Alessandra NisticoIn May 2018, companies were all struggling with the GDPR compliance deadline, as the deadline for enforcement was coming. Who does not remember the email inbox full of brand new GDPR-compliant privacy policy announcements? One year later, what has changed in the perspective of data subjects?
The awareness of personal data protection resulted in an increased number of complaints
According to a survey by Eurobarometer in March 2019, 67 percent of Europeans are aware that the GDPR entered into force on 25 May 2018, and 57 percent of European citizens indicated that they are aware of the existence of a public authority in their country, responsible for protecting their data protection rights, demonstrating that one of the aims of the GDPR has been achieved. In comparison with the Eurobarometer survey in 2015, there has been a 20 percent increase in citizens’ awareness. The preamble of the GDPR introduces the regulation by stating that, according to the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union, “the protection of natural persons in relation to the processing of personal data is a fundamental right.”
Making data subjects aware that personal data protection is a fundamental right is the first step in order to increase levels of protection in the data-sphere. On 22 May 2019, the European Data Protection Board (EDPB), which is a European entity composed of Member States’ Data Protection Authorities and the European Data Protection Supervisor, published the results of one year of GDPR enforcement. There were 441 cross-border procedures, from one in June 2018 to 40 on 20 May 2019, reaching the highest rate in April 2019 with 51 cross-border procedures.
From the survey, we also learned that National Data Protection Authorities registered increasing queries and complaints compared to 2017. More than 144,000 queries and complaints and 89,000 data breach notifications have been registered from National Authorities, underlining the increased awareness among data subjects.
The spread of the GDPR word
The regulatory model of the GDPR has been studied and evaluated all over the globe, and several data protection laws are about to be adopted from different countries in the world following the principles and rules of the GDPR. Countries like Brazil, with the General Data Protection Law, and China, with the Cyber Security Law, shaped their regulations on the model of the GDPR, followed by Canada and South Africa, while California, with the California Consumers Privacy Act, and Japan both introduced a softer regulation.
Let’s just remember the major case of Cambridge Analytica, when this British political consulting firm had access to the personal data of citizens in the USA and Europe through apps connected with Facebook, allowing it to profile them for political propaganda reasons that might have influenced election results. Cambridge Analytica pushed states to adopt legislation to protect personal data; however, truth be told, if Artificial Intelligence is the key of the fourth industrial revolution, data will be needed in order to ensure economic growth. The key will be in balancing everyone’s rights. Learn more about data subject rights in the article 8 data subject rights according to GDPR.
The art of balancing rights with high fines
The next step that Data Protection Authorities will face is the balance of rights. In the first year of GDPR enforcement, European citizens became aware of their fundamental data protection rights while entities made great effort to comply with the new rules. Of course, fines had been imposed by National Data Protection Authorities.
The most severe Data Protection Authority had been the French CNIL, imposing a 50 million Euro fine against Google LLC for lack of transparency on 21 January 2019. The other high fines, such as Uber’s 400,000 Euros, were based on the lack of security measures to protect personal data.
Most of the other Data Protection Authorities gave suggestions and guidance to economic operators in order to comply with the GDPR requirements, issuing fines in cases of data processing without a legal basis.
However, in the new framework, data protection rights will be balanced with other rights, like the freedom of expression and information or the freedom to conduct a business.
In fact, in the GDPR preamble, the “whereas” n. 4 clearly states:
“(4) The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.”
Why will the role of the EDPB be crucial?
In order to ensure a unique data protection legal framework, the role of the EDPB will be crucial, in the future, in order to harmonise principles and decisions among the National Data Protection Authorities and avoid, as much as possible, any discrepancy of treatment in the different Member States.
A year after the GDPR compliance deadline, on 4 June 2019, the EDPB took further steps. It adopted the final version of the Guidelines on Codes of Conduct, in relation to Article 40 and Article 41, with impacts at both the national and European levels. The goal is to “act as a clear framework for all competent supervisory authorities, the Board and the Commission to evaluate codes of conduct in a consistent manner and to streamline the procedures involved in the assessment process.” The Guidelines on Certification and Accreditation were adopted, too, in order to ensure harmonised interpretation of GDPR rules across European countries.
If you want to learn more about data subject rights, you can also enrol in this free webinar: Data Subject Rights under the EU GDPR.
The lesson for the future
While the EDPB and national authorities will face the balance of rights, one lesson we can learn from the first year of GDPR enforcement is the importance of accountability under Article 5 of the GDPR. Being able to explain what, how and why data are processed will be crucial for the future. Transparency will be important in the relationships with consumers and employees who are aware of the importance of their data, and it will be a key factor in lowering litigation risks due to data processing.
Meanwhile, accountability will help in dealing with Data Protection Authorities in case of controls, data breach or complaints, underlining the legal basis of data processing and the other rights to be balanced with them.
To learn how to deal with data subject requests, download this free EU GDPR Data Subject Access Request Flowchart.