The proposals for what became GDPR were launched by the European Commission 10 years ago tomorrow on 25 January 2012. I wrote my first article on the proposals on the same day – you can still read a copy of that article here https://bit.ly/2QLRRUp. So has GDPR lived up to its expectations?
I’ve used some specific GDPR terms in this blog – you can find the meaning for those terms at www.bit.ly/gdprwords.
One of the initial predictions for GDPR was that it would lead to severely increased penalties. Whilst the 2012 proposals had lower fine levels than the final version of GDPR, there were still some who predicted that the floodgates would open. In fact, GDPR enforcement has increased incrementally since GDPR went live. There was about €1bn of fines in 2021 out of a total of around €1.35bn of fines since GDPR went live in 2018.
But it’s not all about fines. We have seen some DPAs be much more subtle in their enforcement. Some of the regulatory actions with the biggest impact have not involved fines at all, such as the Irish DPA’s intervention into Facebook’s proposed dating service (see here https://www.corderycompliance.com/ireland-dpc-halts-fb-dating-service/), the Portuguese DPA banning Cloudflare (see here https://www.corderycompliance.com/cnpd-enforces-schrems3/) and the UK DPA’s processing and destruction order against HMRC (see https://www.corderycompliance.com/episode-247-voice-data-collected-unlawfully-must-be-destroyed/).
GDPR is really about security
This is another prediction from some which has proved to be wide of the mark. Transparency is a key theme of GDPR and most of the cases that have led to the highest fines have had transparency as their central theme rather than security. It is true that some investigations into transparency have come about because of a security breach, like the €35.2m fine for H&M in Germany (see https://www.corderycompliance.com/hmbbfdi-fines-hm-for-gdpr-violations/), but regulators really care about transparency, particularly when organisations have misled those they deal with.
One of my concerns when I wrote in January 2012 was piecemeal enforcement. I said then “The new rules will still be enforced by the independent data protection commissioners in each country and by the national courts. This is likely to lead to inconsistencies as in the present system. Fines vary across Europe for relatively similar incidents.” That has proved to be the case. Some DPAs have been more active than others when it comes to fining for GDPR infringements. Spain is out in the lead with about 397 fines in total (around 35% of all known GDPR fines). At the other end of the spectrum, some regulators have hardly got going – Croatia seems to have fined only two unnamed companies an undisclosed amount of money in 2020 and 2021.
There is a real difference in the amount of fines levied too. Of Spain’s 397 fines, only 8 have been over €1m with by far the majority being well under €60,000. In contrast, some DPAs (like the UK) have fined higher amounts infrequently.
We’re also seeing inconsistency, as I said in 2012, in the way in which courts approach GDPR. We’re starting to see this in appeals – the route to court can be complicated. Our note on the appeal against Amazon’s €746m fine in Luxembourg is just one example (see https://www.corderycompliance.com/amazon-fine-lux-cnpd/).
I have always had concerns about the resources available to DPAs, particularly with registration fees also theoretically being removed by GDPR (the UK reinstated registration fees but not as part of the GDPR regime). This has in part led to DPAs sometimes getting their processes and procedures wrong and, as we predicted prior to GDPR coming in, a pretty decent success rate for GDPR appeals. This remains an area of concern. Regulators are going to have to get better at regulating, and that includes getting their procedure right in their investigations and following the principles of natural justice.
As I have said already, there are also going to be inconsistencies in the national court systems which are unlikely to be ironed out for a long time if we are waiting for ECJ rulings to bring some harmony. And even then different countries have different ways of imposing and appealing against fines and other orders.
Rise in Class Actions and DSRs
When the European Commission announced its proposals on 25 January 2012, it tried to sell what became GDPR as a way of businesses saving money. The Commission promised savings for businesses “of around €2.3bn per year.” It is hard to see any of those €2.3bn of annual savings. In fact, from an unscientific straw poll I have done, no organisation has saved money through GDPR being implemented. It seems it is quite the opposite. Many businesses are spending more money since GDPR came into force – not only with improving their processes and procedures but also in dealing with nuisance and trivial claims and vexatious subject access and right to be forgotten (RTBF) requests. We have written about these concerns before, for example in the rise of class actions and small GDPR claims. There’s a short film on that here too https://bit.ly/classactionfilm. We have also seen a rise in claims for cookie infringements and the rise of automated SAR and RTBF delivery services with questionable motives.
Another trend has been the use by the super rich of RTBF to forget their past. It’s a disturbing trend and a concern which we shared with MEPs before GDPR came in. Most of the cases we’ve been involved with are not in the public domain but there’s an article which is in the public domain here https://bit.ly/3nRU0uO. We’re even seeing RTBF requests from employees and job candidates especially when they have something in their past which they would rather forget.
The One Stop Shop
Another way in which the European Commission promised a reduction in the burden on organisations was by promoting the so-called one stop shop mechanism. The Commission’s announcement on 25 January 2012 said “organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment.” As I said at the time, one stop shop was always likely to be a real challenge. Different countries care more about different things. For example, those parts of Europe who have suffered from repressive regimes might care more about dental records and the way in which information is used by the State than those in other parts of Europe that do not have that history.
We were always likely to see DPAs step in where those they represented felt strongly on an issue, and in some respects the challenges to one stop shop have been accentuated by the dependency on each national government for resources that I highlighted back in January 2012. This is something that the Commission did not fix and, as a result, regulators have frequently not felt themselves bound by the one stop shop – see for example the French DPA’s recent intervention against Google and Facebook (see here https://www.corderycompliance.com/google-fb-cookie-fines/). Even when one stop shop works, it can lead to very strange results – for example with DPAs pushing for penalties many times greater than any penalty they have ever delivered themselves. This is likely to be one of the grounds, for example, for WhatsApp’s appeals (see here https://www.corderycompliance.com/whatsapp-fined-by-irish-dpa/).
It is too early to say that one stop shop is dead but it is certainly very unwell.
Whilst it is easy to say that GDPR hasn’t fulfilled all of its promises, it has certainly changed the data protection landscape. Rightly or wrongly, GDPR is seen as the gold standard of data protection by many and it has been the template for new laws around the world, accentuated in some places by the pursuit of an EU adequacy decision to make data transfer from the EU easier.
We’re likely to see many of these trends continue too – increased GDPR enforcement by both DPAs and by private litigation. You can see my 5 minute predictions on this and other areas of compliance here https://www.corderycompliance.com/2022-predictions/.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784

André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785