On 25 May 2019 it will be one year since the General Data Protection Regulation (GDPR) came into force. This article considers its impact so far in Ireland, the EU and beyond.
Awareness
In the EU, the public are more aware than ever of their data protection rights and the obligations of those who process their personal data. According to a recent European Commission survey, 67% of EU citizens have heard of the GDPR and 57% are aware of the existence of a data protection supervisory authority in their own country. This increased awareness is reflected in the volume of communications that EU supervisory authorities have received from data subjects since the GDPR came into force. According to the European Data Protection Board (EDPB), over 144,000 queries and complaints and over 89,000 data breach notifications have been made to EU supervisory authorities since May 2018.
The GDPR has also paved the way for the introduction of enhanced data protection legislation beyond the EU. Brazil, Japan, the state of California and a number of other jurisdictions have introduced, or are considering the introduction of, GDPR-like data protection measures. It is clear that the introduction of the GDPR marked the beginning of a new age of enhanced data protection rights and obligations, and increased public awareness of those rights and obligations, around the globe.
Cooperation and Consistency
The EDPB promotes cooperation between EU supervisory authorities and maintains consistency in the application of data protection law throughout the EU. Established under the GDPR, the EDPB replaced the Article 29 Working Party (WP29) and is composed of representatives from each EU supervisory authority and the European Data Protection Supervisor. In the past year, the EDPB has endorsed a number of the WP29’s data protection guidelines, and has itself adopted six further guidelines in relation to the GDPR.
Enforcement
Enforcement under the GDPR is in its very early stages. Supervisory authorities throughout the EU are still dealing with the backlog of pre-GDPR issues, and investigations take time.
While the Irish Data Protection Commission (DPC) is conducting a number of statutory inquiries in respect of Irish-established multinational technology companies (including its recently announced inquiry into Google Ireland’s online Ad Exchange), it has yet to issue an administrative fine. The expectation is that more decisions and enforcement actions will be issued by supervisory authorities in 2019, as many ongoing investigations reach their conclusion. The most recent annual report published by the DPC stated that a number of inquiries concerning multinational technology companies’ GDPR compliance “should reach the decision and adjudication stage later this year”.
But there has been some significant enforcement in other jurisdictions.