The GDPR: A two year perspective
The adoption of the General Data Protection Regulation (GDPR) in 2016 led to the biggest shake-up in data protection for the last 20 years. It was a lengthy process that started with the launch of the first official draft by the European Commission in January 2012 and ended with the final adoption in April 2016. It also led to massive advocacy efforts, with thousands of amendments tabled at the EU Parliament alone.
The outcome is a heavy piece of legislation (80 pages, 99 articles and 173 recitals), supplemented by guidelines and recommendations at EU and national levels and a growing number of decisions from the regulators.
With the second anniversary of its application in May, now is an excellent time to take stock of its impact. For that purpose, the authors have surveyed seven major markets in Europe, and the findings are summarised in this article.
National laws and a lack of complete harmonisation
When the EU Commission launched its draft in 2012 to reform the data protection landscape, the GDPR was heralded as an instrument that would better protect fundamental rights to data protection and create a uniform legal framework at EU level.
That harmonisation of data protection across the EU has been largely successful. The GDPR is, after all, a regulation (rather than a directive) that applies most of its rules directly in each EU member state. It is supported by a one-stop-shop mechanism so that EU businesses should only deal with one supervisory authority.
The harmonisation is not complete, however, and in some areas divergence across states continues. For example, financial services businesses looking to roll out standardised employee monitoring solutions across the EU are likely to find the differing sets of rules on processing employee personal data tricky to navigate. An EU-wide approach to conducting criminal records checks on employees is also difficult to achieve, with some countries significantly limiting the scope of checks that can be carried out lawfully.
This divergence is apparent from how states have chosen to structure their national data protection laws. Some, like the UK, have gone to the extreme of including in their law an exhaustive list of grounds to cover the processing of special category and criminal offence data, while others, like Poland, have comprehensively amended existing sets of national laws to provide for this type of processing.
While the direct application of the GDPR and the one-stop-shop mechanism have resulted in more harmonisation, the GDPR itself does not give the entire picture and companies must continue to consult national legislation to organise their approach to compliance.
Trends on breach reporting, complaints and fines
Analysis carried out by the authors shows a significant increase in data breach notifications submitted to the regulators across six of the European countries surveyed — Belgium, France, Germany (Free State of Bavaria), Italy, Poland and Spain, with an average increase of 66% compared with the first year of the GDPR's application.
The UK has bucked the trend, however, reporting a decrease: the number of data breach notifications has dropped by 17%, whereas numbers almost doubled in France, with a 97% increase, and there has been a similar increase in Spain and Italy. The increases can be explained by the fact that companies are more aware of their obligations and many of them were still undergoing their compliance programmes during the first year of application of the GDPR.
Following that trend, Poland also reported a relatively high number of notifications with 6,039 data breach notifications in 2019. This is likely to be due to the relatively low threshold set by the local data protection authority.
In the UK, the decrease in data breach notifications might be explained by the fact that organisations were over-reporting data breaches following the initial implementation of the GDPR, something that the Information Commissioner's Office has highlighted as an issue on several occasions. The UK also had particularly high breach notifications compared with other countries in the first year of application of the GDPR.
Across the seven countries considered, the majority of breaches relate to breaches of confidentiality or access by unauthorised third parties. The main sources of breaches remain external malicious acts (e.g., hacking) but internal human errors are also non-negligible (e.g., sending e-mails to the wrong recipients).
Except for Spain, where the number of complaints has dropped by approximately 11% in 2019 compared with 2018, in all other countries covered, the number of complaints submitted to European data protection authorities has increased. The largest growth is observed in Bavaria, Germany, where the number of complaints has risen by some 51% year-on-year, followed by France with an increase of approximately 28%. According to surveys conducted by data protection organisations, the explanation may be the broadened awareness of data subjects.
Most European data protection authorities are struggling with limited staff resources, which is impeding the processing of the complaints they receive. To address this, they are implementing organisational changes, employing additional staff or reorganising the internal structure and setting up a separate division to deal solely with data subjects' complaints, as is the case in Poland.
