It’s been nearly a year since the European Union’s General Data Protection Regulation (GDPR) became enforceable. In that span of time, news outlets have reported various stories largely concerning the regulation and its penalties scheme. In January 2019, for instance, the world learned that France’s data protection regulator CNIL had fined Google 50 million euros for "lack of transparency, inadequate information and lack of valid consent regarding ads personalization,” as reported by BBC News. Several months later, officials in the UK and Ireland told The Wall Street Journal that they expected to announce large fines for other organizations beginning in the summer of 2019. Notwithstanding this coverage, the significance of GDPR’s one-year anniversary extends beyond regulatory fines and penalties. The European Data Protection Board (EDPB) confirmed as much in its first overview report of the regulation. This publication sheds light on how the national supervisory authorities (SAs) of EEA (the European Union 28, Iceland, Norway and Liechtenstein) have worked together to consistently enforce the GDPR within its first year. Let’s take a moment now to examine the main findings of this report.
Implementation at the National Level
The EDPB report found that the SAs of EEA reported a total of 206,326 cases within the first year of GDPR’s implementation. All of these cases pertained to one of three subject matters. Close to half (94,622) dealt with complaints, while 64,684 of those reports concerned data breach notifications. The remaining cases focused on “other” issues. Within that time period, authorities closed just over half (52 percent) of those cases. GDPR stipulates that SAs have different types of corrective powers which they can use with an offending data processor or controller. These rights include issuing warnings, handing down reprimands, ordering that the entity bring its operations into compliance with the regulation and imposing fines if it doesn’t. Since 25 May 2018, the 31 SAs have taken advantage of that last regulatory measure by collectively imposing a total of 55,955,871 euros in administrative fines.
Increasing Means and Powers of SAs
Over the past year, SAs enhanced their level of engagement to meet their expanding enforcement powers. This level of increased activity was evident in the growth of many of these authorities’ budget and staff needs. Twenty-six SAs witnessed an increase in budget between 2018 and 2019, for example. Looking ahead to the future, 17 SAs asked for budget increases. Most of these sought a growth in budget of 30-50 percent, but some asked for as much as 100 percent. Almost none of the SAs received their requested amounts, however.
Cross-Border and Mutual Assistance Cases Abound
EDPB’s first overview makes it clear that SAs are working together to enforce GDPR. This collaboration has taken on various forms since 25 May 2018. One shining example of such cooperation was the fact that 30 SAs registered 281 cases with a cross-border component in the first year of the regulation’s enforcement. These types of cases oftentimes necessitate that SAs work together either via mutual assistance, joint operations or collaboration under a special “One-Stop-Shop” mechanism. While there were no joint operations and just a few dozen instances in which the One-Stop-Shop mechanism took effect, there were plenty of instances of mutual assistance in GDPR’s first year. Indeed, SAs from 18 different countries filed 444 mutual assistance requests (formal and informal) in that time period. The receiving SA sent their answer within 23 in 353 of those filed mutual assistance requests.
Room for Improvement
In its report, EDPB openly recognizes that there’s still work to be done with regards to enforcing GDPR. Reflecting on the regulation’s cooperation mechanism, the entity feels that it can do more to streamline the IMI system’s efficiency. It’s specifically considering allocating more resources to authorities and possibly hiring more staff people who can speak English. External analysts feel that there’s room for improving GDPR in other ways, as well. Dov Goldman, director of risk and compliance at Panorays, feels that a crucial element of the regulation still has yet to be addressed. As quoted by Dark Reading:
Besides the complaints filed against the obvious suspects like Google, Facebook, and Instagram, we've definitely seen a number of changes to how companies ensure data privacy. That being said, these enhancements have primarily been limited surface treatments and much less of the extensive 'privacy by design' envisioned by the regulators.
At this time, it’s unclear what this new phase might look like or when it will take effect. But these unknowns don’t make this stage any less consequential. On the contrary, moving into the “privacy by design” phase is essential to realizing how data security is about much more than just protecting “users.” Its purpose is to respect individuals by safeguarding those private elements which each and every person uniquely doesn’t want exposed. Recognizing the importance of privacy by design, all we can do is wait and see what happens next in GDPR’s evolving mandate.
