Monday’s €1.2 billion fine for Meta – by far the biggest fine issued under the GDPR since it took effect five years ago – has been taken by many as a sign that the Regulation is at last beginning to be enforced with sufficient vigour.
However, the Meta decision illustrates the ongoing difficulty of applying a consistent approach to GDPR enforcement, particularly when it comes to cross-border and international data transfers.
In particular, the Irish DPC (Data Protection Commission), which is the supervisory authority for numerous US tech giants whose EU headquarters are in Ireland, continues to attract criticism for its relatively lenient approach to GDPR enforcement.
In the case of Meta – as for some 75% of decisions on cross-border data processing in which the DPC is the lead supervisory authority – the original DPC judgement was overruled by the EDPB (European Data Protection Board).
The Meta fine comes after a ten-year investigation and three court cases involving the privacy campaigner Max Schrems and his organisation noyb (none of your business), which has spent years campaigning against US data surveillance.
Schrems commented:
The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland – the EU Member State that did everything to ensure that this fine is not issued.
Given the scale and nature of its operations, Meta is obviously something of a special case, but the wider implications for personal data transfers from the EU to the US are clear: this case is surely going to be another nail in the coffin of the new EU-US DPF (Data Privacy Framework).
It follows the recent resolution by LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs) that the Framework didn’t afford adequate protection for EU residents’ personal data when transferred to the US and therefore shouldn’t be used as the basis for an adequacy decision.
Unless it is renegotiated, the EU-US Data Privacy Framework seems almost certain to go the way of its two predecessors – the Safe Harbor scheme and the EU-US Privacy Shield – both of which were declared invalid by the CJEU following legal action by Schrems and noyb.
EU-US Data Transfer Assessment and Action Plan
If you transfer personal data from the EU to the US – or if you or your suppliers use services built by US-owned companies such as Microsoft, Salesforce or Facebook – you need to consider your regulatory requirements.
Our EU–US Data Transfer Assessment and Action Plan will help you ensure you stay on the right side of the law.
- Our data privacy experts will conduct a detailed review of your records of processing, process maps and data flow maps to identify the processes that need to be addressed.
- A set of questionnaires will be sent to your suppliers to review their data processing arrangements.
- The responses provided by your suppliers will be reviewed and assessed.
- A gap analysis will be undertaken to identify any missing information.
- Our team will review your suppliers’ privacy notices and other supporting information.
Data privacy in the age of surveillance capitalism
As US corporations such as Meta (which owns Facebook) and Google increasingly commodified personal data in the early 21st century, it became clear that existing data protection laws needed to be strengthened and the powers available to the data protection authorities extended.
Companies that ostensibly offered services to consumers were amassing large data sets about how those consumers behaved.
They began profiting by selling targeted advertising and access to their analysis of this ‘behavioural surplus’ to other organisations that wanted to predict how consumers might behave. (As the much repeated aphorism had it: “If you’re not paying for the product, you are the product.”)
For lawmakers and privacy campaigners, the need to improve corporate responsibility towards personal data became increasingly urgent: leaving large-scale data processing in the hands of a handful of tech giants was at best unpalatable and at worst ethically dubious.
The GDPR was intended to address that – and at first, it seemed like it would.
GDPR enforcement and compliance: the early years
For organisations that had taken advantage of the relatively low-key compliance environment under the GDPR’s predecessors – EU member state laws based on the Data Protection Directive 1995, such as the UK Data Protection Act 1998 – complying with the GDPR meant considerable work overhauling their data processing practices.
The GDPR introduced stringent requirements relating to technical and organisational measures to secure personal data, data protection impact assessments, data protection officers and the like, which many organisations found onerous.
Unsure of how it would be enforced, boards seemed to take a ‘wait-and-see’ approach to compliance, refusing to regard the Regulation seriously until they saw evidence of fines and other regulatory action.
For their part, the data protection authorities understood that in the early days of the GDPR, they needed to guide organisations towards better habits rather than punishing them for not changing their ways.
As Andrea Jelinek, the chair of the EDPB, told a recent panel discussion at the IAPP 2023 Global Privacy Summit:
When we started from scratch we had to give guidance because everyone wanted to have guidance because the elephant in the room in 2018 was the GDPR. Everybody was thinking now it’s done. No, it was the start of a really big journey.
Over time, however, the supervisory authorities have shifted their position from guidance to enforcement.
Where they once steered non-compliant organisations towards better habits – especially during the coronavirus pandemic, when the sudden introduction of remote working provided a host of new challenges for organisations – they now issue fines.
As Jelinek said, organisations now “have to show that they’re compliant and if they’re not, they will be fined”.
It’s impossible to formulate an entirely accurate appraisal of GDPR enforcement across the EEA and UK. For one thing, not all supervisory authorities publish information about the regulatory action they take; for another, the various free GDPR fines trackers are prone to inaccuracy, with duplicate entries and erroneous dating.
However, DLA Piper’s 2023 GDPR Fines and Data Breach Survey gives an indication of the extent of this shift in enforcement: supervisory authorities across Europe issued €1.65 billion in fines between January 2022 and January 2023 – a 50% year-on-year increase.
Across the EEA, EU GDPR fines now total about €4 billion (although €1.2 billion of that is the Meta fine, which Meta intends to appeal).
Most common types of GDPR breach since 2018
In the face of such an increase in regulatory action, it’s important to understand which GDPR breaches are most likely to see organisations fined.
We’ve been analysing GDPR fines since the Regulation took effect in May 2018. Breaches of Articles 5 (data processing principles), 6 (lawfulness of processing) and 32 (security of processing) have accounted for more fines than any other GDPR violation.
This is unsurprising: how personal data is processed and secured is the heart of the GDPR.
You cannot process personal data unless you can demonstrate you have a lawful basis for doing so, follow the six data processing principles, and implement appropriate technical and organisational measures to maintain its confidentiality, integrity and availability.
Reflect – Review – Refresh
As GDPR enforcement increases, it’s critical to ensure you continue to meet your data processing obligations. IT Governance can help you – whatever your resources or expertise.
We’ve been at the forefront of GDPR compliance solutions since before the Regulation took effect. Since then:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.
The post Changing Attitudes Towards GDPR Enforcement and Compliance: 2018 – 2023 appeared first on IT Governance UK Blog.