EU: Three years of GDPR - a rocky journey

According to a Linklaters analysis of eight European jurisdictions, including Belgium, France, Germany, Italy, Luxembourg, Poland, Spain and the UK, GDPR awareness and enforcement are on the rise during this third year (‘Y3’) of application of the GDPR.

There has been a 59% increase in the number of fines ordered and a 142% increase in the value of fines imposed under the GDPR in the past year across these markets, with the amount of fines reaching over €300 million, as well as an important continued increase in data breach notifications. Y3 of GDPR has also been marked by important changes to data transfers.

An increase in the number and value of fines

The number of fines issued under the GDPR has increased across the board, with Germany being the only exception in reporting a decrease.

Spain’s Data Protection Agency has been the most active supervisory authority, having issued 335 sanctions – including 163 reprimands and 172 fines - for a total of €8.02 million in 2020.

During Y3 of the GDPR, the UK only issued three fines. However, the UK fines amounted to approximately €47 million.

This total amount of fines is in line with the €48 million imposed in Germany, but for a total of 301 reported cases.

Italy’s data protection regulator, known as the Garante, imposed three record fines for unlawful marketing activities, in addition to 35 other fines amounting to €58 million.

Despite Belgium being the second-smallest country reviewed, it has been quite active, with 21 fines for a total of €931,000.

In contrast, Poland has issued 11 fines adding up to €803,000, despite being more than three times more populous than Belgium.

The record amount of fines remains held by France’s CNIL which, after having imposed a €50 million fine in 2019, imposed a €100 million fine in 2020 – the largest fine issued so far in the GDPR era. In Y3 of GDPR, the total amount of fines imposed by CNIL exceeded €138 million.

An increase in data breach notifications

On average, data breach notifications have increased year on year since the introduction of the GDPR. Spain, Italy and the UK are the only exceptions to the trend, as the number of notifications filed in 2019 remained slightly higher than 2020.

The overall growth registered in 2020 could be explained by companies’ increased sensitivity to privacy matters, as well as to an evident rise of cyberattacks during the covid-19 pandemic. Indeed, the pandemic prompted significant changes in the area of cybercrime, and the impact of covid-19 on cybercrime has been the most visible and striking compared to other criminal activities. The pandemic led to an increase of cyberattacks – especially phishing and ransomware – causing an increase in data breach notifications.

Source: figures released by the relevant data protection authorities

The total number of data breach notifications filed from May 2018 to December 2020 was very similar for countries such as Belgium, Spain, Italy, and France, while there was a sharp increase in the numbers for Poland, the UK and Germany. An overall lack of harmonisation of the practical criteria adopted across jurisdictions to decide whether to notify a personal data breach might be the cause of this inconsistency.

Source: figures released by the relevant data protection authorities

The analysis also reveals that the majority of breach notifications across Europe in 2020 stemmed from human errors in the workplace, such as accidental e-mail communications leading to unauthorised access. By contrast, criminal hacking is only the second main cause of breaches in Europe, followed by the loss or theft of unsecured devices, such as mobile phones and laptops, or documents. Interestingly, only a small percentage of the notified breaches in Europe in 2020 were related to information system failures.

Data subject right requests

Data subject rights have also been an important topic over these first three years of the GDPR. It appears that the right of access, the right to be forgotten and the right to object to direct marketing are the most commonly enforced in all jurisdictions. Rights to obtain information about processing and to withdraw consent also appear to be more subject to enforcement.

On the other hand, the rights to restriction and to data portability do not seem to be as well-known by the public, given there seems to be (almost) no enforcement in respect of these two rights so far.

France, Italy and Spain are very active in terms of enforcement of data subject rights: the combined amount of fines issued by these three countries almost reached €180 million, with the largest fines issued so far being in respect of non-compliance with data subject rights.

On the other hand, German regulators have respectively imposed only two data subject rights fines, and Poland only one. The UK has not ordered any monetary penalties in relation to data subject rights. The ICO will often informally require controllers to comply with requests instead of imposing a fine.

The future of data transfers

Y3 of GDPR was also marked by data transfer uncertainties, further to the landmark Schrems II case, in which the European Court of Justice ruled that the EU-US Privacy Shield framework was invalid. The ruling had more far-reaching consequences, as it required EU companies to assess if any country to which data is transferred provides adequate protection. The necessity to perform this assessment has come together with its own challenges: companies now have to determine how national laws are exercised in practice, and how likely they are to be exercised in relation to a data transfer.

The fourth year of the GDPR is likely to be as interesting as Y3 in terms of data transfers. The European Commission released new standard contractual clauses (SCCs) on 5 June 2021. An important repapering exercise will have to take place. Companies have been given 18 months to replace all the SCCs in place.

On the other hand, some help should come from the regulators in the coming months. Adequacy talks were concluded with South Korea on 30 March 2021. The European Commission will now proceed with launching the decision-making procedure to adopt the adequacy decision. The UK adequacy decision, which is required to ensure the continuity of the free flow of personal data from the EU to the UK, is also being expected with much apprehension. Also, after the failures of the Safe Harbor in 2015 and of the Privacy Shield five years later, the US Department of Commerce and the European Commission have initiated discussions to evaluate the potential for an enhanced Privacy Shield framework. It could however take quite some time before a new framework for transfers of personal data between the EU and the US is agreed upon.

The GDPR has a bright future ahead, especially considering that GDPR awareness is on the rise for data subjects (as demonstrated by the important raise in complaints) as well as for companies (shown among others by the increase of data breach notifications). This goes hand in hand with increased enforcement from supervisory authorities: some of the highest-value fines were issued during Y3. There is little doubt that there will still be plenty to say (and maybe even more) on the GDPR’s four-year anniversary in 2022.

This article was first published in Global Data Review.

By Valérie Heremans, Ceyhun Pehlivan and Saverio Puddu.