A year since its introduction, Oliver Yaros evaluates the impact of the European data protection regulation
In 25 May 2018, the EU General Data Protection Regulation (GDPR) came into force. In the initial months EU data protection authorities (DPA) allowed companies time to improve their compliance, they carried out exploratory investigations and provided recommendations. The DPAs have since increased enforcement and investigations.
DPAs have resorted to indefinite or temporary suspension as a means of enforcement. There have been a few cases of suspensions, the most notable case is of the sanction on Dutch tax authorities by the Dutch data protection officer (DPO) for the use of national identification numbers as part of value added tax (VAT) return numbers for self-employed individuals. According to the Dutch DPA, using the national identification number heightened the risk of identity fraud and lacked any legal basis. As a result, from 1 January 2020, the processing of national identification numbers for the purposes of VAT has been prohibited.
In other cases, Malta’s DPO ordered national land register to temporarily suspend processing for the authority to investigate the land register’s response to a personal data breach. A Canadian technology and political consultancy company was ordered by the UK DPO to erase all personal data it held belonging to UK individuals.
There have been 446 cross-border investigations commenced by DPAs in the first year, either on their own initiative or following complaints by individuals.
A fundamental element of GDPR is the ability of DPAs to order substantial fines for non-compliance, which can be up to 4% of an organization’s annual global turnover in the financial year preceding the breach. To date, while there have been fines under the GDPR, significant fines have been rare. Just over €55 million (US$62 million) in fines were issued by DPAs in the first nine months of the GDPR.
Portugal’s DPA ordered a €400,000 fine on a hospital after patient records were accessible by users who were not entitled to access them, using accounts in the names of doctors not practising at the hospital. A German DPA, the State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg, imposed a €20,000 fine on a social media chat platform for its data storage practices after 800,000 email addresses and user passwords were compromised after being stored in an accessible format. The low level of fine was due to the social media platform’s quick response and remediation of the issue following its discovery.
Poland’s DPA imposed a €220,000 fine on a digital marketing company for aggregating personal data of more than six million individuals from registers that were publicly available without providing them with the required information under the GDPR for personal data that is collected from sources other than the data subject. The provider was also ordered by the DPA to send the required information to the six million individuals within three months (which, according to the company’s estimations, would cost in excess of €8 million if individuals are sent notices by post).
Increased requests and complaints
Under the GDPR, data subjects have greater rights on their personal data. Subjects have the right to data portability and rights of access and erasure. Substantial publicity about this before the implementation of the GDPR has created awareness among data subjects of their rights, which has led to a significant increase in the number of requests from individuals to exercise these rights.
DPAs have received more than 144,000 complaints and queries by individuals who believe their rights under the GDPR have been violated. Most of these complaints were related to promotional emails, telemarketing, and CCTV/video surveillance. A common subject of complaints has been insufficient consent being sought to conduct processing activities and the lack of transparency and information provided by controllers about their processing activities.
DPAs have also witnessed a significant increase in the number of reported personal data breaches, in compliance with the 72-hour/ “without undue delay” deadline under the GDPR. The increase is due to a broader definition of personal data (and consequently, the types of data-related incidents that constitute a personal data breach) and the introduction of a standardized notification requirement with sanctions for non-compliance. Within the first 12 months, 89,000 personal data breaches were notified to DPAs. However, only 63% of cases investigated by DPAs have been closed.
Driving change globally
One of the biggest impacts of the GDPR has been on data protection laws and practices in other jurisdictions. Many countries across the world have adopted or are modelling their policies along the lines of the GDPR. The approach taken with respect to the provision and exercise of rights by individuals as well as personal data breach and accountability requirements that have to be complied with by organizations that use personal data are aspects of the GDPR that have influenced data protections laws and practices in other countries.
Countries across Asia have been influenced by the European legislation. GDPR has encouraged many of these countries to assess their own data protection frameworks. India, China, South Korea, Malaysia, Singapore and Indonesia have introduced or enhanced their data protection and cybersecurity laws following the introduction of GDPR. China has implemented a national standard on personal information, which is similar to GDPR, expanding the definition of personal data to include sensitive personal data and consent requirements. Thailand has mirrored aspects of the GDPR with concepts such as personal data, data controller and data processor.
