On Friday, 25 May 2018, the much-heralded General Data Protection Regulation came into force with direct effect across the territory of the EU. Almost exactly one year later, we examine whether much has changed given that no fines have been issued thus far by the Irish Data Protection Commission.
GDPR arrived into the public domain in a flurry spawned by a fairly effective public awareness campaign. Emails whizzed back and forth between businesses across the EU requesting the permission of future data subjects, privacy notices were implemented, data protection-specific clauses were inserted into contracts and overall internal procedures were scaled to comply with the new regime.
Indeed, in a recent survey carried out at the behest of the European Commission, 67% of EU citizens indicated that they were aware of the GDPR. Over the past year, 6624 complaints have been made to the DPC, highlighting the effectiveness of the public awareness campaign. Citizens are keenly aware of their new rights – forcing data processors to remain accountable and on top of their obligations.
As we know, a unique feature of the GDPR is that it can be applied to non-EU controllers and processors where they are operating within the territory of the EU. The basis for the EU data protection regime lies in Art 8 of the EU Charter of Fundamental Rights, which holds: ‘Everyone has the right to the protection of personal data concerning him or her’. First, let us look at the legal basis for data processing.
Art 6 of the GDPR holds that data processing shall be lawful where: (a) the subject has given consent; (b) it is necessary for the performance of a contract to which the subject is a party; (c) processing is necessary for compliance with a legal obligation; (d) it is necessary in order to protect the vital interests of the subject; (e) it is necessary for the purpose of carrying out a task that is in the public interest; or (f) it is necessary for the purposes of the legitimate interests pursued by the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the subject.
The most important rights contained in the GDPR are as follows:
- The right to be informed (Arts 13, 14)
- The right to access information (Art 15)
- The right to rectification (Arts 16, 19)
- The right to erasure (Arts 17, 19)
- The right to data portability (Art 20)
- The right to object to processing of personal data (Art 21)
- The right of restriction (Art 18)
Given that the GDPR gives regulators and other competent authorities the power to levy penalties of up to €20m or 4% of annual turnover, whichever is the greater amount, it is not surprising that fines are the main talking point whenever the issue of GDPR arises. Most companies could not afford to take such a hit.
With the GDPR still in its nascent stage, many of the inquiries which have arisen as a result of the 6000 or so complaints the DPC has received thus far have yet to be pursued to conclusion. However, according to the European Data Protection Board, 11 fines have been imposed at the time of writing, totalling some €55m – the heftiest of these being the €50m levied by CNIL on Google in January.
According to a report in the Irish Times, the Irish Data Protection Commission currently has 80 frontline staff working on over 50 separate investigations of potential breaches of the GDPR. That said, there are suggestions that the government will need to invest more in the DPC, given its crucial role in policing some of the world’s biggest technology companies.
Even if hard-and-fast enforcement in the form of fines has been relatively scant thus far, it is important to remember that this regulation is still in its infancy. The huge positive to be drawn from the figures released by the DPC is that citizens are very clearly aware of their new rights as data subjects. EU figures also reflect this trend, with 144,000 complaints lodged on the continent.
Looking back on the first year of enforcement, it is fair to say that the main goals of the GDPR – accountability and transparency – have been realised. Andrea Jelinek, Chair of the EDPB, noted that while the first year has been ‘challenging’, the authorities have by and large achieved the goals they set out to fulfil at the start of the year.
With the Schrems case set to rumble on, it is fair to say that the issue of data protection in Ireland – and by extension, the EU – is far from solved. Sure, companies and firms alike should keep on top of their obligations under the GDPR, but it is very important to remain cognisant of the possibility for future developments, most notably the proposed E-Privacy Regulation, as the EU moves towards the fulfilment of its Digital Single Market strategy.
The third edition of Privacy and Data Protection Law in Ireland by Denis Kelleher is due to be published in October 2019. It has been referred to as ‘the most comprehensive reference book for Irish privacy and data protection practitioners’, and advance copies may be pre-ordered.