25 May 2018 was a red-letter day for the global ecosystem of data protection laws, with revolutionary legislation that changed the global business landscape coming into force, namely the General Data Protection Regulation (GDPR). Three years later, it is worth reflecting on how the watershed piece of law has fared.
There has been a total of 661 fines imposed so far on organizations since 2018 by various Data Protection Authorities (DPAs) and a high number of data breaches have been reported, with more than 281,000 data breach notifications since the application of the GDPR. As suggested by a DLA Piper survey, it can be said that there is better awareness as well as preparedness amongst the stakeholders in regard to processing of personal data, as well as adhering to compliance requirements. Due credit can also be given to the legislation for making “data protection,” “privacy” and “information security” more widely known concepts. It is also worth mentioning that the GDPR has introduced a rights-based approach, influencing company practices to focus on conducting a risk analysis for timely mitigation and paving the way for increased focus on protection of user rights. This has pushed the protection of data subject/consumer rights to the fore, altering the lens through which risk analyses were previously done.
Additionally, organizations now seem to have matured data management practices and the GDPR has provided a level-playing field to all businesses, regardless of their size. With a new sense of accountability among corporates, especially in upgrading security practices to minimize the risk of data breaches, the increased and active role of DPAs in enforcing the legislation is evident.
Also, in the past year, the economic implications of the COVID-19 pandemic have been taken into account by DPAs, with the amount of fines reduced by ICO. This reflects how a balance has been maintained by DPAs between compliance and enforcement on one hand, but the ongoing practical challenges for businesses on the other.
As the GDPR became a trend setter on the global privacy landscape, it can be said that the legislation was the catalyst for regulatory reforms across the globe as well. Besides businesses around the world becoming privacy-aware and compliant with the GDPR, the past three years saw a major regulatory overhaul in multiple jurisdictions. For example, the Brazilian Data Protection Law, which came into effect in 2020 has been inspired by the GDPR. Likewise, the India Data Protection Bill 2019, which is yet to be passed as law, is said to be similarly influenced by the GDPR. Japan gaining adequacy status for cross-border data flows in 2019 was another crucial as well as encouraging development for other countries vying to attain this status.
Ever since the law was enacted in 2018, there has been some major upheavals in the field of data protection. One of the biggest developments was the Schrems II judgment in July 2020, when the Court of Justice of the European Union (CJEU) invalidated the US-EU Privacy Shield, making cross-border data flow from the EU to the US on the basis of this instrument illegal. This instantly led to international data transfers being halted to US, making way for reliance on standard contractual clauses SCCs for the time being, leaving room for developments and clarification in this aspect. It can be said that surveillance practices by states are a big concern for EU, which further demonstrates the impact and magnitude of GDPR to date. Increased focus on the culture of trust in light of data privacy practices has brought about such overhauls.
Three Years On: Challenges Ahead and the Way Forward
As mentioned previously, invalidating the Privacy Shield will require organizations to move to alternate instruments of data transfer, including SCCs, the validity of which has been upheld by the CJEU. This could result in additional efforts in terms of looking for a work around, which could have a financial impact on smaller organizations in particular. In the absence of clear guidance on what will replace the Privacy Shield, this grey area could be a big challenge for companies to adhere to GDPR requirements for cross-border data transfers.
Additionally, in light of Brexit, the European Commission’s pending decision on adequacy status for the UK is another challenge for organizations falling under the purview of GDPR. This could be another game changer for businesses if they are forced to look for an alternate instrument in case the adequacy decision does not come through in favor of the UK. The economic stakes are high.
As the new version of SCCs is expected to be issued in 2021, which were re-drafted in order to make these clauses complaint with the GDPR (the existing version dating back to the year 2010 and clearly not in sync with legislation), businesses have another challenge ahead of them. Replacing existing clauses with new ones will led to re-negotiations and additional work, posing further economic difficulties for SMEs in addition to their ongoing compliance work.
The proposal for ePrivacy regulation is in the works, and once passed, these measures will need to be aligned with the GDPR. Therefore, for marketeers and organizations involved in the processing of personal data, this is another challenge to be wary of in the coming year. Additionally, the future proof and risk-based approach of the GDPR will have to take into account the future EU framework for Artificial Intelligence and the implementation of the European Data Strategy. Syncing with new strategies and policies could have far-reaching consequences for organizations.
Amid the challenges of the COVID-19 pandemic and its continued impact on the economy, complying with security requirements as per the GDPR along with the shift to remote working, has added to security and privacy concerns for corporations. Therefore, complying with security and privacy practices in the “new normal” is something that businesses should seriously consider. This leaves room for development in GDPR interpretation and implementation, as there are new grey areas for businesses directly dealing with consumers on matters pertaining to health, travel or vaccination status of employees, which blur the lines of proportionality, leaving ample scope for detailed guidelines.
The lack of cooperation between the DPAs to enforce the rules highlights the prevalence of national privacy regimes and glaring differences between the ways they operate. This concern was re-iterated in the opinion of CJEU’s Advocate General in a Belgian case in January 2021, which stated that the one-stop shop mechanism was introduced to give a significant role to the lead data protection authority, requiring cooperation mechanisms amongst other data protection authorities.
In light of these challenges, it can be said that while the GDPR continues to have a significant impact across sectors and jurisdictions on one hand, there is a still a long way to go for it to be a proven success. Over the next year in particular, it will be interesting to see whether GDPR enforcement will continue to be harmonized and standardized.