Before you were born, you already attracted a lot of attention. After all, not everyone is born over two years after they are conceived and has 28 parents! And your parents had to resist enormous pressure from people who predicted that once you were born, you would be a nightmare. Well, now that you have been in this world for one year, your aunts and uncles in California, who called you a “monster,” are about to give birth to someone who looks a bit like you, and they already have a name picked out: CCPA.
Why did you scare so many people? Because you could cost their companies a lot of money. Because of you, the EU’s national Supervisory Authorities (the “SAs”) can now issue substantial fines, up to a maximum of 4% of the annual worldwide turnover or 20 million euros, whichever is higher.
Moreover, you came more than 20 years after your older sister (the EU’s 1995 Directive), so people forgot what it was like to have a baby around. But you are already a bigger traveler than she is: you have a broader territorial scope, since you apply to businesses that are not established in the EU but offer goods or services to data subjects in the EU or monitor the behavior of data subjects in the EU.
Your broad scope and your potential fines resulted in a lot of stress for companies doing business in Europe, especially companies that are based in countries like the US, which traditionally have not protected personal data in the same way as in Europe.
- An increased awareness as to security
A French novelist once said that he had understood the meaning of the word “fear” after the birth of his first child. Fear is not always constructive, unless it increases awareness and attention to problems. And you have raised awareness in relation to data breaches and data security.
You introduced an obligation to report data breaches to SAs and, in some circumstances, to the individuals affected (your US cousins were way ahead of you and your sister in that regard). Eight months after your birth, the European Commission stated that approximately 41,000 data breaches had been notified to European SAs.
Many national SAs also published information about the number of data breach reports they received; it appears that the highest numbers of breaches were reported in the Netherlands, Germany and the UK.
What kind of breaches have been reported? A great variety: some were malicious, others were negligent. Some breaches affected several million individuals, but most were much smaller.
Often, our clients fear that filing a data breach report automatically triggers a big investigation. However, this is not what has happened because of you, GDPR. European SAs are aware that privacy and security risks are everywhere. If, based on the report they receive, they feel that the reporting company has taken adequate corrective measures and, if applicable, informed the data subjects, chances are that they will not investigate the matter further.
- Enforcement by European Supervisory Authorities
Before your birth, there was much speculation as to how Supervisory Authorities would enforce your terms. Some were saying that SAs would focus on major internet players, companies outside Europe, or health care companies.
While several health care companies have seen enforcement actions, most of the companies fined by Supervisory Authorities since you were born are actually smaller companies, not the FAANGs or other US major internet companies. Some people forecast that non-EU (and particularly US) companies would be targeted for enforcement actions. However, in the vast majority of the decisions made public, the SAs went after local companies in their own country. Sometimes, fines were issued against really small companies. For example, the Austrian SA fined an entrepreneur who had installed a CCTV camera in front of his establishment. Other specific activities that have resulted in fines by Supervisory Authorities include:
- the illegal monitoring of employees; and
- the use of personal data by insurance companies for purposes other than those necessary for the provision of insurance products.
- What happened to the One Stop shop?
GDPR, all your parents want to take good care of you, but they are not always OK with only one of them making decisions about your future.
In January 2019, the French SA fined Google LLC 50 million euros for GDPR violations, without explaining how it calculated that amount. It referred to Google’s worldwide turnover in 2017, nearly 110 billion USD, but it did not give any calculation method and only said that the amount was justified by “the severity of the violations”. This was the biggest fine ever imposed in Europe, and we commented on that decision here on this blog. The French Authority explained that it investigated the Android user’s “click path” from the creation of a Google account to the day-to-day use of the smartphone. It found that Google was in breach of two of the GDPR’s main principles:
- the information policy was not sufficiently transparent and accessible; and
- the consent gathered by Google to process the data for ads personalization purposes was not valid because it was not sufficiently informed and specific.
One promise made in the GDPR by the European legislator was that it implemented a “one stop shop”: instead of having to refer to each national SA and being subject to fines by each national SA, companies could centralize their compliance and report to just one SA even though they have establishments or process personal data of individuals in several EU countries. However, the French SA has said that the “one stop shop” could not apply to Google’s case because Google has no centralized decision-making place in the EU (just in the US). The Authority explained that it conferred with other SAs and they all reached the same conclusion. Google is appealing the decision, which will probably end up being referred to the European Court of Justice. A ruling against Google means SAs in other countries could fine Google for the same GDPR breaches in their territory (but so far, no other SAs have commenced similar proceedings against Google).
All of this is certainly not what we expected when you were born, GDPR.
Dear GDPR, you are like all children, full of surprises! Happy birthday to you!