The authors' analysis also shows that data protection authorities in major European countries made use of their corrective powers and imposed sometimes significant fines during the second year of application of the GDPR.
Italy, Germany and Spain top the rankings, issuing fines in aggregate of approximately 40 million euros, 25 million euros and 6.3 million euros respectively. In addition, the UK's data protection regulator has proposed two record-breaking fines amounting together to £282 million (approximately 312 million euros). They are not yet final.
In France, CNIL imposed six fines amounting to a total of 1.3 million euros in the last year, an amount considerably lower than the 50 million euros fine it imposed on Google back in 2018. Poland and Belgium followed with only 700,000 euros and 189,000 euros, respectively.
New developments in case law
Looking at the relevant case law in the last year, a development that may have considerable impact on businesses' ability to lawfully transfer personal data to third countries is the proceedings before the Court of Justice of the European Union (CJEU) in the Schrems II case (the Irish Data Protection Commissioner against Facebook Ireland and Max Schrems). This case could lead to the (partial) invalidation of the EU Commission's standard contractual clauses (SCC) or even the EU-U.S. Privacy Shield Framework.
Although the Advocate General's opinion on that case found the EU Commission's decision adopting standard contractual clauses (SCCs) not to be invalid and further recommended that the CJEU not rule on the validity of the Privacy Shield, the CJEU is not bound by this opinion and could rule differently in its judgment announced for July 16, 2020. As a worst-case scenario, the CJEU could decide to invalidate both the SCCs and the Privacy Shield Framework, leaving businesses in total uncertainty about how cross-border transfers could still lawfully take place.
Against this background, businesses should check whether they are sufficiently prepared should this worst-case scenario — or more moderate versions of it — materialise. The Binding Corporate Rules (BCR) remain arguably the safest available safeguard.
The COVID-19 response
The GDPR's ability to respond to crises has been severely tested by the recent spread of the coronavirus pandemic. Governments, public authorities and private companies throughout Europe have adopted measures to fight COVID-19 which have often required the processing of personal data, including health data, raising concerns about their compliance with the GDPR.
As recognised by the European Data Protection Board, however, the GDPR does not hinder measures required to contain and offset the pandemic. Its principles apply in the context of COVID-19 and allow both public and private organisations to process personal data to fight the virus in compliance with its rules. The same message has been repeated by European supervisory authorities to support governments, health authorities and employers.
Although data protection rules are not a barrier in this fight, protection of personal data must be ensured even in these exceptional times. Given the financial impact of the crisis, there is a danger that businesses will struggle to ensure compliance. Support from supervisory authorities and further harmonisation of the rules across Europe will be essential to ensure companies can sustain this effort.
The GDPR has clearly not reached its cruising speed yet and continues to raise a number of issues in terms of uniformity of application throughout the EU member states and beyond.
One of the biggest challenges is the implementation of data retention obligations in IT systems and their application in a harmonised manner across borders. Retention periods are governed by domestic laws, while IT systems are often not designed to accommodate country-specific retention rules. In addition, international organisations are keen to maintain a certain level of uniformity across borders.
Another issue is the need to maintain an up-to-date compliance framework. Since the adoption of the GDPR, numerous national rules as well as EU and local guidelines have been adopted, making it difficult for organisations to keep up.
Finally, due to their accountability obligation, businesses have to keep a complete document trail (e.g., legitimate interest or data protection impact assessments) to justify their compliance. All these obligations make it quite burdensome for businesses which are struggling in an uncertain legal environment. In future, more stability will be welcome.
This article was prepared by a collaboration of nine data protection specialists from Linklaters across seven European offices. Contributors include Tanguy Van Overstraeten and Claudia Allatta (Belgium), Sonia Cissé (France), Dr Daniel Pauly and Jonathan Platz (Germany), Saverio Puddu (Italy), Agnieszka Mencel (Poland), Ceyhun N Pehlivan (Spain) and Greg Palmer (UK).
This article was first published on Thomson Reuters’ Regulatory Intelligence service