With the first anniversary of the introduction of the General Data Protection Regulation (GDPR) approaching fast, now is a great time to take a quick look at how the new regime is shaping up, its impact on different countries and what the number of breaches reported can tell us about the ICO’s approach to intervention.
What is GDPR?
First, a quick refresher course. GDPR came into effect on 25 May 2018 and applies across all 28 current EU member states – including the UK, for now. It was designed to protect people’s personal data, aiming to give them greater power over it and to make organisations more transparent in how they handle it. It specifies that organisations may store and use personal data only when they have permission to do so, or under one of the following five legal bases – contract, legal obligation, vital interests, public task and legitimate interest.
Before GDPR, an organisation that misused a person’s data would receive a slap on the wrist. Now, fines of up to €20 million, or 4% of a company’s annual turnover, whichever is larger, can be levied. GDPR also requires organisations to report the exposure of personal data to national data protection regulators, and to the affected individuals, within 72 hours of becoming aware of such a breach.
A year of GDPR data breach notifications
The European Commission’s official statistics show that 41,502 data breach notifications were made between 25 May 2018 and Data Protection Day on 28 January 2019. Analysis undertaken by DLA Piper revealed these figures to be somewhat conservative, presumably because they only cover 21 of the 28 EU member states and fail to include Norway, Iceland and Liechtenstein, which are not members of the EU, but are part of the European Economic Area (EEA) and are therefore subject to the same regulations.
DLA Piper’s useful and timely data survey reveals that 59,430 data breaches were actually found to have taken place across Europe within the same time period. The Netherlands, Germany and the UK reported the most, with approximately 15,400, 12,600 and 10,600 breaches respectively. The countries with the lowest number of data breaches were Liechtenstein, Iceland and Cyprus, with only 15, 25 and 35 respectively. The Netherlands also leads as the country with the most breaches per capita, followed by Ireland and Denmark, with the UK ranking at tenth.
Stephen Eckersley, head of enforcement at the UK Information Commissioner’s Office, said the UK had seen a ‘massive increase’ in reports of data breaches following GDPR’s implementation. Eckersley estimated that around 36,000 breaches will have been reported by the end of 2019, a significant increase on the previous annual reporting rate of between 18,000 and 20,000 breaches.
However, despite the high number of data breaches reported, only 91 fines have so far been levied. The highest to date is a £44 million fine imposed against Google, relating to the processing of personal data for advertising purposes.
What do the numbers add up to?
While there are no overall historical figures to draw comparisons with, the survey’s results suggest two main outcomes from the introduction of GDPR:
- Eight months into its existence, the regulations seem to be having a positive impact on how companies approach data protection, breach detection and transparency with regulators and customers.
- While these numbers make it clear that the policy is a success as a breach notification law, the relative lack of fines imposed compared to the breaches reported would seem to indicate that GDPR has been largely a let-down when it comes to punishing those who fail to adequately protect their customers’ data.
It would appear that the small number of fines issued is a result of regulators in various countries being over-burdened. Facing a logjam of notified breaches that represent considerably more work than they were previously used to, regulators have, unsurprisingly, prioritised the bigger, more controversial and, therefore, attention-grabbing breaches – like the Google fine by the French regulator Commission Nationale de l’informatique et des Libertés. Hence many organisations are still waiting to hear from regulators about their breaches.
Whether GDPR proves to be successful will come down largely to regulators’ appetite for enforcing fines. Regulators may be struggling to keep up with the number of data breaches reported, but this runs the risk of straining their credibility and therefore limiting their ability to act decisively, especially if they continue to lag behind in handling reported breaches. However, we anticipate that, as regulators get a handle on the logjam that has built up, we’ll start to see more fines for tens and, potentially, hundreds of millions of euros over the next year.
Differences per capita
Something else that this survey highlights is the remarkable difference in the number of data breaches per capita between countries in Northern Europe and countries in Southern Europe. For example, there were 89 breaches for every 100,000 people in the Netherlands but only 0.9 in Italy and 0.6 in Greece - very few, relative to their large populations. One explanation is cultural: different countries will have different attitudes towards notifying regulators. There may also be a reluctance around self-reporting, a lack of trust in regulatory authorities, or a perception that the breaches aren’t that much of a big deal.
Or it could suggest that many misconceptions may still exist around GDPR, and compliance with it, in some countries. It may be that some firms are struggling to understand or implement the rules around consent, data subject rights - including the right to be forgotten - or the role of cloud providers. It could be that more education about a document that has been described as “complex and confusing” might help.
Creases still being ironed out
With the one-year anniversary upon us, it makes sense to take stock of what’s working and what, perhaps, isn’t working as well.
The data breach notification part of the regulations certainly seems to have had a significant impact, while the fining authority has proved of less value in GDPR’s first year of implementation. However, it is anticipated that fining authorities will adjust to correct this problem, and it is to be hoped that they do so soon.
Other issues will also start to be resolved as the regulations bed in. For example, in Germany, it’s likely that regulators and courts will apply EU competition law principles to calculate GDPR fines. Some have argued that this would violate the European Charter of Fundamental Rights’ principle of proportionality of criminal offences and penalties, and that local German procedural rules should therefore be applied to calculate GDPR fines instead, which would result in much lower penalties. We anticipate that regulators will test the limits of their powers on this point through test court cases.
Ultimately, though, and despite the lack of fines, GDPR broadly seems to be working. Companies do seem to be taking their responsibilities seriously and re-evaluating how they use and store consumer data. Given the complexity of the regulation, there are bound to be inconsistencies in its application, particularly in the early days. Hopefully the next year will see a lot of these resolved.
If you have any questions about GDPR and how it affects your business, please contact our Commercial and IT Team.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.