Data protection: threat to GDPR’s status as ‘gold standard’
Implemented in May 2018, the European Union’s General Data Protection Regulation (GDPR) was hailed as the gold standard for the protection of consumer information because it ushered in the world’s toughest-ever privacy regime. That image has arguably been tarnished thanks to enforcement concerns and a recent decision by the Court of Justice of the European Union (CJEU).
In the two years since the GDPR’s implementation, just 347 fines have been issued by individual regulatory bodies across the EU Member States – counting the United Kingdom – despite major data breaches regularly being reported. At the same time, with fines ranging in size from €90 in Hungary to €50m in France there is frustration that the sanctions being applied are not robust enough to act as a serious deterrent.
The purpose of the GDPR was to replace the various data protection laws that had been implemented across the EU over the last few decades with something more uniform and better adapted to the internet age.
The GDPR is the gold standard that no one can use – other countries will say that it’s nice, but that they can’t work with it
Matthias Orthwein
Vice-Chair of the IBA Technology Law Committee
In addition to giving individuals greater rights to demand that companies reveal or delete the information they hold on them, the GDPR requires businesses to ensure customers’ personal details remain private. Sanctions for breaching the regulation include public censure as well as fines of up to the higher of €20m or four per cent of turnover.
Though the regulation only applies to businesses operating within the EU or working with the personal data of EU citizens, Matthias Orthwein, Vice-Chair of the IBA Technology Law Committee and a partner at German firm SKW Schwarz, says the robust nature of the GDPR means its influence has been felt globally.
‘Privacy is an important issue for a lot of people and that’s why the GDPR was a great thing from the start,’ he says. ‘It got a global boost because other countries copied it – they thought it was a gold standard.’
‘In 2018 and 2019 a lot of work we had as German lawyers came from the US, Brazil and other jurisdictions, where companies with European subsidiaries wanted to give more attention to privacy,’ explains Orthwein. ‘Even if they didn’t have the same law they wanted to adopt a privacy law in the GDPR style because they knew they would then be safe globally.’
Innocenzo Genna, Website Officer of the IBA Communications Law Committee and an EU public affairs consultant, says that while the regulation has worked well at raising awareness of data protection issues, regulators’ apparent reluctance to enforce breaches against the internet giants in particular is beginning to look problematic.
‘The reality is that so far there have been no strong GDPR sanctions,’ he says. ‘Telecom Italia was recently fined [almost] €30m but that doesn’t change the life of a company like Telecom Italia.’
In Australia, the country’s Competition and Consumer Commission has proposed legislation that reflects much of what the GDPR has to offer. However, Angela Flannery, Working Group Coordinator of the IBA Communications Law Committee and a partner at Holding Redlich, notes that the Australian authorities were already concerned that anything too similar to the GDPR would result in notification and consent fatigue on the part of consumers. The fact that so little enforcement action has been taken in Europe has further weakened the case for aligning the Australian legislation too closely with the EU’s.
‘I don’t think the Australian government is particularly enamoured with the idea that Europe put it in place first and therefore we should all do what the Europeans are doing, particularly as there is no data that indicates that the GDPR has improved things for consumers,’ says Flannery. ‘We watch what’s happening in Europe and there hasn’t been a significant number of cases since the GDPR. There doesn’t seem to have been a huge change in regulatory practice.’
Despite such scepticism about the effectiveness of GDPR enforcement, Jenner & Block partner Kelly Hagedorn stresses that it is too early to judge whether individual regulators are being robust enough and, by extension, whether the regulation is achieving its aims.
‘I look at this from the perspective of someone who was working on the UK Bribery Act when it came in in 2011,’ she says. ‘It took quite a long time for cases to start coming through the system then so it’s not surprising that there have been relatively few high-profile GDPR cases.’
‘Most data protection authorities move more quickly than criminal authorities but I’m not surprised that there has been a relatively small number of fines,’ adds Hagedorn. ‘I imagine that will increase over the next three to five years.’
Hagedorn says that the GDPR is drafted very widely and is principles-based, which means there are a lot of unanswered questions. ‘That will only come over time as we get more guidance from the European Data Protection Board on fining notices as you can always take good guidance from those,’ she believes. ‘That will take some time to shake down.’
For Orthwein, however, that certainty has been put in danger, with a recent decision from the CJEU throwing the regime into disarray. Following on from a case brought by Austrian privacy campaigner Maximilian Schrems in 2015, the decision in Schrems II has effectively invalidated the so-called ‘Privacy Shield’ framework that until now allowed for the transfer of personal data between the EU and the United States. This, says Orthwein, is likely to render the GDPR unworkable for international data transfers. In a globalised world, this will have significant implications.
‘This is a very bad development,’ Orthwein says. ‘On the one hand you’ve got data colonialists who say no one is allowed access to data without a valid justification compliant with the GDPR regime. On the other side you have the US and other governments saying they want to be able to investigate terrorism and other criminal acts [by accessing that data] according to their respective rules, even though these rules might be in conflict with the GDPR regime.’
Orthwein believes it’ll be difficult to find a solution. ‘Everyone is trying to find workarounds but that will have an impact on the image of the GDPR as the gold standard,’ he says. ‘It’s the gold standard that no one in non-EU countries can comply with – other countries will say that it’s nice, but that they can’t work with it.’