Do you remember the Y2K bug in the run-up to the new millennium? Warnings that computer systems and networks would stop functioning on 1 January 2000 led to panic and pandemonium as people prepared for its impact.
In some ways, the introduction of the GDPR (General Data Protection Regulation) was reminiscent of the Y2K scare.
Despite the two-year transition period, a lot of organisations left it to the last few months before the enforcement date to get themselves GDPR ready.
Inboxes were flooded with emails about updated privacy policies, and plenty of organisations sought reconsent to continue processing information they had gathered prior to the GDPR – even though, in many cases, they did not need to.
So, what did happen on 25 May 2018?
Here are a few newspaper headlines from the day:
Schrems is an Austrian activist and founder of non-profit organisation NOYB (None of Your Business) who is known for launching campaigns against Facebook, claiming the tech giant violated consumer privacy and transferred users’ personal data to the US National Security Agency.
The day the GDPR came into force, Schrems lodged complaints against Facebook, Instagram and WhatsApp through data protection authorities in Austria, Belgium and Hamburg, Germany. He stated that Facebook and its subsidiaries were forcing users to accept the platform’s updated ‘intrusive’ terms and conditions or lose access to the services.
Schrems also filed a complaint about Google’s operating system with the French data protection authority, CNIL. The complaint stated that users who purchased a phone with an Android operating system are automatically pushed into Google’s environment, breaching their right to be informed.
Some organisations in the US decided to deal with the GDPR by not dealing with it. Their solution to handling the Regulation was to stop providing their products and services to readers in the EU. This is still the case today for a number of US news organisations.
In the weeks leading up to 25 May 2018, the term ‘GDPR’ trended higher in Google searches than ‘Beyoncé’. Given that Beyoncé has more than 100 million followers on Instagram, and more than 15 million on Twitter, this is a considerable achievement.
What has happened over the past year?
It’s just over a year since the GDPR became applicable. What’s happened in that time?
GDPR notifications so far
The DLA Piper GDPR Data Breach Survey: February 2019 looks at data breaches reported to supervisory authorities between 25 May 2018 and 28 January 2019.
The report is based on figures from 23 EU member states and Norway, Iceland and Liechtenstein.
In that period there were 59,430 reported data breaches, ranging from minor breaches, such as emails sent to the wrong individual, to major incidents, such as cyber attacks that affected millions of people.
In terms of data breach notifications, the Netherlands tops the list with more than 15,400, followed by Germany (12,600) and the UK (10,600). Ireland is fourth with 3,800. While this doesn’t seem too bad compared to the Netherlands, Germany and the UK, when the results are weighted to consider the country’s population, Ireland moves up to second place. The Netherlands is still first but the UK and Germany drop to 10th and 11th respectively.
The number of notifications continues to grow. On 22 May 2019, the EDPB (European Data Protection Board) revealed that EEA (European Economic Area) supervisory authorities had logged 144,376 queries and complaints and 89,271 data breaches since the GDPR’s enforcement date.
Some GDPR fines to date
On 21 January 2019, the French supervisory authority, CNIL, imposed a €50 million fine on Google – the highest GDPR fine to date. The fine was issued for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of advertisements.
The fine results from complaints made to CNIL by two groups, one of which was Max Schrems’ NOYB group.
CNIL found that information held by Google is not easily accessible for users and that users are not sufficiently informed when giving their consent.
In October 2018, a Portuguese hospital was fined €400,000 for three GDPR violations:
- €150,000 for excess numbers of users having access to patient data. Although only 296 doctors worked at the hospital, there were 989 doctor profiles on the system, all with access to patient files and medical information.
- €150,000 for not having adequate technical or organisational measures in place to prevent unlawful access.
- €100,000 for not being able to ensure the continued confidentiality, integrity and availability of systems.
What’s interesting about this fine is that CNPD, the Portuguese supervisory authority, acted on a newspaper report and not on any complaint.
Bisnode took the data of more than 6 million individuals from the government public register and used it for commercial reasons without informing them.
Germany’s supervisory arrangement differs from that of other countries: data protection supervision is delegated to each of the 16 federal states, each of which has its own authority. A committee of representatives from each authority ensures a consistent approach throughout the country.
So far, fines have been imposed in 6 of the 16 German states and by May 2019 a total of 75 fines had been issued.
On 12 September 2018, a €4,800 fine was issued to a sports betting café in Austria for operating an unauthorised CCTV system that covered public streets as well as car parks. The surveillance was not proportionate to the purposes of the processing and was not limited to what was necessary. There were no logs of video surveillance processing operations, no deletion of the personal image data recorded and no separate logs for processing in this regard. In addition, the filmed area did not have adequate signage about CCTV being in use.
On 28 May 2019, the Belgian Data Protection Authority announced its first GDPR fine. A mayor was fined €2,000 for misusing personal data for electoral campaign purposes. The mayor reportedly sent election propaganda to two constituents who had contacted him about an urban development project. According to officials, this was a breach of the Regulation as the mayor used the personal data for a different purpose from that for which it was originally collected.
This is an excerpt from Alice Turley’s webinar ‘GDPR – One Year On’.
Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries.
Delve deeper into the Regulation with part one of our ‘GDPR one year on’ series: ‘An overview of the GDPR with Alice Turley, data protection expert’.