It is five years since the General Data Protection Regulation (GDPR) was introduced, with the promise of tougher penalties for mishandling the data of EU citizens.
The new rules, which came into force on May 25th, 2018, imposed strict data management and privacy protection requirements on organisations processing the personal data of people in the EU, regardless of where the organisation is located, as well as on any processing carried out within the EU.
The headline fines for breaching the rules seemed enormous: up to 4 per cent of global annual turnover (not profit), or €20 million, whichever is higher, for the most serious offences. As companies scrambled to make sure their businesses were compliant ahead of the deadline, there was general optimism that this would, finally, bring companies into line when it came to processing personal data.
Five years on, how has that gone? While GDPR has certainly focused the attention of companies and entities processing data, the work has been slow. If you were to borrow an overused political slogan to sum things up, the consensus would be: a lot done, a lot more to do.
At first, it was a trickle: one fine a month, maybe two, as the new regulations bedded in and companies began to come to the attention of authorities under GDPR.
The fines are coming faster these days. On one hand, you could look at the growing number and argue that the financial penalties are not working as a deterrent. On the other, you could say it indicates a growing awareness of rights and responsibilities under the data protection rules, and a growing willingness to enforce them.
To date, more than 1,600 fines have been imposed by data protection watchdogs across the EU. Spain is top of the list in terms of sheer numbers, with almost 650 fines to date. At fewer than 30 fines, Ireland doesn’t even crack the top 10.
That may seem unusual, given the number of big tech companies that call Ireland home and therefore fall to the Irish regulator under the one-stop shop mechanism, but the size and scale of the investigations involved are also a factor.
“There is a concern that the DPC [Data Protection Commissioner] has been quite slow. It has been quite cautious and has been quite risk averse in the approach that it’s taking. And I think that is a fair criticism,” says TJ McIntyre, chairman of Digital Rights Ireland.
The five-year anniversary of the regulations also coincided this week with news of the largest fine yet levied under GDPR: a €1.2 billion penalty against Meta Ireland over transfers of Facebook user data to the US, imposed by the Irish authorities. That eclipsed the €746 million fine that Luxembourg's data protection authority imposed on Amazon in 2021.
In total, Meta is responsible for four of the top five GDPR fines in the past five years – and all of those have been levied in Ireland. In total, the social media giant has been fined more than €2 billion under data protection rules.
The latest penalty is the result of a 10-year battle with Austrian activist Max Schrems that has seen the case go all the way to the Court of Justice of the European Union to force an investigation into the transfer of Facebook data from the EU to the US.
It also puts Ireland at the top of the list of enforcement actions across the EU in monetary terms – perhaps reluctantly so. A recent study of GDPR decisions in Ireland found 75 per cent of the DPC’s recommendations were overturned by European counterparts in favour of stronger enforcement action. The record Meta fine was no different. The original draft decision put forward by the DPC did not include a financial penalty. The European Data Protection Board compelled the inclusion of the €1.2 billion fine – less than the maximum amount it could have levied – along with the requirement to delete the data that had been processed improperly.
“[The] news is not Ireland being tough, but rather Europe losing patience,” says Irish Council of Civil Liberties fellow Johnny Ryan.
The one-stop shop mechanism allows companies operating in the EU, with an EU base, to deal with a single lead regulator, in the member state of their main establishment. Most of the big tech companies operating in the EU have their European base in Ireland, which means they answer to the Irish watchdog. As a result, the Irish DPC often comes under the microscope.
According to former European Commissioner for Justice Viviane Reding, the main architect of GDPR, the one-stop shop was not part of the original plans for the regulations. Reding opposed its inclusion, preferring instead that complaints against big companies be handled by an EU-wide body. But the one-stop shop mechanism eventually made its way into GDPR as a key feature after lobbying by several EU states.
But Castlebridge's Darragh O'Brien says the DPC's reluctance to impose frequent headline-grabbing fines on companies does not mean GDPR is failing. He notes that it was an unproven law, with the Irish regulator acting as lead authority and taking the "first punt" while establishing policies and procedures.
“[The DPC] has been taking possibly an overly conservative approach to landing those cases. But on the other hand, if they’d gone in big and gone with large fines straight out of the gate, and all the enforcement actions had fallen apart straight away, the DPC would be getting criticised now for being too aggressive and bumbling their decision-making process,” he says.
“They were playing the strategy of not wanting to have or trying to avoid having decisions appealed in the Irish courts because of excessively high penalties. So you will actually get to meaningful enforcement because once the appeal goes in, the decision is stayed until the appeal is heard. What we’re seeing now is a policy and the approach of big tech firms is, the decision lands, they appeal and they try to kick the impact further and further down the road.”
Reducing the measure of the legislation's success to raw fine counts and totals may understate the impact of GDPR on the data privacy landscape. Its effects extend well beyond the enforcement actions taken to force companies into compliance.
"I think focusing on fines as a measure of success is like focusing on the number of dirty dishes in the sink as a measure of whether or not the dinner was nice," says O'Brien. "Anyone who had been doing this for more than a blink of an eye had been saying from 2012 that the penalties proposed were not going to be the mechanism for change that people were saying they were. They were fantastic headline grabbers, but they were not going to have the effect, because the legal hurdles, the required due diligence and the rigour of investigation you would have to make a massive penalty like that stick and not be appealed are huge. Those investigations take time."
The laws, and the attention they have brought, have also been key in focusing consumer attention on data privacy and individuals' entitlements. In many cases these rights existed before GDPR, under earlier data protection laws, but it was the profile of GDPR after 2018 that made people aware of them. People now throw around phrases such as "subject access request" or cite GDPR as a reason why certain material shouldn't be uploaded to social media.
“It’s a huge piece of law, so it’s very hard to attribute particular outcomes and particular aspects but I think it attracted a lot of attention. And that in itself is good because it’s enabled people to know what their rights were,” says McIntyre.
Those headline-grabbing potential fines were initially the key factor in turning corporate attention to compliance.
“They encouraged companies to start taking this seriously and complying. Very often they had existing duties that they had largely not been aware of. But it was the fact of these possible administrative fines that didn’t exist previously that got their attention,” says McIntyre.
The limited impact of the financial penalties can be seen elsewhere. Castlebridge's O'Brien points to Spain and Italy, where a large share of penalties are appealed, many successfully. The UK's ICO, he says, has "effectively given up on regulation" because big decisions of the past three or four years have been appealed successfully, with fines knocked down to about a 10th of their original value.
"What's more important is the behavioural change in companies and the awareness in society about the fact that there are rules," says O'Brien. "People have changed behaviour. We've seen this with public bodies, government agencies now actually having to think through potential impacts of data protection issues on people. And what you have to bear in mind is GDPR isn't about stopping people doing things with data, it's making you think about the risks to individuals when you're doing things with data. And that's a societal values change. That's a societal conversation."
It is, he says, a work in progress. GDPR has been an evolution, contributing to and accelerating the global conversation on data protection. Next on the list should be ensuring that governments comply too, including within Europe. While the EU has cast scrutiny on other countries' surveillance regimes, including that of the US, it is inevitable that the spotlight will be turned back on its own member states.
“If we are going to be criticising surveillance regimes and looking for equivalence in government oversight, we need to make sure that our oversight is effective,” says O’Brien.