Tuesday marked the third anniversary of the General Data Protection Regulation (GDPR) coming into force, the legal framework setting guidelines for the collection and processing of personal data from individuals who live in the EU. GDPR’s impact was global, even though it was drafted and passed by the EU. It imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. With potential fines of €20 million or 4% of global turnover, it has captured the attention of media and the general public. To date, around 660 fines have been issued by various data protection authorities in Europe with a tally of €292 million. The highest GDPR fine to date remains the €50 million fine imposed by the French data protection regulator, CNIL, on Google for alleged infringements of the transparency principle and lack of valid consent.
GDPR came into force on 25 May 2018, promising a new age in privacy rights for Europeans and transforming the way companies process data forever. GDPR placed a spotlight on many high profile multi-national companies based in the EU. As the European base for many of the world’s leading technology companies, Ireland and its Data Protection Commission (DPC) have maintained this high profile. Among EU Member States, Ireland recorded the third highest number of data breaches per 100,000 citizens during the period from 25 May 2018 to 27 January 2021.
Enforcement of the GDPR has attracted a lot of criticism, with Ireland’s DPC finding itself at the centre of the world’s gaze. By virtue of the fact that so many major US tech companies have their EU headquarters in Ireland, these firms are answerable to Ireland’s DPC under the GDPR.
Some of the GDPR remains functionally clunky. The one-stop-shop mechanism, under which tech companies like Google, Facebook, and Twitter can handle much of their GDPR responsibilities in one country, in this case Ireland, has created a backlog of still-unaddressed complaints in Ireland, leading to criticism across the EU over its moderate penalties and the slow pace of its case-handling. The DPC’s largest fine so far was a €450,000 penalty imposed on Twitter in December 2020, a moderate penalty in comparison to the fines imposed by France on Google, and by Germany on H&M (€35 million).
According to its latest annual survey of GDPR fines and data breaches, a total of 6,615 data breaches were reported to Ireland’s Data Protection Commission in the past 12 months, the sixth highest level of breach notifications across Europe. Despite ranking high on both the level breach notifications and data breaches per capita, Ireland ranks 14th in fines under the GDPR since it came into May 2018.
Many critics of the current GDPR system would like to see the end of the one-stop-shop mechanism and instead see the introduction of a pan-European approach to the handling of data breach complaints, arguing it would share the workload and speed up investigations. Dr. Johanne Casper, head of Hamburg’s data authority, is a key proponent of reforming the GDPR and has said that “the one-stop-shop procedure has shown massive deficits as it leads to inefficiency, bureaucratic structures and to massive differences between law enforcement in purely national and EU-wide procedures”.
The GDPR, despite its flaws, is one of the most ground-breaking pieces of legislation to come from the EU in the past 30 years. Its full impact is yet to be seen with many companies and countries still adjusting to the transformed data processing landscape.