GDPR is a landmark in privacy legislation. Through its 99 articles, it sets a framework for both businesses and individuals on their rights and responsibilities when it comes to protecting privacy. The most important element, in my opinion, is that privacy functions as a fundamental human right and needs to be protected.
The Authorities' View
Although the first year of GDPR enforcement was considered a “grace period,” many high-profile investigations and fines have made it to the headlines such as:
- The Irish DPA has 54 GDPR investigations underway, 19 of which are related to large tech firms including Google, Twitter, LinkedIn, Apple, Facebook and its WhatsApp and Instagram subsidiaries, as well as Verizon, which owns Yahoo and the Huffington Post. Many of these cases are expected to be near completion by September-October.
- The Hamburg DPA has ordered Google to stop manual reviews of audio snippets generated via its voice AI for three months whilst it investigates revelations that contracted workers have been listening to voice recordings made through smart speakers.
- Berlin DPA intends to fine a tech company for tens of millions.
- UK’s ICO has opened an investigation into the King’s Cross private surveillance system using facial recognition technology.
- In July 2019, ICO issued notice of its intention to fine BA £183.39 million and Marriott $111.5 million for GDPR infringements.
- The Greek DPA fined PWC Business Solutions €150,000 for unlawfully processing the personal data of its employees and for processing the personal data of its employees in an unfair and non-transparent manner.
Hundreds of cases are being investigated by almost all national DPAs. According to the European Data Protection Board, Data Protection Authorities in 11 Member States issued €56 million of fines over the first year of GDPR.
Actually, this first year was the second chance businesses had to comply with the Regulation. Although the law was enacted back in 2016, it provided for a two-year grace period during which both authorities and businesses had the chance to prepare before the Regulation’s actual implementation in 2018. Unfortunately, many European businesses didn’t seize this opportunity. In fact, 30% of European businesses admit they are still not compliant with GDPR, according to a survey conducted by the European Business Awards.
Finally, marking the GDPR anniversary, the European Commission published a report looking at the impact of the EU data protection rules and how implementation can be improved further. The Commission’s communication sets out concrete steps to further strengthen the data protection rules and their application. The Commission recommends that the European Data Protection Board (EDPB) should step up its leadership and continue building an EU-wide data protection culture. Additionally, it encourages national data protection authorities to pool their efforts, for instance, by conducting joint investigations.
The Civil Society Organizations' View
According to United Nations Development Program (UNDP), civil society organizations (CSOs) are “voluntary non-market and non-state organizations” that “play a vital role in enabling people to claim their rights, in promoting rights‐based approaches, in shaping development policies and partnerships, and in overseeing their implementation.” Actors of civil society can, for instance, include non-governmental organisations (NGOs), professional associations, social partners, universities or media representatives. They are usually close to local communities and can, therefore, play a crucial role in development cooperation.
As part of the European Commission’s Directorate General for Justice and Consumers’ assessment of GDPR’s impact, the European Union Agency for Fundamental Rights (FRA) asked civil society organisations (CSOs) to answer a short online questionnaire about the impact of GDPR on their daily work.
The FRA report is based on responses from 103 organizations, which represent a wide range of CSOs, most of which do not work specifically in the field of privacy and data protection.
The ‘General Data Protection Regulation – one year on’ focus paper shows that two-thirds of civil society organizations understand the GDPR requirements and that around half of them have also designated data protection officers. However, even with this understanding, 77% face challenges in implementing the rules. Eighty-nine percent of the CSOs say it required effort to comply with the rules, as they understood them. This mostly relates to adopting or revising privacy policies and obtaining consent from mailing list subscribers.
The above figures are worse when it comes to small CSOs. Smaller CSOs are more likely to lack awareness or understanding of GDPR requirements and, as a result, to fail to implement them, due to a lack of adequate resources. The GDPR's principles were characterized as "cumbersome," "complex" and "costly." The main concern lies in the likelihood that they could miss or misinterpret important legal requirements as a result of not being able to dedicate either the human or the financial resources needed to assess the new data protection requirements properly. Several organizations referred to their need to receive information tailored to the specificities and needs of civil society.
The latter point brings us to the next significant finding: getting appropriate advice and cooperating with the DPAs. The GDPR Article 57 has reinforced and widened the scope of the mandate of DPAs to the following tasks:
- “promote public awareness and understanding of the risks, rules, safeguards and rights in relation to data processing”
- “advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing”
- “promote the awareness of controllers and processors of their obligations under this Regulation”
- “provide information to any data subject concerning the exercise of their rights under this Regulation”.
Despite these provisions, many respondents (48%) indicated that the relevant authority did not provide any assistance or advice to their organization (for example in the form of a leaflet, online information, a helpline or training). A few organizations further indicated, in response to an open question, that while their national authority did provide some information on its website, such information was either “incomplete” or “not particularly helpful.” Of the 30% of organizations that indicated they had benefited from information from their supervisory authority, the main source of assistance or advice was online or web-based information. This finding underlines a lack of communication between the two involved parties.
Regarding the impact of the GDPR on the daily work of the CSOs, many respondents indicated that the GDPR did not have any impact on the efficiency of their day-to-day work (37%). Another 37% of respondents indicated that the GDPR had made their work somewhat less or much less efficient, while 16% of respondents declared that the GDPR had made their work somewhat more or much more efficient. The majority of organizations that declared that the adoption of the GDPR had made their work somewhat less efficient or much less efficient operate in the field of access to justice, economic and social rights, poverty eradication, education or immigration, asylum and return and integration. All of these are activities that are highly connected to alleviating real-life problems and obstacles faced by people seeking immediate social care and protection.
In fact, some organizations reported cases in which official bodies had denied them access to sensitive information (such as data on ethnic origin) on the basis of the GDPR. This is particularly concerning, as it could prevent organizations that work on, for instance, the prevention of discrimination or victim support from being effective. Several of the respondents, when invited to add any further remarks in relation to the issues covered by this survey, highlighted concerns that some governmental bodies may misuse the GDPR against CSOs. Concerns include potential threats to CSOs from state actors, the abuse of fines, strict interpretations of GDPR requirements to weaken CSOs’ effectiveness and limiting the action of small NGOs, in particular, those that perform advocacy or watchdog activities.
As far as security is concerned, the vast majority of the organizations (91%) declared being concerned (from “slightly” to “very” or “extremely concerned”) by potential unauthorized access to personal data. The security of personal data is very important for most CSOs, which may have to process very sensitive and/or confidential information. Concerns regarding potential surveillance by governmental bodies are noteworthy, as 28% indicated that they are either very or extremely concerned about this.
The majority of respondents (75%) have adopted a new data protection policy since the date of application of the GDPR. Of the respondents who declared that they were somewhat to extremely concerned by any form of unauthorized access other than government surveillance, 64% had installed a new IT system within their organization.
Users rarely seem to use their rights to access, modify or erase their personal data held by civil society. When they do, it tends to be mostly about deleting their personal data. In addition, the paper shows that very few civil society organizations exercised their right to complain about data protection violations.
The European Data Protection Board report says that “the GDPR cooperation and consistency mechanism works quite well in practice. The national supervisory authorities [DPAs] make daily efforts to facilitate this cooperation, which implies numerous exchanges (written and oral) between them.”
But this is only one side of the coin. The FRA report actually highlights two important issues: a lack of communication, or an inadequate information flow, between the DPAs and the CSOs, as well as a lack of trust that governmental bodies will exercise the law in good faith. Despite the high-profile fines and the discussions around "privacy-by-design," awareness and trust should be at the top of the GDPR compliance agenda. And we still have a long way to go to achieve this.