GDPR Reaches the ‘Terrible Twos’

By Orla M. O’Hannaidh and Taylor Ey

We cannot believe that the European Union’s General Data Protection Regulation (GDPR) just turned one.  And we know we are not alone — many of you have advised your clients on the GDPR, sat through a CLE on the GDPR or, at a minimum, googled “the GDPR” in the days and months leading up to its enforcement date of May 25, 2018.  After all, according to the European Commission, in May 2018 the GDPR was googled more times than Beyoncé and Kim Kardashian. [1]

The GDPR first drew attention due to the risk of steep fines (up to 4% of global revenue) and its broad application to organizations based inside and outside of the EU and EEA.  Responding to the new regime, many compliance-minded US companies (including North Carolina companies) have implemented GDPR compliance programs.  Broadly speaking, the GDPR has required covered organizations to prepare and maintain thorough data inventories, create and/or update privacy notices, prepare and implement response plans for data subject requests, and build privacy and security assessments into everyday business processes, products and services. “Privacy-by-Design” became a “thing”.

To quote Joseph Heller from “Catch-22”: “Just because you’re paranoid doesn’t mean they aren’t after you.” Looking back over this past year, the fear of large fines and enforcement actions was not misplaced.  In January 2019, the French regulator, CNIL, fined Google €50 million for violating the GDPR.  EU regulators brought a number of other enforcement actions with more modest fines, such as the German regulator’s €20,000 fine following a data breach of a company that stored passwords in plain text, the Austrian regulator’s €4,800 fine of a small business that collected too much CCTV footage, and the Portuguese regulator’s €400,000 fine of a hospital that failed to limit employee access to patient records.

Many organizations saw data subject requests, such as the right to access personal data or to delete personal data, for the first time or in greater numbers.  According to EU regulators, thousands of individuals have filed complaints, most related to telemarketing, promotional emails and CCTV. Organizations have overwhelmed regulators with the number of data breaches reported. (Prior to the GDPR, the EU did not require data breach reporting, but now entities must notify regulators within 72 hours of discovery.)  According to the European Data Protection Board (EDPB), 89,271 data breach notifications have been filed with the European Data Protection Authorities as of May 22, 2019. [2]

Some regulators expended a great deal of time and resources investigating complaints and data breaches, and they have announced that large fines are imminent.  But, as Josephine Wolff recently noted writing in Slate, “[d]uring the first nine months that the GDPR was in effect, the total penalties imposed under the statute added up to 55,955,871 euros, according to a report published in late February by the European Data Protection Board.  That sounds impressive until you remember . . . that a single 50 million euro fine levied against Google in January accounts for nearly 90 percent of that sum.”

We do not have all the answers on the GDPR yet.  It is still a “young” law.  Going forward, we expect evolving interpretation of the law from new enforcement actions and regulatory guidance. Specifically, we have heard from the EDPB that it expects large fines to be levied soon (as EU regulators conclude investigations into complaints received), and it indicates that the EU-US Privacy Shield Framework is up for its third annual review in Fall 2019.  The privacy community continues to ask EU regulators for additional guidance on the law. The EDPB has indicated it will next focus on guidelines for accreditation requirements, sector-based codes of conduct, and the concepts of controller versus processor.

We sum up the short recap of the past year on a positive note: many organizations have made huge strides in advancing their privacy programs due to the GDPR, which will serve them well, not just for GDPR, but also for the wave of omnibus privacy legislation it has generated right here at home. No fewer than ten states are considering omnibus privacy legislation with similar attributes to the GDPR.  In 2020, the GDPR’s much-discussed “American Cousin,” the California Consumer Privacy Act (CCPA), will take effect and so will Brazil’s General Data Protection Legislation (LGPD).

As we prepare for the continued development of GDPR enforcement and the enactment of new privacy laws, organizations that have already developed GDPR compliance programs will find themselves ahead of the game.  While there are differences between the laws, we expect that these forward-looking organizations will be able to leverage their existing GDPR frameworks and processes for these new regulations.  And for those organizations that have not started: like parents with a toddler who has just learned to walk, childproof the house if you want to have nice things.