The EU GDPR at One Year – What Have We Learned?
As the EU General Data Protection Regulation (GDPR) reaches its first anniversary, what have we learned, and what can we expect to see in the next 12 months? The answer to that question is plenty. Since the regulation came into force on May 25th, 2018, the focus has been on data breaches, which has significantly raised the public’s awareness of data privacy. European Union Data Protection Authorities received more than 90,000 complaints and 40,000 data breach notifications in the first nine months; there are more than 250 investigations into data transfer violations, and Google has been fined 50,000,000 Euros for failing to obtain consent. The countries reporting the highest number of data breaches were The Netherlands, Germany and the UK. However, data protection authorities have highlighted a tendency to over-notify for fear of not having “done the right thing”. Not all breaches need to be reported. Knowing when to report appears to be a lesson not yet learned.
Interestingly, according to the European Commission, in the peak month of May 2018 GDPR was searched for more often than Beyonce and Kim Kardashian. For a data privacy regulation to reach celebrity status as a search term helps demonstrate that it is on the way to achieving its key objective: to put the individual more in control of their personal data. The European Data Protection Board also published its guidelines on territorial scope, confirming that the GDPR does indeed have long arms. US companies need to take note. We also saw an increase in business commitment, with senior management acknowledging the importance of data protection, leading to an increase in resources for compliance and spend on this key area.
The GDPR has helped to shape global privacy and contributed to the changing landscape, including public awareness. New regulations such as the controversial California Consumer Privacy Act have been passed. Also in the US, the Children’s Online Privacy Protection Act is facing amendments proposed by Senator Markey, though the authors would have done well to look towards the GDPR and how it relates to children when writing this Bill.
Many challenges lie ahead as we move into this second year, particularly around territorial scope and data transfers. One objective, to harmonize data protection across the EU, has not been achieved in several areas. If we look at the regulation specifically in relation to children, for example, the differing ages of consent across the EU member states pose several issues for Information Society Services (ISSs), which must treat children differently in the UK than in, for example, Germany or Spain. There is also a lack of understanding among app and website developers over the lawful basis that should be applied when processing data: legitimate interest is not a free pass to collect and use a child’s personal data any which way they choose, and on the other hand there is also a tendency to over-use consent.
Children’s privacy will take its place in the spotlight in the coming months. Watch this space. The ICO (the UK data protection authority) will publish the Age Appropriate Design Code this summer. This code is enforceable, and ISSs will have to comply. The EDPB also has children firmly in its sights: the current work plan, published earlier this year, includes a focus on children. The GDPR is like a journey that never ends; it is not a completed task but an evolving one, and ISSs need to stay ahead and on top.
Claire Quinn is VP of Compliance for PRIVO. PRIVO is at the heart of developments in this space and will be updating its GDPRkids™ Privacy Assured Program to ensure it remains relevant and mapped to the regulation, the latest guidance and codes. For more information on the program, which demonstrates compliance in relation to children, contact us!