First Year of GDPR Sees More Privacy Complaints, Compliance Inquiries
An uptick in privacy complaints and the first investigations and fines mark the end of the first year of the EU general data protection regulation. GDPR became effective May 25, 2018. Data protection authorities (DPAs) told us they're seeing increased citizen awareness of the law as well as more inquiries from companies about compliance. While compliance appears to be on the rise, businesses continue to struggle with the rules, with some in America's tech sector calling for a complete review of the GDPR and urging the U.S. not to copy it.
The GDPR's "game-changing rules have not only made Europe fit for the digital age, they have also become a global reference point," said European Commission Vice President for the Digital Single Market Andrus Ansip and Justice, Consumers and Gender Equality Commissioner Vera Jourova in a Wednesday statement. Because "compliance is a dynamic process" that doesn't happen overnight, the EC's top priority is to ensure the rules are properly implemented in EU countries, they said.
DPAs have seen increased privacy complaints and data breach notifications. French DPA CNIL (Commission nationale de l'informatique et des libertes) called 2018 "an exceptional year" during which it received "a considerable increase in complaints" and became a "go-to player" as businesses increasingly turned to it for compliance help. CNIL received a record 11,077 complaints, up over 32 percent compared with 2017, which related mainly to dissemination of data online. CNIL carried out 310 investigations and issued 10 fines. Emerging trends include using the right to data portability; greater user awareness of security of their data; and increased concern by individuals about data access by mobile applications on their smartphones, it said.
The Irish Data Protection Commission had logged nearly 3,850 complaints under the GDPR as of March 22, it reported. By comparison, the DPC received, on average, around 220 complaints monthly in 2017, a spokesperson said. In March, the agency had 48 inquiries open; 33 non-cross-border inquiries (31 into CCTV); and 16 inquiries into multinational technology companies. Wednesday the DPC announced it's investigating whether Google Ireland Limited's processing of personal data in its Ad Exchange complies with the GDPR. The company said it will "engage fully" with the probe and welcomes "the opportunity for further clarification of Europe's data protection rules for real-time bidding."
Three cases are in progress in Germany but haven't advanced to where fines have been issued, emailed a Federal Commissioner for Data Protection and Freedom of Information spokesperson. The biggest areas of noncompliance are companies' handling of customer data and data retention periods, he said. In March, the Dutch Data Protection Authority established a fining structure for GDPR violations, Hogan Lovells blogged then.
IAB Europe began looking for solutions to GDPR challenges before the law took effect, and started to develop a framework to help all parties in the digital advertising chain comply with the transparency and consent requirements, emailed Marketing & Business Strategy Director Helen Mussard. The organization, which represents members of the media, publishing and advertising industry, worried that without an industry standard, compliance would be expensive due to fragmented, non-interoperable solutions or become practically impossible for lack of cross-industry coordination. The framework gives media and advertising industries a way to provide transparency and a common language with which to communicate consumer choices for processing personal data, Mussard said. There are around 500 registered vendors and consent management providers.
The tech industry has striven for GDPR compliance over the past three years, said Computer & Communications Industry Association Senior Public Policy Manager Alexandre Roure in an interview. CCIA members have undertaken "considerable efforts" to address the concerns and better empower consumers by developing new privacy controls and practices. Going forward, it's important that coherent enforcement continue across Europe: "Risks of enforcement fragmentation would reduce the GDPR to a minor upgrade of privacy rules from the mid-1990s."
The GDPR has sparked a global movement that has seen governments adopting and considering new privacy laws based on the measure, blogged Julie Brill, Microsoft deputy general counsel. Microsoft "was the first company to provide the data control rights at the heart of GDPR" to customers globally, and one year later, the ever-growing number of people using its privacy dashboard is a "clear sign that people want to be empowered to control their data." The highest level of engagement, per capita and in absolute numbers, continues to come from the U.S., she noted. Brill urged Congress "to take inspiration from the rest of the world" and extend GDPR privacy protections to Americans.
While GDPR "has been seen as projecting European leadership on privacy globally, concerns about restricting innovation remain high," partly because of potentially conflicting rules in the proposed ePrivacy regulation, said the European Telecommunications Network Operators' Association. Compliance has required "a huge effort" by organizations from a legal and managerial standpoint, but "telecom operators are looking at largely good results of this work." The GDPR has set a new standard, but "there is still a long journey ahead of us," blogged American Chamber of Commerce to the EU Chairman Maxime Bureau. The measure must be applied uniformly across Europe, and any new privacy regulation must be consistent with it.
The Information Technology and Innovation Foundation criticized the law, saying recent enforcement decisions in France and Germany revealed complexities and contradictions that "underscore why the GDPR is fundamentally not a viable model for regulating the digital economy." One key problem with the GDPR is its negative impact on artificial intelligence innovations, ITIF emailed Tuesday. It urged the U.S. not to take its cues from Europe as it develops its own data protection law.