Over 18 months of GDPR - a review of milestones and effects since applicability

1.     INTRODUCTION 

The General Data Protection Regulation (GDPR; Regulation 2016/679) is a European Regulation on the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of such data. It entered into force on 24 May 2016 and has been bindingly applicable since 25 May 2018 after a two-year implementation period. Companies have been given time within this implementation period to bring their business activities into line with the provisions of the GDPR.

The GDPR replaced its predecessor, the Data Protection Directive (DPD; Directive 95/46/EC) of 13 December 1995. This directive had to be transposed into national law by the member states of the European Union, whereas the GDPR is directly applicable to all currently 28 member states. However, it contains mandatory and optional opening clauses that leave the member states discretionary powers to regulate certain areas, such as employee data protection. The GDPR aims to harmonise European data protection law.

2.     MILESTONES AND EFFECTS SINCE APPLICABILITY

The GDPR has brought about many changes in the area of data protection. The European legislator has identified risks to the protection of personal data in the rapidly developing digitalisation of business processes and the constant further development of technology. For this reason, new rules had to be created for the processing of personal data. The GDPR has now been in force for over 18 months and concerns not only lawyers, legal departments and data protection officers, but also the companies themselves, who must bring their business activities into line with the new rules. Some major milestones since the law became applicable are explained below.

2.1   DATA PROTECTION IS BEING CATAPULTED

The GDPR has greatly increased the importance of European data protection. The media coverage has made people aware of their rights in their role as data subjects. The public relations work of the supervisory authorities has also contributed to the fact that they now take a closer look at the processing of their personal data. According to EU Commission statistics, "GDPR" had more search queries on Google on 25 May 2018 than the celebrities Beyoncé or Kim Kardashian:

 


Source: EC, GPDR in numbers 2018

Data subjects made extensive use of their rights. The EDPB has produced statistics showing how many complaints were received after just under 1 year of the applicability of the GDPR. The supervisory authorities recorded a sharp increase compared with previous years:


Source: EDPB, 1 year GDPR - taking stock

 

The number of data protection officers has also increased significantly. According to an IAPP study of 16 May 2019, it is estimated that over 500,000 data protection officers have been notified to the supervisory authorities:


Source: IAPP, GDPR One Year Anniversary -- Infographic

 

 

The media, too, are increasingly adding data protection topics to their reporting portfolio. Major data protection incidents were reported in online portals of well-known newspapers and magazines within a very short time. This also informed and educated data subjects about data protection.

2.2   THE WORK OF THE SUPERVISORY AUTHORITIES

The GDPR has increased the powers of supervisory authorities in Europe, allowing them to use a variety of measures to prevent and sanction unlawful processing of personal data. Their powers are laid down in Art. 58 GDPR and range from warnings to the imposition of temporary and definitive limitations on processing and bans or fines.

The GDPR has introduced a strategy of cooperation for the European supervisory authorities. Within the framework of the so-called consistency mechanism, the supervisory authorities can delegate responsibilities among themselves, take coordinated measures or cooperate with the EU Commission. The GDPR has introduced the one-stop-shop principle, which means that there is always only one contact point for data protection matters.

The GDPR also established the European Data Protection Board (EDPB). Alongside the EU Commission (EC) and the European Data Protection Supervisor (EDPS), the EDPB is now a further player in European data protection. The EDPB consists of the head of the supervisory authorities of each Member State and the European Data Protection Supervisor. He is the successor to the Article 29 Working Party. His tasks are regulated in Art. 70 GDPR. These include advising the EU Commission, preparing opinions and adopting guidelines.

2.3   FINES

One of the top topics - even long before the GDPR became applicable - was the high fines that Art. 83 (4) et seq. GDPR provides for.

In January 2019, the French supervisory authority Commission Nationale de l'Informatique et des Libertés (CNIL) imposed a fine of 50,000,000 € on Google. One reason for this was insufficient fulfilment of information obligations. In particular, the transparency requirements were not met. On the other hand, Google processed personal data of users for personalised advertising without having a legal basis for doing so, especially as the declarations of consent used did not meet the requirements of data protection law.

In England, there were two fines amounting to millions. The Information Commissioner's Office (ICO) imposed a fine of 204,600,000 € on the airline British Airways for inadequate technical and organisational measures pursuant to Art. 32 GDPR. The background was a hacker attack on the website of British Airways, in which website visitors were redirected to a malicious website during the booking process. This trick was used to steal highly confidential data from around 500,000 customers. This theft also affected the credit card data of approximately 380,000 customers.

A fine was imposed on the hotel chain Marriott International Inc. shortly afterwards. The amount of this fine was 110,390,200 €. This fine is also due to insufficient technical and organisational measures in accordance with Art. 32 GDPR. Hackers exploited a massive data leak and captured data of 383,000,000 guests, including 5,250,000 unencrypted ID numbers and 385,000 valid payment card numbers and expiry dates.  

The next fine, amounting to millions, was imposed on the Austrian Post. It received a fine of 18,000,000 € for using customer data to compile statistics on their party affinity. Furthermore, the Austrian Post reprocessed data about parcel frequency and the frequency of relocations in order to carry out direct marketing activities.

Two German companies were also affected by million-euro fines. The Berlin supervisory authority imposed a fine of 14,500,000 € on the real estate company Deutsche Wohnen SE. The reason for this was the inadmissible storage of personal data of tenants regarding their salary statements, bank statements or tax, social security or health insurance data. The data, some of which were years old, were stored in an archive system that did not provide for the possibility of erasure.

