One year of GDPR in review – fines, global momentum & technology
May 29, 2019
When the European Union’s General Data Protection Regulation (GDPR) entered into force on May 25th 2018, advocates of the new law promised a fundamental change in data protection. Here’s a quick look at where we stand one year later.
Fines in a nutshell
The European Data Protection Board reported that regulators brought more than 200,000 cases in 31 EEA countries and issued nearly 56 million euros in fines in the first nine months. That includes a 50 million euro fine levied against Google.
However, what is striking is the diversity of enforcement actions. In Poland, for instance, regulators fined a company that scraped data (mostly mailing and email addresses) from public sources because the company only provided notice passively in a statement on its website. In Austria, regulators fined a local business for performing excessive surveillance when its security cameras recorded people walking on the sidewalk outside the business.
These initial actions show that GDPR carries many obligations beyond data breach notification and that regulators are holding companies accountable. Companies can also expect data protection authorities to be stricter with their sanctions in the future.
Global data privacy momentum
Regulators intended the GDPR’s reach to extend far beyond the EU’s borders. The GDPR has encouraged many nations to introduce comprehensive data privacy rules. Brazil, India, Japan, Thailand, the U.S. and others have adopted laws with protections similar to those in the GDPR. In the U.S., the California Consumer Privacy Act (CCPA) mimics the GDPR in many ways.
A consequence of this regulatory trend is the drive toward greater data localization – the practice of keeping personal data stored on devices or servers that are physically present in the territory where the data is generated. While this ensures greater control over privacy, it can also present challenges for cloud solutions and data sharing practices intended to create greater flexibility and efficiencies. Therefore, companies may incur substantial costs in order to bring their data use practices into compliance.
Implications for technology
The GDPR is bound to face challenges related to evolving technology. The growth and development of 5G networks, the IoT and artificial intelligence all depend on greater connectivity and increased data sharing.
Although AI might also help companies comply with privacy regulation by tracking the use and transfer of personal data, businesses should expect the EU to take an active approach to AI’s consumption and processing of personal data, especially when that processing distinguishes individuals based on race, gender, political beliefs or any other sensitive category.
The creation of the GDPR marks a major shift for data privacy, signaling the start of more aggressive enforcement in an era of rapidly developing technology. Thousands of GDPR actions are still pending, and businesses should expect regulators to continue to punish noncompliance.