The GDPR turned one: what have we learnt and what is ahead? (Part I)

The GDPR celebrated its first anniversary on 25 May 2019 - a good time to take stock. In this article, we look at how the GDPR has been enforced so far, what the regulators' future direction of travel might be, and the key areas organisations will need to focus on in the coming months.

EU enforcement trends

The local data protection authorities (DPAs) are facing a heavy caseload. As at 22 May 2019, there had been over 280,000 cases requiring investigation across 27 EEA states, based on a report issued by the European Data Protection Board ('EDPB'). The largest proportion of these cases consisted of complaints about organisations' data protection practices (at the time of writing, over 144,000 queries and complaints had been reported). The most common types of complaints concerned data processing activities related to telemarketing, promotional emails, and video surveillance / CCTV (as reported by the EU Commission). Complaints were mainly related to the right to access data, the right to prevent processing, and disclosures and unauthorized processing. Data breach notifications also make up a significant proportion of the DPAs' work: over 89,000 breach notifications were reported by the EDPB as of 22 May 2019. In general, DPAs are reporting an increase in the number of breach notifications they are receiving (there has been an almost 40% increase in the number of breach notifications over the past three months, from February to May 2019).

In terms of fines issued so far, DPAs from 11 EEA countries had imposed GDPR fines as of the end of February 2019, when the EDPB issued an interim report on the GDPR's implementation. A number of further fines (for example in Italy, Poland and Lithuania) have been issued since then. Perhaps surprisingly, most of the fines issued so far have been in the thousands rather than the millions, with the notable exception of a fine of EUR 50 million issued by the French DPA (the CNIL) in January 2019. Other DPAs, such as the ICO and the Irish Data Protection Commission (IDPC), have recently hinted that GDPR fines may be on the horizon in those jurisdictions as well; the ICO recently stated (at a conference in Washington in May 2019) that it has "a couple of very large cases…in the pipeline", while the IDPC mentioned at the same conference that it anticipates bringing "first-draft decisions" to the European Data Protection Board this summer.

Interestingly, the primary area of focus for most regulators appears to be breaches of the core data protection principles, such as the GDPR requirements for fairness, lawfulness and transparency of data processing. For example, the EUR 50 million fine issued in France was principally concerned with breaches of the notice and consent requirements (these being related to transparency and lawfulness of data processing). Similarly, a fine recently imposed by the Danish DPA (March 2019) on a taxi company was for breaches of the purpose limitation, storage limitation and data minimisation principles (albeit a significantly smaller fine than the CNIL's, at around US$180,000). While we are yet to see a major GDPR fine in the UK, the ICO also appears to be placing considerable focus on the data protection principles and in particular the GDPR's accountability requirements, observing in a recent public statement that "accountability encapsulates everything the GDPR is about" and that the relative lack of attention organisations have given to accountability so far is a "problem". The message from the DPAs seems to be that compliance now needs to be much more than a box-ticking exercise of having all the right policies in place; it will also be critical to ensure that compliance is embedded at a deeper level, by ensuring data protection becomes part of the culture of the organisation.

Enforcement trends in the UK

The majority of recent enforcement actions taken by the ICO in the first months of GDPR related to breaches of the previous law (the Data Protection Act 1998) rather than the GDPR. The GDPR enforcement actions we have seen in the UK so far have been scattered and the ICO generally appears to be opting to issue enforcement notices as its initial course of action, rather than immediately resorting to fines.

However, given the recent public statements made by the ICO, it seems quite likely that we will start to see more GDPR enforcement actions in the UK in the coming months. In addition, the ICO seems to be enforcing increasingly vigorously: even before the GDPR came into effect, a general trend was emerging of fines increasing in both number and amount, with the ICO twice issuing the maximum monetary penalty possible under the Data Protection Act 1998. Clearly, if this trend continues in relation to GDPR enforcement actions, the implications could be significant.

In addition, organisations should be aware that the ICO is also actively enforcing for non-payment of the data protection fee (which most controllers are required to pay under the Data Protection (Charges and Information) Regulations 2018) and has fined a number of organisations for this in recent months. To date, penalties for non-payment of the data protection fee have ranged from £400 - £4,000 (and the ICO will normally also publish the name of the offending organisation). To put this in context, the fee itself is between £40 and £2,900, depending on the size of the organisation; organisations that have not yet paid the fee are therefore strongly advised to do so.

In line with the trend seen at the EU level, the ICO appears to be giving particular focus to infringements of the GDPR's data protection principles, such as the requirement to process data fairly, lawfully and transparently. In particular, the ICO has identified tackling "unfair, invisible processing" as an enforcement priority, and is taking a particular interest in this issue in the context of ad-tech and online tracking. Other priority areas identified by the ICO are processing by data brokers and the processing of children's data.

Adaptation of national laws in the EU Member States

Despite being directly applicable in all EU countries, the GDPR has required each country to adopt national legislation implementing certain provisions of the GDPR (including variations and derogations from certain obligations and rights). As of 22 May 2019, 25 EU States have adopted such legislation, while 3 EU States (Greece, Slovenia and Portugal) are still in the process of doing so. We invite you to access Baker McKenzie's GDPR National Legislation Survey (last updated in January 2019) for detailed insights on the progress and content of local data protection laws as of that date.

To read Part II of this article, please click here.

Contributors: Maura Migliore and Joanna de Fonseka