While, India is currently debating a data protection bill, which includes consent-based obligations and restrictions on the handling of personal data.
Japan achieved adequacy status on 23 January 2019 relating to the export of personal data from the EU to Japan after implementing various additional protections to ensure personal data was safeguarded under Japanese laws. South Korea’s data protection laws are currently being amended to achieve adequacy status.
In updating and enhancing their laws, Asian regulators have been partly motivated by the view that data privacy and protection will be improved if personal data is kept onshore. An example is Vietnam’s cybersecurity law, which imposes cross-border data transfer restrictions and data localization. Such a restrictive approach by Asian regulators may make it more difficult for organizations to transfer data offshore, and may lead to unnecessary operational costs in establishing local data centres. The Asia-Pacific Economic Cooperation (APEC) stated that there is significant negative impact in countries, such as Indonesia, China and South Korea, which have passed or proposed data localization laws and restrictions on cross-border transfers. APEC estimates average annual GDP losses of 0.7% in these countries as a result of such policies.
GDPR has also had an influence in other jurisdictions such as Liechtenstein, Norway, Switzerland and Iceland, which have aligned their data processing laws with GDPR. Numerous US states have enacted or proposed laws mirroring aspects of GDPR, in particular data subject rights. The California Consumer Privacy Act (CCPA), which will come to force on 1 January 2020, is partially influenced by GDPR.
It provides similar data subject rights, including the right to data portability and the right to deletion and requires comprehensive information to be provided to individuals about how their personal data is being used. While, New York, Massachusetts, Maryland, Illinois and various others states have proposed laws based on the CCPA, but differ in their obligations and scope. As this may lead to a patchwork of CCPA-like laws, federal data protection laws that would pre-empt any such state laws are being considered.
The Brazilian General Data Protection Law (LGPD) that will be implemented on 15 August 2020 has been influenced by and has many common elements with GDPR.
Previous guidelines on GDPR issued by the Article 29 Working Party have been adopted by its successor, the European Data Protection Board (EDPB).
The data protection board has also issued new guidelines for consultation. Some of the guidelines under consultation are:
- Accreditation of certification bodies under article 43 of GDPR. These guidelines help member states, national accreditation bodies and supervisory authorities create a harmonized and consistent baseline for the accreditation of certification bodies that issue certification in line with GDPR.
- Territorial scope of GDPR. These guidelines clarify the meaning of establishment in the EU, factors determining whether data subjects in the EU are being targeted and the status of tourists.
- Processing of personal data under article 6(1)(b). These guidelines, which relates to the provision of online services, clarify the narrow scope of the legal basis of contractual necessity, whereby processing must be “objectively necessary” for a purpose “integral” to the delivery of a contractual service to the data subject.
- Codes of conduct and monitoring bodies under GDPR. These guidelines provide a framework for assessing the rules and procedures in relation to both national and European codes and practical advice relating to Articles 40 (codes of conduct) and 41 (monitoring of codes) of GDPR.
- Class actions. With lawyers developing a stronger understanding of the types of individual claims that have gained the most traction to date and the development of representative bodies under article 80, we expect an increase in group litigation.
- Certification schemes. Certification schemes, which allow organizations to demonstrate GDPR compliance, are anticipated to gain momentum in the next year. The Information Commissioner’s Office in the UK has declared its support for certification schemes and has provided guidance and the EDPB has published guidance on the accreditation of certification bodies.
- Brexit. The impact of Brexit is likely to be marginal. It has been made clear by the UK government that an adequacy agreement with the EU will be sought to ensure data continues to move between the UK and the European Economic Area countries. Should there be a no-deal Brexit, alternatives such as the Standard Contractual Clauses may be used to ensure GDPR compliance.
Oliver Yaros is a partner in the London office of Mayer Brown International. He can be reached at [email protected].