The stringent new measures were rolled out to help people better understand the way in which information is collected and used, and to act as a deterrent for organisations breaching data laws. Any organisation found to contravene the GDPR can now be fined up to €20 million or up to 4% of their annual worldwide turnover for the preceding financial year – whichever is greater.
The GDPR is said to be one of the most stringent pieces of data protection legislation in the world, but these laws only protect EU citizens, and countries around the world differ in their approach to privacy law. In the US, there is no single piece of data protection legislation. Instead, there are a number of different laws that have been legislated at national and state level, although work is being undertaken to try to align data laws across the country.
The big concern is that, despite having the GDPR in place, EU member state regulators have been slow to issue final penalties to businesses in breach of the law. Since its inception over two years ago, there have been over 160,000 data breaches reported in the EU, but only a handful of businesses have been penalised. Brave, a maker of a pro-privacy browser, released a report recently claiming that the “European governments have failed to equip their national regulators to enforce the GDPR”. The report revealed that only five of Europe’s 28 national enforcers of the GDPR have more than 10 tech specialists each, and half of EU enforcers of the GDPR have small budgets (under €5 million).
Some notable cases have led to potentially significant fines that are yet to be set in stone. The ICO has issued a notice of intention to fine British Airways a record-breaking £183m for a data breach involving over half a million customers, with the total compensation pay-out potentially rising to £3bn. Similarly, Marriott has been issued with a notice of intention to fine in the sum of £99m. But in both of these cases, the fines are not final and are being contested, and a year on from their announcement, we still do not know what the final amounts will be. The lack of swift and proper execution of GDPR punishments on businesses that breach the law has, perhaps, lessened the threat of fines and, therefore, the weight of the deterrent. This should be a concern for all.
These issues have been further compounded by the ongoing coronavirus pandemic, which has likely stifled regulators' ability to use their powers appropriately. Businesses have also faced incredible difficulties in focusing on data privacy while adapting to new ways of working in such a short period of time, and this will no doubt be in the minds of regulators.
Unfortunately, there appears to be a need to push for greater regulatory action to ensure that data privacy rights are upheld. Where regulators are fully equipped and resourced to enforce the legislation at their disposal, swift execution of severe punishments for breaching the law can act as a solid deterrent for organisations to change their ways and ensure they protect the data they store and process. If not, we could see further data breaches occur, and the degradation of data privacy rights throughout Europe despite the weight of the new laws in place.
Unless there is a considerable change to the way data privacy regulations are upheld and the way punishments are sanctioned, the worrying possibility is that we could be sleepwalking into an era where the changes we need will fail to come to fruition. Legislators around the world must have the resources they need to uphold and enforce data privacy laws or the impact of the new regulations could be underwhelming. If organisations feel no real threat of the law being applied to them, there may be no end in sight to the slippery slope of data privacy rights continually being abused. There is still time to act, but governments must fully support regulators so they can enforce strong data privacy laws.
Aman Johal, lawyer and director of Your Lawyers