
Protection: Challenges and Progress


The General Data Protection Regulation (GDPR) has completed five years since its implementation in May 2018. Adopted by the European Union (EU), the GDPR was created to enhance privacy and safeguard the personal data of EU citizens. The last five years have witnessed the implementation of stricter rules for data breach reporting by organizations, mandating them to inform the relevant authorities and impacted individuals within a specific timeframe in the event of a data breach. The GDPR applies to all organizations processing personal data of EU citizens, regardless of their location.

Following the introduction of the GDPR, similar regulations have been implemented worldwide, leading to an increase in the demand for better disclosures. Meanwhile, large tech companies have been lobbying to retain their flexibility and freedom to use and sell data. The GDPR’s universal application has forced companies across the globe to comply with stringent requirements and ensure the safety of EU citizens’ personal data.

Martin Sloan, Partner at UK law firm Brodies LLP, has observed GDPR’s impacts and related issues since its inception. In a discussion with Chandu Gopalakrishnan of The Cyber Express, he described the regulation and its effects on the EU and the world, how Brexit could affect GDPR, and the UK’s ongoing efforts to establish a GDPR alternative. Here are some edited excerpts from his conversation:

Organizational practices on data protection and privacy have witnessed a significant transformation since the GDPR was introduced. While many firms were already adhering to the regulations on data protection, others needed to update their policies. However, the GDPR converted data protection compliance into an important corporate risk, resulting in increased awareness of internal compliance risks at board levels, diligence on M&A deals, and many businesses’ investments in innovation. Combined with cyber risk, data protection and information security are now critical corporate risks for most companies.

Risk and penalties must be considered in the event of breaches. What are notable examples of data breaches or privacy violations that have resulted in significant fines under GDPR, and what lessons can be learned from these cases?

The €1.2bn fine recently issued by the Irish Data Protection Commission to Meta for a violation of cross-border data transfer rules is the largest to date under GDPR. Additionally, significant fines have been imposed for violation of transparency, consent misuse, wrongful processing, the use of cookies and facial recognition technology, and data security. In the UK, the biggest fines have been levied against British Airways and Marriott for security flaws leading to cyber-attacks. More significant than the fine in this most recent case is the order to rectify non-compliance and suspend US data transfers for five months, which will have a direct and immediate effect on Meta’s business operations, which had a free hand on user data before.

How has GDPR empowered individuals to exercise greater control over their personal data, and what mechanisms have been developed for exercising data protection rights?

GDPR supplemented existing individual rights with additional rights such as erasure (right to be forgotten), data portability, and specific rights on automated decision-making. Regulators’ efforts to improve awareness of GDPR provisions have enabled individuals to exercise their rights, resulting in a surge in the number of requests to businesses. However, these rights regularly come with conditions, making it possible for businesses to reject certain requests. This possibility of rejection and opposition frequently impacts broader initiatives.

How has GDPR impacted cross-border data transfers and global data protection norms? What are the implications for global organizations?

Despite GDPR not making significant changes to EU regulations associated with cross-border data transfers, the last five years have brought many changes, including the European Court of Justice’s verdict that the privacy shield scheme for US data transfers is incompatible with EU law. There are concerns over the introduction of EU standard contractual clauses and evaluation of the effects of transfer. Meta was recently ordered by the Irish Data Protection Commission to suspend US data transfers for five months due to non-compliance. Additionally, considering the expectations for other standards’ implementation, many countries have adopted their rules for cross-border transfers, presenting concerns for firms that transfer data between regions, necessitating the juggling of varied laws globally.

Considering future data regulations beyond GDPR, what trends or developments should we anticipate? How will advancements in emerging technologies like blockchain, IoT, and AI shape future data privacy regulations?

Data protection agencies are already dealing with new technologies like AI. Earlier this year, the Italian Data Protection Authority banned operations of ChatGPT in Italy, a ban that was subsequently lifted after changes were made to the operation. Proposals for legislation relating to AI are being made in the EU and UK, and how they will interact with data protection laws remains to be seen. With EU and UK laws differing on AI regulations and a new privacy bill in the UK Parliament, we are now witnessing the beginning of post-Brexit differences between the two entities. Moreover, issues on cross-border data transfer and tensions between EU data protection regulations and local authorities’ powers remain unresolved, with many challenges ahead.
