The GDPR just had its first birthday. Before the GDPR became effective, organisations were anxious because the Regulation provides for heavy penalties. But was their anxiety justified? And as a first step, how have EU member states themselves implemented the GDPR? This article will provide short answers to these questions.
Local implementation efforts
Although the GDPR intended to unify data protection law within the EU, it permits EU member states to implement stricter local rules in some cases, based on the so-called 'opening clauses'. These allow local rules to be implemented on important issues, such as the requirements for the designation of a data protection officer, the age of consent of children, data protection in the context of employment, and data breach notification obligations.
EU member states have generally made good use of this option. Germany was the first member state to pass an act to implement the GDPR (and is currently working on an amendment), but the other EU member states quickly followed suit.
Local implementation highlights
Some EU member states have introduced local provisions that are worth noting, particularly for organisations doing business in these jurisdictions. Some examples are:
- In Germany, organisations that continually employ at least 10 people to deal with the automated processing of personal data must appoint a data protection officer.
- France has some preliminary notification obligations, especially with regard to the processing of biometric or genetic data, for example.
- Dutch law retains regulations from the previous Dutch data protection law with regard to the processing of sensitive data, for example in an employment context.
- Hungary and Spain introduced provisions with regard to the personal data of deceased individuals.
- Spanish law includes specific provisions for data processing in relation to, for example, video surveillance, whistleblowing and the financial solvency of individuals.
- The laws of Austria, the Czech Republic and Ireland provide for an easing of the fine system for public bodies.
You can find an overview of all implementation laws and their specialties here: https://www.reedsmith.com/-/media/files/perspectives/2018/gdpr_factsheet_may2018.pdf?la=en.
How are enforcement activities coming along?
Ahead of the implementation of the GDPR, organisations were in a rush to achieve compliance for fear of the high potential fines of up to €20 million, or 4 per cent of worldwide annual turnover. In reality, the EU data protection authorities first had to prepare themselves for the GDPR and staff up for advisory and enforcement activities. Consequently, the expected flurry of fines – and particularly of severe fines – has so far not occurred.
With regard to available information, it has to be noted that EU member states take very different approaches when it comes to reporting on their enforcement actions. Some countries are very detailed and disclose detailed information -not only infringement and fine amount, but also name of parties) (for example, Italy with regard to the party Movimento 5 Stelle or Lithuania with regard to the payment service provider UAB MisterTango). Other countries, like Austria, Bulgaria and the UK, only publish anonymous reports. Other countries, such as Germany, do not publish anything unless explicitly asked to do so.
Based on publicly available information, by the one-year anniversary of GDPR on 25 May 2019, only 11 EU member states had imposed fines on any organisations at all. In total, these fines amount to around €56 million. Almost all of this sum (Art. 50 GDPR) is made up of a fine by the French data protection authority, CNIL, against Google for non-compliance with the GDPR's transparency requirements.
What to expect next?
Rumour has it that the grace period is over and data protection authorities are gearing up for further enforcement activities. The following news from different countries seems to confirm this:
- The Irish Data Protection Commissioner, Helen Dixon, recently said that firms based in Ireland are "lawyering up" and behaving in a "more combative" manner as they are expecting upcoming fines.
- The Dutch data protection authority has published its guideline on fines setting out its fining standards (only available in Dutch here).
- The UK ICO announced at a conference in early May 2019 that several "very large cases" were just weeks away from becoming public and will include significant fines.
In conclusion, organisations are well-advised to comply with GDPR obligations and to stay in the loop with regard to guidance published by the data protection authorities, as fines are coming.