[co-author: Adam Penman]

The European Union’s (EU) ambitious and far-reaching regulation, the General Data Protection Regulation (GDPR), became effective on 25 May 2018. On the one-year anniversary, we reflect on some of the principal developments following the implementation of the GDPR

European privacy values: a cultural shift

Critics have derided the GDPR for placing an onerous and expensive compliance burden on businesses, causing confusion and creating ‘data privacy fatigue’ amongst consumers and businesses alike.

Conversely, the furore has generated significant publicity around the GDPR, contributing to a cultural shift towards greater consumer empowerment and control over personal information. Public awareness of the GDPR is high – in May 2018, GDPR was searched more often on Google than either Beyoncé or Kim Kardashian. Individuals have a better understanding of their rights in respect of their personal data – which presents more of a risk to data controllers.

Equally, GDPR has completely changed the risk profile of data protection for most businesses. Under the previous, weakly enforced regime, most businesses treated data protection as a low risk issue. Under the new regime, data protection has become a high-risk issue.

GDPR – Complaints to supervisory authorities

The statistics relating to complaints and breach notifications demonstrate the increasing levels of data protection awareness, both among businesses and individuals. Between May 2018 and January 2019, European supervisory authorities received more than 95,000 complaints from data subjects – a significant increase on the numbers under the previous law. The activities which attracted the largest numbers of complaints related to telemarketing, promotional emails and video surveillance/CCTV. Data subject rights (access and erasure), as well as unfair processing, were common complaint topics.

GDPR Breach notifications

Under the GDPR, controllers are required to notify a personal data breach to a supervisory authority within 72 hours (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons). Over 64,000 data breach notifications have been made to European data protection agencies since 25 May 2018, which, again, is a vast increase than the rate under the previous law. However, supervisory authorities believe that this is largely as a result of controllers self-reporting out of caution.

GDPR Enforcement

One of the most headline-grabbing aspects of the GDPR is the significant sanctions that it gives supervisory authorities the power to impose. According to the European Commission, since 25 May 2018, GDPR enforcement actions by supervisory authorities have resulted in more than €56 million in fines. However, one penalty makes up the bulk of this figure: in January 2019, Google was fined €50 million by France’s data protection authority for continuous and large scale breaches of GDPR. Interestingly, some data protection authorities have seemed far more eager to use their fining powers than others. However, there are some indications that the last year may have been a transition year, as regulators and businesses adjust to GDPR, and therefore we can expect more fines in future.

A global transformation – data privacy is here to stay

GDPR has helped precipitate a global movement towards greater privacy protection. This is partly because GDPR purports to have extra-territorial applicability: data processors and controllers outside of the EU, but whose activities affect individuals located in the EU, are caught within its scope. Consequently, over the past year countries have started to adapt their domestic privacy protection laws with the aim of facilitating economic activity with an EU nexus. Countries with very significant economic power, such as China, India and Brazil, have amended existing legislation or introduced new laws to align with the framework of the GDPR. In the US, the California Consumer Privacy Act 2018 has been called “the American GDPR”. There is also increasing pressure in the US for a federal data privacy law.

Before GDPR was implemented, many commentators dismissed it as a “fad” or a “flash in the pan”; but the contrary is proving to be true.