For a select crowd, May 25, 2018, will forever be known as a turning point. As the EU General Data Protection Regulation took effect, individuals across the European Economic Area became the recipients of a host of new digital rights, and companies bore new responsibilities for protecting, managing, and processing personal data. In enacting the GDPR, the EU became a leader in a new and dynamic field and has yet to relinquish its hold.
While most can remember the years, months, and weeks of implementation in the run-up to May 25, 2018, the four years following have happened at such a frenzied pace that the time has felt like a blur for many privacy pros. Countries worldwide have opted to follow in the EU’s path and introduce similar legislation, broadening the reach of data rights to a majority of the globe. GDPR has had a tangible ripple effect: the past year alone has seen China, South Africa and a post-Brexit U.K. enact GDPR-like privacy legislation. As it stands, the UN Conference on Trade and Development shows 80% of countries having data and privacy protection legislation in place or in draft form, and while they vary in the level and types of protections offered, one thing is certain: data is top of mind.
The past year of GDPR saw a significant uptick in enforcement matters as regulators across Europe began to settle into their roles, including remarkable fines and attention-grabbing headlines, demonstrating that the EU’s appetite for enforcement is on the rise. Of note, Luxembourg’s data regulator made headlines in July when it fined Amazon a record-breaking $888 million for breaching GDPR rules around the use of consumer data in advertising. In fact, from June 2021 to May 2022, regulators issued nearly 400 fines, totaling $1.4 billion.
At a casual glance, $1.4 billion in fines may seem like a staggering number, yet regulators have much more at their disposal, since violators of GDPR may be fined up to €20 million or 4% of the annual worldwide turnover of the preceding financial year, whichever happens to be greater. For the big tech companies of the world, these fines seem to offer little deterrence other than bad (and fleeting) press. Perhaps in recognition that regulators could be more efficient, the EU has signaled a review of its enforcement approach. Speaking at a conference in December 2021, Commission Vice President Věra Jourová said, “Either we will all collectively show that GDPR enforcement is effective, or it will have to change and … any potential changes will go towards more centralization.” European Data Protection Board Chief Wojciech Wiewiórowski announced a conference planned for June to discuss alternative models of enforcement of the GDPR. Just this month, the EDPB adopted new guidelines on how to calculate GDPR enforcement fines in an effort to harmonize data protection authorities.
This year, as we look at the GDPR and its impact, it is equally important to recognize the EU’s role in shaping privacy and data protection regulation and how its role may evolve, particularly as the U.K. and U.S. navigate privacy in the year ahead. In the U.K., it is expected that a planned reform of its own GDPR-like privacy regime will result in a more business-friendly approach, which has raised concern for some regarding its adequacy standing with the EU. Meanwhile in the U.S., officials are looking to shore up trans-Atlantic data transfers, after the EU Court of Justice struck down Privacy Shield, by finally (maybe) navigating comprehensive federal privacy protections. This, along with efforts in other regions such as Latin America, Africa and Asia Pacific to create regional data transfer mechanisms and regulate artificial intelligence, means the privacy stage will likely grow to include more leaders.
The first years of the GDPR have seen significant progress in protections for personal data across the digital domain, yet it is far from complete. Globally, we have seen as many shortcomings as strengths in approaches to data protection and privacy. Most importantly, we have seen an evolution in the way legislators, companies and individuals think about personal data and what it means to protect it.