Enforcement of the General Data Protection Regulation (GDPR) is one year old. This new pan European Union (EU) legislation is intended to protect consumers’ data by standardizing data capture and storage practices across all businesses operating within the EU. Specifically, it regulates the way companies of a certain size can collect, process, and store consumer data.
But since its inception, the legislation has been a cause of concern for merchants. For starters, the definition of “personal data” under Regulation (EU) 2016/679 encompasses “any information relating to an identified or identifiable natural person”. In other words, anything about anyone.
Statutory Definitions Unclear
Adding to the complication is the fact that the Regulation threatens large penalties for data breaches. Specifically, it establishes the possibility of eight-figure fines, or in the worst cases, even entire percentages of revenue:
Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Adding to the trifecta of misery is the amazingly vague definition of what constitutes a data breach. The text defines it as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Again, a definition that encompasses almost anything.
Finally, each individual EU member state is empowered to interpret the law as they see fit. All told, there was a lot of uncertainty about how the Regulation would play out in practice. One year on, the outlines of what we can expect moving forward have already begun to take shape.
Unfortunately, the European Data Protection Board (EDPB) does not have any uniform standards for how member states must report data. That makes it difficult to gauge the impact. However, the implementation reports published by the EDPB give some indication. The reports show EU citizens made nearly 100,000 complaints since May 2018. That number includes almost 65,000 claimed data breaches.
GDPR Penalties So Far
One year on, it appears fears of the ambiguity and large compliance fines is warranted. National governments imposed hundreds of fines on companies for a variety of violations, including:
- €80,000 for publishing personal health data onto the internet
- €20,000 for not hashing stored passwords
- €50,000,000 for unauthorized processing of personal data (by Google)
In addition, the European Data Protection Board (EDPB) recently published information about the scope and size of fines. The first heading of the text ominously reads “expect more GDPR fines in 2019.” It goes on to tout that Poland levied its first fine of €220,000 for public data scraping. The message that the regulation is here to stay is clear.
What Is the Future of GDPR?
Which raises the question of where we go from here. GDPR’s goal is to harmonize the law between all EU countries. This is in the best interests of individuals and companies. In fact, Article 63 of the Regulation states:
“In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.”
However, it’s already obvious that different member states will levy fines differently. A board does exist to eliminate ambiguity, but it’s unclear what practical effect it will have. There is already a huge discrepancy in the size of fines and level of scrutiny. It is clear it will be a long time before all of the ambiguity is eliminated.
It is encouraging that clarity this is one of the stated goals for the future. In addition to closer cooperation and communication, the EDPD recently stated:
“Another opportunity is to adopt consistency opinions and decisions. These decisions mainly address the national supervisory authorities and ensures a consistent application and enforcement of the GDPR.”
It will take time for this to materialize. Hopefully, reporting will be more systematic and robust in the near future. It will also be helpful if member states communicate between one another and standardize their interpretations of the law.
Whatever form it takes, the hope is year two of GDPR will bring more clarity. In the meantime, businesses must continue to do their best to protect consumer data from account takeovers and other attacks.