
GDPR one year on: Mistakes still being made


  • Rebekah Tunstead
  • May 23, 2019

A year since the introduction of the EU’s General Data Protection Regulation (GDPR), errors continue to be made, and three countries have yet to implement the regulation into national law.

On May 22, figures published by the European Commission revealed that since 2018, 89,271 complaints have been lodged to data protection authorities regarding GDPR. However, the publication also stated that only 20% of Europe’s population are aware of which public authority is responsible for the regulation.

The Commission noted that since the implementation of the regulation, an increasing number of individuals are contacting their national data authorities to understand their rights regarding the regulation.

GDPR replaced the Data Protection Directive on May 25, 2018. The regulation aims to protect EU citizens’ data privacy, harmonize data laws throughout Europe, and reshape the way organizations approach data privacy. It must also be adapted into national legislation. However, while 25 EU member states have done so, Greece, Slovenia, and Portugal have yet to adopt it.

In an annual report published on February 28, the European Data Protection Supervisor (EDPS) said it would increase its supervision and assessment of measures taken by EU institutions to achieve compliance, and continue to carry out inspections focused on large-scale IT systems.

The authority also stated its intentions to create greater cooperation in data protection and privacy laws, by hosting a workshop for international organizations in mid-2019.

Data violations

Fines for breaching GDPR are separated into two tiers. The first is up to €10m, or 2% of a firm’s annual worldwide revenue for the previous year, whichever is higher. More serious incidents can result in a fine of up to €20m, or 4% of the firm’s worldwide annual revenue, again whichever is higher.

In February, research by Reynolds Porter Chamberlain revealed that the number of data breaches reported by financial services firms to the UK’s Financial Conduct Authority (FCA) rose from 25 in 2017 to 145 in 2018. The majority of data breaches reported to the FCA in 2018 came from wholesale financial market firms.

On January 21, the French data regulator CNIL penalized Google €50m “for a lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

In March, the Polish data protection regulator fined a data brokering company for failing to tell citizens that their data was being processed by the company, which the regulator said denied citizens the opportunity to object to further processing of their data.

But it’s not only industry participants that are failing to comply with the regulation. On February 21, the Lands Authority in Malta was fined €5,000 for a lack of necessary technical and organizational measures to ensure the security of data processing on the authority’s online application platform.

A survey published by GDPR.EU in May on how small businesses are faring with GDPR revealed that 44% of respondents were not “confident that they always obtain consent or determined a lawful basis before using personal data.”

In April, Giovanni Buttarelli, the European Data Protection Supervisor, spoke of the problem that dark patterns – a user interface that can trick individuals into signing up for unwanted purchases, or subscriptions – were posing for GDPR, and the need for regulators not to underestimate such practices.

Across the pond

In the US, California is the only state to date that has successfully brought in GDPR-style privacy legislation. In Washington, attempts were made in April to introduce similar legislation; however, the bill failed to make it past the committee stage.

The California Consumer Privacy Act (CCPA) comes into effect on January 1, 2020. The law will allow consumers, twice a year and free of charge, to obtain all the personal data a business has collected on them. Consumers will also have the right to refuse companies the sale of their data.

In October 2018, Tim Cook, Apple’s chief executive, told the 40th International Conference of Data Protection and Privacy Commissioners that it was time for the rest of the world, including the US, to follow Europe’s lead with GDPR.

“We at Apple are in full support of a comprehensive federal privacy law in the United States,” said Cook.

This call for action has been echoed by others in the industry. On May 20, Julie Brill, corporate vice president and deputy general counsel at Microsoft, said in a post on the company’s website that any future federal data laws should include strong enforcement terms, but should also be compatible with Europe’s GDPR.

“As I saw first-hand when I served on the Federal Trade Commission (FTC), laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today’s complex digital economy,” said Brill.

“While federal privacy legislation should reflect US legal precedent – and the cultural values and norms of American society – it should also work with GDPR,” she said. “For American businesses, interoperability between US law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing – and even conflicting – requirements for privacy protection in the countries where they do business.”

The Federal Trade Commission is the chief federal agency in charge of privacy and data security. In March, The Hill reported that the regulator had told Congress that it had only 40 full-time employees managing internet privacy and data security.

However, on the other side of the debate are those that view the EU regulation as cumbersome, expensive, and a threat to innovation.

On March 12, the Senate Judiciary Committee held a hearing on GDPR and CCPA, with a panel discussion of the two pieces of legislation looking specifically at their impact on competition, innovation, and consumer control.

Roslyn Layton, a visiting scholar at the American Enterprise Institute, listed 10 issues she had identified with GDPR, and expressed concern that if these issues were not dealt with, they could affect the CCPA.

“The high cost of GDPR compliance is an advantage for large firms which have larger budgets to pay for software upgrades and privacy professionals. Companies have stopped using competing tracking tools to Google and Facebook, giving a greater share of the market to the established players. Users are less likely to try new platforms and tools, sticking instead with the ‘devil they know’ in the incumbent players,” said Layton.

Also speaking at the committee hearing, Jane Bambauer, professor of law at the University of Arizona James E. Rogers College of Law, said that consumers were not “greatly interested in managing the particulars of their personal data. This is not because they do not care, but because they are uncertain about the upsides and downsides of their bargains in the digital economy.”

“A GDPR-style of privacy right that gives consumers and end users full control over personal information has enormous popular appeal, but despite the political demand, property-style privacy rights do not actually serve American consumer interests. They will burden the digital economy with transaction costs, and there is little reason to think that the compliance costs or behavioral changes will have a meaningful relationship to harm,” said Bambauer.