The entry into force of the EU General Data Protection Regulation (GDPR) on May 25th, 2018 was undoubtedly one of the most anticipated events in the compliance world last year. The threat of fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher, left many compliance officers scrambling to ensure their organizations complied with the new regulation. Now that we are more than six months into the GDPR, which of those fears and speculations have actually turned out to be justified? Let’s take a look.
First Fines, Significant Increases in Complaints and Data Breach Reports
For compliance officers, enforcement of the GDPR still largely remains a question mark. Part of the issue is that the GDPR is enforced primarily at the member-state level by national data protection authorities (DPAs) and civil courts, meaning enforcement practices may differ vastly from one member state to another. German data protection authorities, for instance, have announced that they will start random GDPR compliance audits. So far, however, the purpose of this exercise appears to be to identify areas for future targeted audits and areas where more guidance from the authorities is needed. For our German readers, there is no need to panic just yet, although we can expect the German DPAs to expand their enforcement efforts going into 2019.
So far, the number of fines issued under the GDPR can be counted on one hand. The Portuguese data protection authority, Comissão Nacional de Protecção de Dados (CNPD), for instance, imposed two separate penalties on a hospital amounting to EUR 400,000 in total for inadequate controls over access to patient data. The first German fine was issued by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg (LfDI), which fined a social media company EUR 20,000 for inadequate data security. Other countries that have taken enforcement action or issued warnings for GDPR violations include Austria, the UK, Ireland, France, and Italy.
Even though the fear of hefty fines for thousands of companies has not come true yet, GDPR enforcement does seem to be ramping up. Complaints and data breach reports filed with national data protection authorities have skyrocketed in many EU countries since May 25th, 2018. In particular, the requirement to report a data breach to the supervisory authority within 72 hours of becoming aware of it has driven a lot of investment in data security, said Elizabeth Denham, the UK Information Commissioner, who heads the Information Commissioner’s Office (ICO), in a speech in December 2018. Denham also indicated that companies that are trying their best to comply with the GDPR and that cooperate with the agency can expect “to engage the advisory and warning end of our toolkit rather than the four percent of global turnover fines”. While these words remain vague, it appears that the ICO will focus on cooperation and on helping businesses implement the GDPR rather than on punishing them for non-compliance, unless they fail to cooperate. For now, all the talk about British Airways facing a GBP 500 million fine for its data breach, or Facebook facing a USD 1.6 billion fine for its data breach, appears to be just hyperbole.
Extraterritorial Reach?
The GDPR applies to all enterprises established in the European Economic Area (EEA) and, regardless of where they are established, to firms that offer goods or services to individuals in the EEA or monitor their behaviour. The consequences of this reach were one of the most vividly discussed topics before the regulation took effect. It is remarkable that the ICO has issued its first enforcement notice under the GDPR to a Canadian company without any presence in Europe. While the impact on non-EU businesses will likely remain unclear until a number of enforcement actions have reached a conclusion, the recently published draft guidelines of the European Data Protection Board on the territorial scope of the GDPR suggest that data protection authorities will seek to apply the regulation broadly.
Interestingly, the implementation of the GDPR has also triggered a wave of activity in jurisdictions beyond Europe. Israel and Brazil, for example, have moved ahead with their own data protection laws, following Europe’s lead. The US state of California has also passed the California Consumer Privacy Act, which provides protections similar to those of the GDPR.
Innovation and M&A
Businesses worldwide have started to experience a number of other consequences of the law, such as the burden it imposes on many mergers and acquisitions (M&A) transactions. A study found that 55 percent of surveyed M&A professionals believed that compliance and data protection concerns were a primary reason for M&A transactions not progressing. Respondents also believe that acquirers are paying closer attention to the data protection policies of target firms, which further slows down the process.
Moreover, venture funding for young European technology firms has decreased since the GDPR came into force. A study compared the overall dollar amounts raised through funding deals, the number of deals, and the dollar amounts raised per deal. Even though it is only a snapshot of the industry, the researchers found that, compared with young US technology firms, European firms received less venture funding, closed fewer venture deals, and saw their average deal size drop significantly. This suggests that the GDPR may well shape the direction of European innovation in the years ahead.
The Road Ahead for GDPR Enforcement
Without doubt, the GDPR is deeply affecting businesses around the world. Many companies are still far from being GDPR compliant, and compliance officers are still struggling to comprehend the law and its enforcement in their entirety. However, there is no reason for anxiety and wild speculation over GDPR enforcement. We will likely see enforcement activity tick up significantly in 2019, but speculation about huge fines seems premature considering the cautious position taken by most DPAs thus far.