Furthermore, 1&1 Telecom GmbH received a fine of 9,550,000 € from the German Federal Commissioner for Data Protection and Freedom of Information. The company had not taken sufficient technical and organisational measures to ensure that unauthorised persons could obtain information on customer data during a telephone customer service call. Callers were only able to obtain extensive information on personal data by providing the name and date of birth of a customer. In the opinion of the authority, this authentication procedure constituted a violation of Art. 32 GDPR.

2.4   DATA PROTECTION IMPACT ASSESSMENTS

The Data Protection Impact Assessment (DPIA) is also a novelty and a milestone in European data protection law. It is a reflection of the risk-based approach of the GDPR and, pursuant to Art. 35 GDPR, obliges the controller to carry out an assessment of the consequences of processing activities that are likely to present a high risk to the rights and freedoms of the data subject. The Data Protection Commissioner supports him in this. The aim of the data protection impact assessment is to eliminate or at least minimise the identified risks of processing so that they no longer constitute high risks.

In connection with risks, the GDPR speaks not only of material damage, such as financial loss or damage to property, but also of immaterial damage, such as damage to health, deprivation of liberty or the restriction of rights. The German Conference of Independent Federal and State Supervisory Authorities (DSK) has agreed on a positive list in accordance with Art. 35 para. 4 GDPR. This list specifies those processing activities for which a data protection impact assessment must be carried out in any case.

3.     EFFECTS ON THE BUSINESS ACTIVITIES OF COMPANIES

The GDPR has had a lasting impact on the business activities of companies. They had to adapt their processes to the new legal requirements. Two major effects on companies are explained in detail below.

3.1   ACCOUNTABILITY AND DOCUMENTATION OBLIGATIONS

Art. 5 para. 1 GDPR sets out the principles of processing. These represent the basic rules for the processing of personal data. Art. 5 para. 2 GDPR sets out the accountability. Accordingly, the controller shall be responsible for, and be able to demonstrate compliance with, these principles. The best way to do this is to have access to internal documentation.

This includes, for example, lists of processing activities pursuant to Art. 30 GDPR, the ability to demonstrate consents pursuant to Art. 7 para. 1 GDPR or the storage of important internal documentation, statements and expert opinions, such as

  •  Balancing of interests
  • Data Protection Impact Assessments
  • Audits in the event of data breaches
  • Purpose compatibility checks

Careful data-protection management facilitates the work of the controller and is useful for a beneficial clarification of disputes or official investigations.

3.2   MAJOR IMPLEMENTATION PROJECTS AND SUB-PROJECTS

Many companies were already involved in major implementation projects before the GDPR became applicable. They had to adapt the former legal situation in data protection to the new requirements of the GDPR. Those who had already carried out their processing activities in accordance with the Data Protection Directive did not have to do as much as companies that had hardly taken data protection into account at all.

The subject of large-scale projects was both the reappraisal of the external presentation, such as data protection notices on websites, and the correction, adaptation and introduction of internal processes. In larger companies, attempts were made to introduce a comprehensive data protection management system that would regulate the many individual areas of responsibility of the GDPR in the sense of a holistic system.

Many projects and sub-projects are still running in companies at this time. In particular, the topics of data erasure, handling of data subjects' rights and authentication procedures, reporting channels for data protection violations, technical-organizational data protection and data protection contract management (processing on behalf of the controller, joint controllership and transfers to other controllers) are present in data protection departments and for data protection officers. Nevertheless, regular data protection activities have also settled down at many companies.

4.     CONCLUSION AND OUTLOOK

In accordance with the marketplace rule, the GDPR affects companies from all over the world if they intend to offer their goods or services to consumers based in the EU or EEA. It is therefore of great importance to implement and comply with the requirements of European data protection law.

Lawful handling of personal data has become an important criterion for many consumers. Earlier in this article, it was stated that already about one year after the applicability of the GDPR, the European supervisory authorities had received 144,376 inquiries and complaints from natural persons (cf. infographics EDPB). These were either direct contacts between individuals and the authorities or organisations claiming the rights of these individuals.

According to the authors, companies can use compliance with data protection regulations as a competitive advantage. There is now a high level of social awareness about data protection. Legitimate processing of personal data creates trust among customers and thus serves to promote the sale of goods and services.

There will most likely be other laws that will regulate European data protection, such as a hotly debated ePrivacy Regulation. It remains to be seen what concrete effects they will have, but one thing is clear: the subject of data protection will become increasingly important both as a legal and a social phenomenon.

External Data Protection Of cer, NOTOS Xperts GmbH in Darmstadt, Germany

Erdem Durmus completed his studies in Information Law (LL.B.) at the UAS Darmstadt. He wrote his bachelor thesis on the right to data portability according to Art. 20 GDPR. Afterwards, he also studied Global Licensing (LL.M.) at UAS Darmstadt. He completed both courses of study with a very good grade point average. His master's thesis he wrote, in cooperation with the Fraunhofer Institute for Secure Information Technology (SIT), on the GDPR-compliant erasure of e-mails. He is also the author of numerous articles on data protection law in specialist journals.

Managing Partner, NOTOS Xperts GmbH in Darmstadt, Germany

Jens Engelhardt has been advising as a highly specialized lawyer (specialist lawyer for IT Law, copyright and media Law and IP Law) for almost 20 years in IT & IP Law. Since 2019 Jens Engelhardt has been listed in "Deutschlands beste Anwälte" and "Best Lawyers" for the area of Data Security and Privacy Law. Through NOTOS Xperts GmbH, he is available for the position of an external data protection of cer or data protection consultant. The aim is to enable clients to concentrate on their core business.