The General Data Protection Regulation (GDPR) was implemented in the European Union (EU) exactly five years ago, in May 2018, to protect the privacy and personal data of EU citizens.
These five years of GDPR saw stricter rules for data breaches being introduced, requiring organizations to notify relevant authorities and affected individuals within a certain timeframe if a breach occurs.
The GDPR applies to all organizations that process the personal data of EU citizens, regardless of whether the organization is located within the EU or not.
What followed was a wave of similar regulations across the world, increased demand for better disclosures, Big Tech’s incessant lobbying to retain their free rein on data usage and sale, and million-dollar penalties.
The GDPR’s extraterritorial reach has compelled organizations worldwide to comply with its stringent requirements, ensuring the protection of the personal data of European Union (EU) citizens.
Martin Sloan, Partner at UK law firm Brodies LLP, has been involved with the nitty-gritty of GDPR since its inception.
He has witnessed the five years of GDPR’s growing impact on the EU and the world, the repercussions of Brexit on the regulations, and the UK’s continuing efforts to set up a GDPR alternative.
With his extensive expertise in the field, Martin shares his valuable insights into the past, present, and future of the GDPR in a discussion with Chandu Gopalakrishnan of The Cyber Express. Edited excerpts:
We have witnessed a sea change over the five years of GDPR. How has the implementation of GDPR influenced the practices of organizations regarding data protection and privacy?
For many organizations, the introduction simply required an evolution of their existing practices relating to data protection.
Many were already doing the right thing, but just needed to tighten up on some of their internal policies and procedures. For others, it required more extensive work.
What GDPR did do was bring to the fore data protection compliance as a major corporate risk, whether that be awareness at board level of internal compliance risks, or as a key point for diligence on investment and M&A deals.
In parallel, many businesses are now driven by data. This will only increase as businesses invest in AI and other technology.
Combined with cyber risk, data protection and information security are now key corporate risks for most businesses.
Risks and breaches are now followed by penalties. What are some notable examples of data breaches or privacy violations that have resulted in significant fines in these five years of GDPR, and what lessons can be learned from these cases?
The €1.2bn fine issued earlier this week by the Irish Data Protection Commission to Meta is the largest fine issued to date under GDPR. This related to non-compliance with the rules on cross-border data transfers.
We have also seen substantial fines for failure in relation to transparency, the use of consent, unlawful processing and the use of cookies, facial recognition technology and data security.
In the UK, the largest fines issued have been to British Airways and Marriott in relation to data security failings that led to cyber attacks.
While it does not get the same headlines as the fine, the more significant part of the DPC’s enforcement action against Meta this week is the order to suspend US data transfers for five months and to rectify the non-compliance within six months.
These have a direct and immediate impact on the operation of Meta’s business.
Meta had a free rein on information of individual users before. In what ways has GDPR empowered individuals to have more control over their personal data, and what mechanisms have been established for exercising their data protection rights?
GDPR carried forward existing rights of individuals under previous legislation, supplementing them with additional rights such as the right of erasure (right to be forgotten), rights to port data to another organisation, and certain rights in relation to automated decision making.
The media coverage of GDPR, together with awareness-raising activity by regulators, has helped to make individuals more aware of these rights, leading to businesses receiving more requests than they did prior to GDPR.
However, the rights are often misunderstood. For example, many of the rights are qualified, which means in some cases businesses can reject a request.
The possibility of rejection and contention has often affected larger initiatives. How has the GDPR affected cross-border data transfers and the establishment of international data protection standards? What are the implications for businesses operating globally?
While GDPR did not itself make any substantive changes to EU rules on cross-border data transfers, the last five years have seen numerous court cases and other developments.
These include the European Court of Justice’s ruling in the Schrems II case, which found that the Privacy Shield scheme for US data transfers was incompatible with EU law.
The introduction of new EU standard contractual clauses and regulatory guidance on transfer impact assessments is another point of debate.
And, of course, there is the order issued last week against Meta by the Irish Data Protection Commission after the regulators found that Meta’s US data transfers were unlawful.
In parallel, we are now seeing a number of other countries introduce their own rules on cross-border transfers.
Each of these presents challenges to businesses that transfer data internationally, as they seek to juggle different rules around the world and continually evolving regulatory guidance.
Looking ahead, what trends or developments can we anticipate in data regulations beyond GDPR? How might emerging technologies like artificial intelligence, blockchain, or IoT shape the future of data protection and privacy regulations?
We are already seeing data protection regulators grapple with new technology, such as AI.
Earlier this year, the Italian data protection authority temporarily suspended ChatGPT in Italy, only lifting that suspension when OpenAI made some changes to how ChatGPT works and the information it provides to users.
AI-specific legislation is being proposed in both the EU and UK, and it remains to be seen how that will interact with data protection laws.
With differing approaches to the regulation of AI and a new data protection bill in the UK Parliament, we are starting to see the beginnings of post-Brexit deviation between the EU and UK.
It is also clear that there is a long way to run on cross-border data transfers and the tensions between EU data protection laws and the powers of local law enforcement. Meta has already said it will appeal the DPC’s order.
The EU and UK are both trying to agree a new cross-border data transfer framework with the USA, but it is inevitable that campaigners will seek to challenge this in the courts as they did with Safe Harbor and Privacy Shield.
These disputes pre-date GDPR by many years and will continue for years to come.