Part 1 - Looking back over 2 years of the GDPR
The General Data Protection Regulation (EU/2016/679) (GDPR) is two years old! To celebrate, in this Part 1 we look at the trends we have seen in 2019 and 2020 and the biggest fines that have been issued; in Part 2, we will consider how we can all play a part in its future.
An international influence
The EU Vice-President for Values and Transparency and the EU Commissioner for Justice, Věra Jourová and Didier Reynders, declared when celebrating its second anniversary that the rules set out in the GDPR have not only shaped the way we deal with personal data in Europe, but have also become a global reference point on privacy.
They have also said (how could it not be mentioned when considering the year so far!) that, in the context of COVID-19, the GDPR and EU privacy rules are playing a vital role in ensuring that personal data, and especially medical data, are well protected.
In the last two years, EU citizens and businesses have become more aware of the importance of data protection, and the EU has supported this growth through online channels: it has now engaged with 4.3 million businesses and citizens online and assisted them with their data protection queries. The Information Technology Industry Council has agreed that the GDPR is a landmark regime which has transformed data privacy. On its first birthday, the EU declared that it intended to focus on putting into practice the new rules that had opened a new chapter in EU data protection, and it has described 2019 as a year of transition. So, what have we seen in its second year?
The biggest fines of the GDPR’s second year
The most active EU authorities have been those of France, Austria and Germany, whose watchdogs have issued the largest fines. France has issued €51,100,000 worth of fines (thanks to the infamous €50,000,000 Google fine!), and the next highest total was Germany's, at €24,574,525. The Netherlands has had the highest number of reported data breaches per country, with Germany second and the United Kingdom third.
While the UK ICO has announced its intention to fine companies in the airline and hospitality industries €213 million and €99 million respectively, for their poor security arrangements and failures to conduct due diligence, these fines had not been finalised as of May 2020. Given their size, however, they are worth a mention!
The biggest fines of the GDPR's second year (May 2019 to May 2020) have been:
Italy - in January 2020, an Italian telecommunications operator received a €27,800,000 fine for a long list of violations, including contacting customers repeatedly (sometimes more than 150 times a month) without proper consent or another legal basis, data breaches, improper record management and excessive data retention.
Austria - in October 2019, Austrian Post received the largest fine seen to date in Austria, €18,000,000 (plus the cost of the investigation, about €1.8 million). The company had created profiles of more than 3 million Austrian citizens, including their hobbies and political interests, which were sold on to third parties.
Germany - in October 2019, the German authority issued its largest fine to date, €14,500,000, relating to the retention period of personal data at the real estate company Deutsche Wohnen.
Focus - Biometric data
There has also been particular interest in the processing of biometric data: a major data breach involving it was reported to the ICO in the UK, and the Netherlands and Sweden were among the authorities warning about the privacy risks of its use.
Fines have been issued under the GDPR in Poland; France has been considering its use in schools and to monitor employees; and in the UK the national tax authority has been under scrutiny for the way it records voice data.
The EDPB has made clear, in its guidance on the processing of personal data through CCTV and other surveillance and tracking technologies, that this will be of ongoing interest.
In the grand scheme of things, however, relatively few serious fines have been seen compared with the large number of warnings issued under what is a strict regulation. So, how effective has it been?
Is it working?
There are still critics of the GDPR who suggest that its rules can be disproportionately burdensome and prescriptive. The GDPR was created two years ago with the intention of being wide-ranging and flexible, so that it could apply to all businesses and to any kind of processing.
However, businesses must perform a difficult balancing act against pre-existing rights, obligations and everyday commercial necessities, such as freedom of expression and marketing practices. The interpretative nature of the rules means that some businesses have been left to interpret them for themselves, and the rules can be especially restrictive for innovative companies that are unable to use data effectively, for example to develop machine learning and artificial intelligence.
Disappointingly, in its second year the GDPR has not effectively addressed the issues it presents in innovative spheres such as fashion tech and EdTech. Machine learning, text and data mining and a host of other technical processes arguably take place in a sphere separate from the one the GDPR targets, since the data is interpreted by machines and will never be seen by human eyes. The rules apply just the same, however, and are made more burdensome by Article 22, under which data subjects have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them, unless an exception such as explicit consent applies.
There is some suggestion that this will change during the global pandemic, as privacy concerns take a back seat worldwide and AI is assigned an essential role in the fight against the pandemic through track and trace apps.
Search engines in particular have struggled with indexing sensitive categories of personal data, which they may do only where this is required in the public interest. In the GDPR's second year this led to the case of GC and Others v CNIL (2019), which found that the Article 9 exception permitting processing for reasons of substantial public interest on the basis of Member State law could be invoked by Google, even in the absence of national Member State law providing for it.
While the decision is arguably reasonable, it demonstrates the ad hoc way in which the rules have developed in the GDPR's second year. The same ad hoc development can be seen in a May 2020 decision in the Netherlands, which found that the GDPR can apply to some fairly personal situations rather than only to business settings. In that case, a grandmother had posted photographs of her grandchildren online without the consent of her daughter. Because she had not checked the privacy settings available on the social media sites she used and was effectively sharing the photographs with third parties, the household exemption did not apply: she was found to be in breach of the GDPR and was ordered to remove the photographs, with a financial penalty for each day of non-compliance.
While the authorities exist to give guidance, the UK ICO has been clear from the beginning that fines will always be its last resort. As of May 2020, a number of regulators, including those in Croatia, Estonia, Finland and Luxembourg, had reported to the EDPB that they had not issued any fines under the GDPR. In the UK, even though data breach reports to the ICO rose by 300% when the GDPR was first implemented, only about one in a thousand cases has actually resulted in a fine.
Since 2018, 160,921 personal data breaches have been reported within the EEA. However, fines have totalled only €153 million, which is not substantial considering the number of breaches, or the number of rules!
The European Council has recognised in its yearly review of the GDPR that, while the GDPR has been an important milestone for data privacy, new technological developments present specific challenges because they evolve so quickly. As everyday life and technology move on, there is a danger that the adaptable rules that were developed are left behind, with a lack of concrete decisions from the supervisory authorities.
So, how can we approach the development of the GDPR while balancing the rights of data subjects against the day-to-day necessities of business? Check out Part 2 of this two-part article to find out more.
In the meantime, if you have any questions about how you can adapt your business to be compliant and contribute to the development of the GDPR, please don’t hesitate to get in touch!
Article by Lily Morrison @ Gerrish Legal, first published on Medium in May 2020 / Cover photo by Dan Nelson on Unsplash