One year of GDPR: GDPR enforcement and awareness

Saturday May 25th, 2019 by Malia Thuret-Benoist

The General Data Protection Regulation (GDPR) came into force after years of debate and preparation. In January 2012, the European Commission began setting out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Approved by the European Parliament in April 2016, the legislation came into force across the European Union on 25 May 2018, and celebrates its first birthday today.


Reshaping how personal data is handled and raising awareness

This regulation is aimed at fundamentally reshaping the way personal data is handled across every sector in Europe. One year later, we can clearly see that it has raised awareness of data protection issues among both professionals and individuals. The regulation gave individuals extensive new powers to control their data. For example, data subjects can demand that organisations tell them how their data are used and ask them to destroy their data (“the right to be forgotten”). The fines for non-compliance were also significantly increased.

According to the Eurobarometer of March 2019, the increase in queries and complaints confirms the rise in awareness about data protection rights among individuals. Indeed, 67% of EU citizens polled indicated that they have heard of the GDPR, and 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of them indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. According to the European Commission, this result shows an increase of 20 percentage points compared to the 2015 Eurobarometer results.

[Figure: GDPR Awareness in the EU]

How has the GDPR been enforced so far?

On February 26, 2019, the European Data Protection Board released an overview on the implementation and enforcement of the GDPR.

According to this report, cooperation mechanisms among national data protection authorities have intensified. Between May 2018 and February 2019, 444 mutual assistance requests, both formal and informal, were triggered by Data Protection Authorities (DPAs) from 18 different EEA countries. Furthermore, 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries: 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 cases have been finalised. These cases are mainly related to the exercise of individual rights, consumer rights and data breaches. The EDPB has adopted 28 consistency opinions regarding the national lists of processing subject to a data protection impact assessment.

DPAs from 31 EEA countries reported a total of 206,326 cases, with 94,266 complaints and 64,684 of those cases initiated on the basis of data breach notifications by controllers. 52% of the above cases have been concluded, while 1% are being challenged before national courts. DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totalling €55,955,871.

[Figure: GDPR Cases in Year One]

GDPR fines in the first year

In 2018, based on a complaint by the non-profit organisation NOYB (“None Of Your Business”), the French supervisory authority imposed the world’s stiffest privacy fine against Google. In January, the CNIL imposed a fine of 50 million euros on the company over how it uses data for ad targeting, for violating the GDPR principles of transparency, adequate information and valid consent regarding ads personalisation. While there is limited transparency of the enforcement and only some DPAs have published their results to date, some details for the different states in Germany are known:

[Figure: GDPR Fines in Germany]

As recently as last Tuesday, May 21st 2019, a fine was imposed for breaches of the General Data Protection Regulation in Lithuania. The data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimisation, adequate security measures and data breach reporting requirements of the GDPR.

A transition year for data protection

By enhancing data protection we are protecting the fundamental rights and freedoms of the persons to whom that data relates. As the General Data Protection Regulation came into force only one year ago, improvements are still being made to address the issues that companies and European citizens face in the day-to-day practice of data processing.

The EEA Supervisory Authorities have reported that they need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities in order to standardise and provide the best solutions to secure our data.

The first 12 months and looking forward

Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments: “It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace.”

The European Data Protection Board (EDPB) has adopted the framework of the 2019-2020 work programme and is willing to develop operational cooperation with its non-European counterparts and a convergence of data protection principles worldwide.

How TechGDPR is involved

During the first year of the GDPR, TechGDPR has been deeply involved in many discussions, in particular around data protection and privacy. Our team is, for example, involved in the privacy working group of the German Blockchain Association, has taken the lead on privacy matters within the newly set-up International Association of Trusted Blockchain Application (INATBA), and is part of the DIN consortium working on the DIN SPEC on Privacy by Blockchain Design.


Malia Thuret-Benoist

Business Development Intern

Malia has a background in Governance and Political Science. She is convinced of the potential of blockchain as a tool to build trustable participative democracies and a sustainable future.
