The General Data Protection Regulation (GDPR) came into force after years of debate and preparation. In January 2012, the European Commission began setting out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Approved by the European Parliament in April 2016, the legislation came into force across the European Union on 25 May 2018, and celebrates its first birthday today.
Reshaping how personal data is handled and raising awareness
This regulation is aimed at fundamentally reshaping the way personal data is handled across every sector in Europe. One year later, we can clearly see that it has raised professionals’ and individuals’ awareness of data protection issues. The regulation gave individuals extensive new powers to control their data. For example, data subjects can demand that organisations tell them how their data are used and ask them to destroy their data (“the right to be forgotten”). The fines for non-compliance were also significantly increased.
According to the Eurobarometer of March 2019, the increase in queries and complaints confirms the rise in awareness about data protection rights among individuals. Indeed, 67% of EU citizens polled indicated that they have heard of the GDPR, and 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of them indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. According to the European Commission, this result shows an increase of 20 percentage points compared to the 2015 Eurobarometer results.
How has the GDPR been enforced so far?
On February 26, 2019, the European Data Protection Board released an overview on the implementation and enforcement of the GDPR.
According to this report, cooperation mechanisms within national data protection authorities have been heightened. Between May 2018 and February 2019, 444 mutual assistance requests, both formal and informal, were triggered by Data Protection Authorities (DPAs) from 18 different EEA countries. Furthermore, 45 one-stop-shop procedures were initiated by DPAs from 14 different EEA countries: 23 cases are currently at the informal consultation stage, 16 are at the draft decision stage and 6 cases have been finalised. These cases are mainly related to the exercise of individual rights, consumer rights and data breaches. The EDPB has adopted 28 consistency opinions regarding the national lists of processing subject to a data protection impact assessment.
DPAs from 31 EEA countries reported a total of 206,326 cases, with 94,266 complaints and 64,684 of those cases initiated on the basis of data breach notifications by controllers. 52% of the above cases have been concluded, while 1% are being challenged before national courts. DPAs from 11 EEA countries reported imposing administrative fines under the GDPR totalling €55,955,871.
GDPR fines in the first year
In 2018, based on a complaint by the non-profit organisation NOYB (“None Of Your Business”), the French supervisory authority imposed the world’s stiffest privacy fine against Google. In January, the CNIL imposed a fine of 50 million euros on the company over how it uses data for ad targeting, for violating the GDPR principles of transparency, adequate information and valid consent regarding ads personalisation. While there is limited transparency of the enforcement and only some DPAs have published their results to date, some details for the different states in Germany are known:
As recently as last Tuesday, May 21st 2019, a fine was imposed for breaches of the General Data Protection Regulation in Lithuania. The data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimisation, adequate security measures and data breach reporting requirements of the GDPR.
A transition year for data protection
By enhancing data protection we are protecting the fundamental rights and freedoms of the persons to whom that data relates. As the General Data Protection Regulation came into force only one year ago, improvements are being made in order to address issues that companies and European citizens are facing in the day-to-day practice of data processing.
The EEA Supervisory Authorities have reported that they need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities in order to standardise and provide the best solutions to secure our data.
The first 12 months and looking forward
Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments: “It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace.”
The European Data Protection Board (EDPB) has adopted the framework of the 2019-2020 work programme and is willing to develop operational cooperation with its non-European counterparts and a convergence of data protection principles worldwide.
How TechGDPR is involved
During the first year of the GDPR, TechGDPR has been deeply involved in many discussions, in particular around data protection and privacy. Our team is, for example, involved in the privacy working group of the German Blockchain Association, has taken the lead on privacy matters within the newly set-up International Association of Trusted Blockchain Application (INATBA) and is part of the DIN consortium working on the DIN SPEC on Privacy by Blockchain Design.