The General Data Protection Regulation (GDPR) has applied since 25 May 2018. Reports of massive data breaches and the mishandling of personal data by large online platforms remind us what is at stake: from preserving our private lives, to protecting the functioning of our democracies and ensuring the sustainability of our increasingly data-driven economy.
A year later, the same Regulation is showing growing pains across Europe. Implementation has visibly not been uniform; the differences between member states have been large and specific. One reason for this is that the EU was not prepared for several emerging technologies, and in particular for services originating in China, a country whose privacy culture differs greatly from that of the EU.
By 25 May 2019, the first anniversary of GDPR becoming applicable, €56 million in fines had been issued under it, and €50 million of that was a single fine imposed on Google by the French regulator.
Substantial data protection fines had been issued before this one, but under the pre-GDPR rules. One of the largest was the £500,000 fine imposed on Facebook by the UK Information Commissioner's Office over the Cambridge Analytica scandal. That amount was the maximum allowed under the old UK data protection law, because the conduct in question predated GDPR.
European countries have not only taken different approaches to penalties; they have also set up different structures for enforcing the Regulation. In Germany, for example, data protection authorities (DPAs) are organised at the level of the federal states, and there is a separate DPA at federal level with jurisdiction over federal public bodies and over telecommunications and postal service companies. The result is that Germany has 17 data protection authorities instead of one.
Other problems that have appeared so far include:
- the interpretation of the GDPR’s details, which was done differently by each country in the EU
- different opinions on how to calculate fines
- determining who imposes and collects the fine.
Determining who imposes and collects the fine
One of the clearest examples of this problem is the €50m fine that France's Commission nationale de l'informatique et des libertés (CNIL) imposed on Google. The case sidestepped the GDPR's one-stop-shop mechanism, under which a company with cross-border processing is supervised, and fined, by the authority of the EU country where its main establishment is located; for Google that would be Ireland. The CNIL argued that Google had no main establishment in the EU for the processing at issue, because all decisions concerning the processing of data related to Android and Google accounts were taken at the company's headquarters in the US, so the one-stop-shop mechanism did not apply and the CNIL was competent to act.
According to Computer Weekly, other EU nations have taken a distinctly different strategy, investing most of their effort in educating businesses and issuing warnings rather than imposing immediate penalties. As a result, the perceived risk of enforcement varies from one country to another among data controllers.
These different perceptions are reflected in the number of data breach notifications. According to DLA Piper, the three countries with the most notified data breaches are the Netherlands, Germany, and the UK.
The Regulation also brought new data breach notification laws. More precisely, according to DLA Piper: “personal data breaches which are likely to result in a risk of harm to affected individuals must be notified to data regulators. Where the breach is likely to result in a high risk of harm, affected individuals must also be notified.”
Sanctions for failing to comply with the notification obligations are fines of up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
“In the 8 months since GDPR has applied across Europe, there have been more than 59,000 personal data breaches notified to regulators.”
Organizations must notify the data protection regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The deadline may seem short, but when an organization is considered to have "become aware" of a breach is open to interpretation, and in practice it is where much of the uncertainty lies.