
European Union GDPR at one year

Technology for Lawyers

Published: July 5, 2019

The General Data Protection Regulation signed into law by the European Union is celebrating its first birthday. According to the attendant analysis by CNET, the nascent regs have accomplished much in just 12 months.

By the first anniversary (May 25), citizens, privacy groups and others had filed nearly 150,000 complaints under the regs (complaints can be filed by anyone).

Companies reported nearly 90,000 data breaches, which they are obligated to report within 72 hours of their occurrence (contrast that with how long it takes US companies to report data breaches, if they do it at all).

Fines, however, have not been all that massive. If you recall, a GDPR fine can be up to 4% of annual company worldwide revenue, but fines to this point have not approached that paralyzing figure. In fact, the only truly large fine has been the hit that Google took for 50 million euros (sort of like one of us being fined 75 cents).

Other fines include a Portuguese hospital for 400,000 euros, a Polish data processor for 220,000 euros, and a German chat app aimed at children for 20,000 euros.

But maybe the biggest fines are yet to come. All the big data players are under investigation or other threat by someone. Ireland, for instance, is investigating Google. And the new enforcement infrastructure needs to flesh itself out in methodology and personnel before it can establish go-to patterns of investigation and enforcement. That go-slow approach was delineated in statements by several EU officials.

As important as the actions of the regs are in the EU and for any company that does business in the EU, their impact on both the conversation around privacy and the implementation of regs around the globe may be of equal or greater importance.

In the US, California has already passed data privacy regulations patterned after GDPR, and other states and Congress are looking at the topic. Every website now has to comply with GDPR.

Countries including Brazil, Japan, South Korea and India are looking into enacting similar laws.

Maybe even more importantly, Facebook, Google and other monstrous tech empires are, at least publicly, talking about privacy and changing their business models and terms of service to accommodate it.

So let’s see if Facebook gets hit with a 50 billion euro fine in 2019. Now that would be interesting.