the discussions (see below).
  • Brazil passed a GDPR-inspired law last summer, called the GDPL, which largely follows the GDPR and has measures that provide close to the level of data protection provided under EU standards. However, it lacks an independent data protection authority responsible for overseeing implementation and enforcement of the law. To protect people’s rights, this critical flaw must be addressed.
  • In Argentina, the Senate is considering a new bill on data protection to update the country’s existing legislation, in light of the GDPR and in the hope Argentina can keep its adequacy decision with the EU, which allows for the transfer of data.
  • The government of India has constituted a committee to consider issues relating to data protection in India and propose a draft statute on data protection.

As major data scandals continue to pile up, we can only hope that more countries will create or update their data protection legislation. There should be a race to the top for the best protection of users’ rights online.

One obvious candidate for progress in this area is the United States, home to many of the largest tech companies. Access Now is engaged in the ongoing discussions on data protection legislation at federal level and in this context, we are organising the Data Privacy Summit on 27 March in Washington, DC. If you cannot make it in person, we encourage you to watch the livestream!