The European General Data Protection Regulation (GDPR) came into force on 25 May 2018. In this article, we look back at its impact and the trends relating to its interpretation and enforcement over the last twelve months.

1. INCREASED PERSONAL DATA BREACH NOTIFICATIONS

The EU data protection supervisory authorities (DPAs) have seen a huge increase in the number of personal data breaches being reported to comply with the "without undue delay" / 72-hour breach notification deadline under GDPR, with over 89,000 personal data breaches notified to DPAs in just under the first twelve months.1 The broadened definition of personal data (and therefore of the types of incidents involving data that constitute a personal data breach) and the introduction of standardised notification requirements, with penalties for failure to comply, have substantially increased the number of reported incidents. Only 63% of cases investigated by DPAs have been closed.2

2. INCREASED REQUESTS TO EXERCISE RIGHTS BY DATA SUBJECTS

GDPR has granted data subjects greater rights relating to their personal data, including the right to data portability, and further promoted existing rights of erasure and access. Significant publicity about this in advance of the implementation of the GDPR has naturally led to an increase in awareness by data subjects of their rights and a substantial increase in the number of requests being received to exercise those rights.3

3. COMPLAINTS

Over 144,000 queries and complaints are reported to have been made to DPAs by individuals who believe their rights under GDPR have been violated. The majority of these complaints have concerned activities including telemarketing, promotional emails, and video surveillance/CCTV.4 Lack of transparency and information provided by controllers about the processing activities they conduct and insufficient consent being sought to conduct processing activities have been a regular subject of complaints.

4. ENFORCEMENT

For the first few months after GDPR came into force, DPAs conducted exploratory investigations, offered recommendations and gave companies time to improve their compliance with GDPR. After this initial phase, DPAs increased their investigations and enforcement efforts.5

  • Investigations – In just under the first twelve months, DPAs initiated 446 cross-border investigations, following individuals' complaints and on their own initiative.6
  • Orders requiring the temporary or indefinite suspension of processing – DPAs have ordered the suspension of processing by certain organisations as a means of enforcement. For example:
    • The UK DPA ordered a Canadian-based political consultancy and technology company to erase all personal data it held belonging to individuals in the UK, identified by reference to the domain names used in those individuals' email addresses.7
    • The Dutch DPA sanctioned the country's tax authorities for using the national identification number as part of the VAT return number for self-employed individuals. The DPA stated that the use of the national identification number had no legal basis and increased the risk of identity fraud. As of 1 January 2020, the processing of the national identification number for VAT purposes is prohibited.8
    • Malta's DPA imposed a temporary suspension of processing on the country's national land register while it investigated how the national land register has been responding to a personal data breach.9
  • Fines
    • One of the key features of GDPR is that DPAs are able to impose significant fines for failures to comply with European data protection law. These fines can reach up to 4 percent of an organisation's annual global turnover in the preceding financial year per infringement. So far, whilst fines have been issued by DPAs under the GDPR, substantial fines have been rare. In the first nine months of the GDPR coming into force, the total fines issued by DPAs totalled just over €55 million.10
    • Fines included:
      • The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg, a German DPA, fining a social media/chat platform €20,000 for its data storage practices, after it discovered that over 800,000 user passwords and email addresses had been compromised because they were stored in an accessible format.11 The platform's swift response to and remediation of the incident following its discovery is thought to be the reason for the low level of the fine.
      • The Portuguese DPA fining a hospital €400,000 after determining that patient records could be accessed, through accounts held in the names of doctors not practising at the hospital, by IT users not entitled to see them.12
      • The Polish DPA fining a digital marketing company €220,000 for aggregating personal data concerning over six million individuals from publicly available registers without providing those data subjects with the information that the GDPR requires to be given when personal data is collected from sources other than the data subject. The Polish DPA also ordered the company to send the required information to the six million individuals within three months (an exercise which the company estimated may cost in excess of €8 million if the notices are sent by post).13


Footnotes

1. https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en

2. https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en

3. http://www.pulsetoday.co.uk/partners-/practice-business/bma-subject-access-requests-to-gps-increased-by-more-than-a-third-since-gdpr/20037951.article

4. https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en; https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf

5. https://gdpr.report/news/2019/04/30/gdpr-one-year-on-what-have-we-learned/

6. https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en

7. https://ico.org.uk/action-weve-taken/enforcement/aggregate-iq-data-services-ltd/

8. https://gdpr.report/news/2019/04/30/gdpr-one-year-on-what-have-we-learned/

9. https://gdpr.report/news/2019/04/30/gdpr-one-year-on-what-have-we-learned/

10. http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

11. https://www.welivesecurity.com/2018/11/27/german-chat-site-faces-fine-gdpr/

12. https://iapp.org/news/a/first-gdpr-fine-in-portugal-issued-against-hospital-for-three-violations/

13. https://iapp.org/news/a/polands-dpa-issues-first-gdpr-fine/

Originally published May 24, 2019

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2019. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.