On May 25, 2018, the European Union’s General Data Protection Regulation took effect, sweeping aside a patchwork of laws governing data protection and breach notification in individual EU member states.
GDPR was heralded by clamorous alarms from lawyers and consultants, warning clients that the failure to comply with the law could have massive ramifications for their businesses. The threat of fines up to the greater of €20 million or 2% of worldwide annual revenue was picked up by mainstream publications and echoed throughout boardrooms and conference centers in the United States.
Many American enterprises took this threat to heart and commenced sweeping reorganizations of their privacy and data collection practices. Businesses dueled one another with conflicting forms of data processing agreements. Customers woke up to dozens of emails announcing revised privacy policies to which they would need to consent before shopping again at their favorite online retailers.
But in truth, most or all of these lawyers, consultants and clients alike remained uncertain how the GDPR would affect businesses in the United States.
A year later, we can look back at data available from EU data protection authorities, including statistics regarding enforcement actions brought by those agencies, and begin to assess whether the anxiety of last year was warranted and whether the regulation’s aims are being realized.
The European Data Protection Board’s recap of GDPR activity between May 2018 and May 2019 states that 144,376 complaints or queries were lodged with EU data protection authorities during that year. More than 89,000 data breaches were self-reported to those authorities (hopefully within the 72-hour mandatory reporting window set by GDPR). And more than 375,000 organizations have registered their data protection officers with an EU authority.
But one potentially misleading reported statistic must be examined, especially in light of the publicity that was focused on potential GDPR fines in the run-up to May 2018. Although the board reported almost €56 million in fines levied in the first year of GDPR, the vast majority of this amount was a single €50 million fine issued to Google by French data protection authorities based on the company’s alleged failure to provide adequate information and control for users to offer genuine consent to Google’s data collection practices. Another large fine was levied by UK regulators against Facebook arising out of the Cambridge Analytica scandal. Contrast this with the case of a business owner in Austria, whose closed-circuit video camera was unintentionally recording pedestrians walking in front of his establishment; that business was fined €5,280. Factoring out the huge fines levied against these internet giants, it appears most organizations facing GDPR investigations have escaped with warnings or, at worst, modest penalties.
The conclusion that GDPR fines have been issued less often and in smaller amounts than had been feared (or, perhaps more accurately, fearmongered?) is in keeping with my firm’s experience negotiating with EU regulators in the wake of reported data security incidents. Perhaps Americans simply did not put enough trust in statements by those regulators, some of whom emphasized in the build-up to the regulation that these maximum fines would be few and far between, imposed only for blatant violations, and that the true intent of GDPR was to educate organizations on how to protect individual privacy.
GDPR enforcement has been consistent with these statements; the focus has been on providing consumers the ability to give meaningful consent and later revoke that consent, and on transparency in how information is used. These are viewed as fundamental human rights under GDPR, and enforcement of the regulation has centered on these rights.
In the Google decision, for example, the French data protection authority noted that a data controller’s transparency and information obligations are essential for allowing people to exercise their rights and maintain control of their data. The regulator, CNIL, shredded Google’s business practices and the manner in which it obtained consent to collect and process data. CNIL chastised Google’s practice of having all consent options checked by default. According to CNIL, the information that should be communicated to data subjects regarding their consent was “excessively spread out,” “difficult to find,” involved a “multiplication of necessary actions,” and did not “satisfy the requirements of transparency and accessibility of information.” The decision noted that the pieces of data Google collected “are likely to reveal, with a high degree of precision, many of the most intimate aspects of people’s lives …” Finally, CNIL described the way in which Google collected and processed data as being “particularly extensive and intrusive.”
From this perspective, GDPR has been a great success. The regulation heightened awareness of privacy issues around the globe and inspired similar laws such as the California Consumer Privacy Act and Brazil’s General Data Protection Law.
One of the focuses of privacy lawyers a year ago was the “jurisdictional hook” of GDPR: whether a client did enough business in Europe to make it subject to jurisdiction under GDPR, or to require it to designate a representative located within the EU. This EU representative is a close cousin to an agent who receives service of process, but with one additional significant detail. According to Recital 80, “the designated representative should be subject to enforcement proceedings in the event of noncompliance by the controller or processor.”
Today, however, that jurisdictional question seems nearly moot. With the advent of CCPA, and other pending U.S. state and international laws, nearly all companies face the reality that they will need to comply with one emerging law or another in the very near future.
As such, the need for effective privacy programs is becoming ingrained in organizations around the world. The largest question facing many organizations is how to synthesize the varying requirements of this new patchwork of laws in order to effectively comply across jurisdictions. Pending legislation at the U.S. federal level could streamline compliance in the United States, but similar laws have been introduced year after year and never made it very far in our Congress.
So, what can we look for in the second year of GDPR? EU regulators will continue to “scale up” their operations with more staff, allowing for more enforcement. I expect we will see additional massive fines levied by regulators seeking to make examples of large multinational entities and, especially, tech companies. Large fines may be forthcoming as well for egregious violations by smaller organizations. Appeals of the fines levied in year one may bring some clarity regarding interpretation and enforcement of the regulation. Additional guidance from EU regulators expected this year will certainly help to clear up some issues, including applicability of GDPR to businesses with few ties to the EU and the regulation of data transfers from the EU to the United States. Meanwhile, private lawsuits asserting GDPR claims against those same tech companies are proceeding in European courts, and we can expect more private lawsuits to be filed there in year two. It remains to be seen whether private litigation will be viewed as a credible threat to businesses in the EU, or whether plaintiffs’ firms in the United States will find a way to enforce foreign laws or emerging U.S. laws through class action litigation in U.S. courts, where such claims are more common.
Regardless of what we can foresee, all U.S. companies should now be reviewing what types of data they collect, what they do with it, and how they protect it. But GDPR and CCPA indicate that simply maintaining reasonable data security will no longer be enough. Instead, organizations must determine how to square their business goals and product design with the privacy rights of individuals around the world.
—Christian Wolgemuth, a 2019 summer associate at the firm and a rising 3L at the Dickinson Law School of Penn State University, helped in the preparation of this article.
Devin Chwastyk is the chair of the privacy & data security group at McNees Wallace & Nurick. He counsels clients on policies and procedures to limit the risk of data exposure events, including the development of data security policies, privacy disclosures, breach response plans, and associated training programs.