GDPR: 10 Months down the road

Mar 21, 2019 | EU GDPR: 10 Months down the road

The European Data Protection Board (the “EDPB”) recently published an overview on GDPR’s implementation since its enforcement last May, and the roles of national supervisory authorities in this regard. We have summarised and examined some of the items we consider key to the success of GDPR, in this blogpost.


National Implementation of the GDPR

As of today, almost all Member States have implemented and enforced the GDPR in their national laws. The only remaining exceptions are the Czech Republic, Greece, Slovenia and Portugal.

Guidelines and Recommendations

Along with the national implementation laws, national supervisory authorities (“SAs”) and the EDPB have issued guidelines and recommendations clarifying various aspects of the GDPR. The EDPB has also adopted all the previous guidelines issued by WP29. It is important to note that most SAs have published their lists of additional triggers for conducting a data protection impact assessment, and the EDPB has issued consistency opinions on these lists, requiring certain additions to or removals from the national lists. Other relevant guidelines are those on the territorial scope of the GDPR (still under consultation) and the guidelines on certification bodies and their accreditation.

GDPR Compliance

General awareness of data protection has definitely increased with the implementation of the GDPR. There has been an increase in the number of data subject access requests as well as in complaints reported to SAs. For instance, as per the EDPB report, SAs from 31 EEA countries reported 206,326 cases, of which 94,622 comprised data subject complaints. 52% of the total reported cases have been concluded and 1% are currently being challenged before national courts. The total administrative fines imposed for non-compliance to date amount to €55,955,87.

In our observation, some SAs, such as that of France (“CNIL”) and the Dutch SA, have been more active in monitoring GDPR compliance than others. For instance, the Dutch SA has reviewed compliance with Article 30 (record of processing activities) by companies from various sectors, as well as compliance with the requirement to appoint a data protection officer. More recently, it has acknowledged receipt of a large number of complaints from website users about being blocked from accessing websites after refusing cookies. In light of this, the Dutch SA has issued a note on the illegality of cookie walls. In our opinion, it would be prudent to improve cookie compliance in anticipation of a fresh investigation by the Dutch SA in this regard. With respect to data subjects’ right to information and consent, CNIL has recently imposed a financial penalty of €50 million on Google LLC for violating its transparency obligations and not obtaining valid consent before delivering personalised advertisements.

Besides fines and investigations, CNIL has also provided detailed guidance on several aspects of the GDPR. For instance, CNIL has issued detailed forms for conducting data protection impact assessments. The Dutch SA has issued guidance on what processing records should consist of, and what the criteria are for a GDPR-compliant Article 30 register.

Miles to go before we sleep

As may be seen, there is definitely a general increase in awareness and urgency regarding compliance with the GDPR. However, several ambiguities remain that need to be tackled in order to achieve the GDPR’s legislative intent.

For instance, one of the main objectives of the GDPR was to overcome the fragmentation of data protection laws under the previous regime (Directive 95/46/EC), and to support the free flow of data across borders within the EU by achieving legal certainty and consistency in data protection. To achieve this, the GDPR was structured as a regulation directly applicable in all Member States. However, for good reason, the GDPR recognised that Member States may be better placed to legislate on certain issues within their jurisdictions, and therefore left them room to lay down conditions for specific processing situations. This is also relevant in the context of sector-specific laws that Member States are competent to legislate on, which may impose their own sectoral data protection limitations. Sensitive data, the age of consent, data processing in the context of employment, the powers of SAs and the designation of a DPO are some of the areas in which Member States can lay down specific rules setting limits or stipulating additional conditions for data protection.

However, this is emerging as a double-edged sword, since these differences in national implementation laws could again lead to fragmentation and dilute legal and practical certainty for data subjects as well as controllers. Similar divergences are also seen in the guidelines and clarifications issued by different SAs. As an obvious consequence, it is likely to become harder for multinationals to achieve complete compliance with the GDPR, since this would often entail meeting different standards in different jurisdictions for the same processing activities. An argument often heard is that the purpose of the GDPR is to protect the privacy of individuals, not to facilitate ease of doing business. However, one cannot deny that the two go hand in hand, and the GDPR itself recognises this in recital 7, which states that “legal and practical certainty for natural persons, economic operators and public authorities should be enhanced.”

Although many positive changes have occurred in the past 10 months, many companies continue to be non-compliant, either because of practical or interpretational challenges or because of financial burdens. In order to achieve satisfactory levels of compliance across the EU, all stakeholders must be involved in clarifying ambiguities, increasing ease of compliance through cooperation and consultation, developing industry codes of conduct (which can be particularly useful for SMEs), and implementing seals and certification mechanisms. The ultimate goal is to embed privacy by design and by default into the very core of corporate ethics. Last but not least, it is hoped that in the future the Court of Justice will be given opportunities to remove differences between national implementations and to bring about more certainty, uniformity and greater compliance with the letter, spirit and essence of the GDPR.