"Time flies so fast" is what we often say when we arrive at an anniversary and look back. As five years have already passed since the GDPR became applicable on May 25, 2018, it is worth asking some questions about the experience of applying the GDPR so far. Data protection is a relatively new field of law (we celebrated the 50th anniversary of the adoption of the first national data protection law earlier this May), and five years can be a particularly long time in this field, especially when the speed of technological developments affecting privacy is taken into account.
1. To what extent has GDPR met the expectations for its adoption?
At the time of the adoption of the GDPR, significant expectations emerged regarding the enforcement of data protection law. The possibility of imposing very large fines under the GDPR, a huge step compared to the previous regime, promised much more effective enforcement action, primarily against big technology (BigTech) companies.
Indeed, the amount of fines imposed has become more significant: according to IAPP's chart, fines of more than €4 billion have been imposed over the past five years, while according to DLA Piper's annual report for 2022, the fines imposed in 2022 (in the EU 27 plus Norway, Iceland, Liechtenstein and the United Kingdom) totalled €1.64 billion, 50% higher than in 2021, when total fines amounted to around €1.1 billion. (Please note that the above data may not contain all fines from all EU countries, but it gives a good overview of the trends in GDPR enforcement. CMS's GDPR Enforcement Tracker is another good source of information on enforcement actions within the EU, and a "5 years of GDPR" report is also available on the CMS GDPR Enforcement Tracker webpage.)
The increase in the aggregate amount of fines is significant (especially since the €1.2 billion fine imposed by the DPC on Meta earlier this week will probably mark a further significant annual increase for 2023), but there is also much criticism of the enforcement of the GDPR. For example, a report by the Irish Council for Civil Liberties (ICCL) highlights that there has been no real breakthrough in cross-border cases at EU level, with 64% of cross-border cases ending merely with a reprimand.
BigTech companies are largely established in Ireland for EU purposes, so the Irish DPA (the Data Protection Commission, DPC) acts as the lead supervisory authority in cross-border cases involving such companies. The firmness of the DPC's actions against BigTech companies' violations of privacy rules has been regularly criticised in recent years. According to the ICCL report, the DPC prefers to close its proceedings against tech companies without fines, by way of "amicable resolutions", and in cases brought before the EDPB (when the lead supervisory authority and the other authorities concerned cannot reach an agreement), the DPC's draft decisions are overruled in 75% of cases. Nevertheless, five of the top ten GDPR fines issued in the EU to date were imposed in Ireland on Meta (€1.2 billion, €405 million, €390 million, €265 million and €225 million).
2. What have been the privacy "hot topics" of recent years?
We have read and heard a lot about data protection in recent years. If we want to mention just a few priority topics, international data transfers should definitely be at the top of the list. In 2020, the Schrems II judgment posed a serious challenge to the existing order of data transfers, one that the majority of data controllers have essentially failed to tackle to date. Cookie management also belongs among the priority topics, partly in connection with international data transfers, but questions regarding the e-Privacy aspects and cookie walls were also frequently raised.
Among the topics of recent months, discussions related to the application of artificial intelligence should also be mentioned, including the investigations launched concerning ChatGPT. With regard to data protection cases concerning AI solutions, it is worth pointing out that the procedures regarding ChatGPT were not the first concerning the use of AI: as I wrote in more detail here, data protection fines have already been issued in several countries (e.g. France, Italy, Hungary) on data controllers for unlawful processing of personal data through the use of AI systems (see, for example, the cases regarding Clearview AI).
3. Why was the highest GDPR fine to date imposed?
One of the things that brought the GDPR to the forefront of attention after its adoption was that it allowed for very heavy fines compared to the previous data protection rules. As time went by after the GDPR became applicable, opinions arguing that the authorities were not using their fining powers boldly enough became more and more frequent; although there were large fines, there was no real breakthrough. However, just this week, following a binding decision of the European Data Protection Board, the Irish Data Protection Commission imposed a fine of €1.2 billion on Meta for transferring personal data to the US without complying with the requirements of the GDPR.
4. What are the biggest challenges in applying GDPR today?
A very wide range of data controllers are currently affected by the challenges related to cookie management and international data transfers, and the use of cloud services can also cause serious headaches, since, among other things, the issue of data transfers comes up regularly in connection with cloud services (which are often provided by technology companies linked to the United States). Of course, some perennial "hot topics" are still on the agenda, such as data processing for direct marketing or matters related to CCTV surveillance. Data protection issues related to the use of artificial intelligence, as well as topics related to cybersecurity, are likely to grow in importance, especially given the very serious regulatory wave in this area within the EU (see, for example, the Cybersecurity Act, the NIS2 Directive, the DORA Regulation and the upcoming Cyber Resilience Act).
5. How future-proof are GDPR rules?
When the GDPR was adopted, the goal was to create technology-neutral rules that could stand the test of time, even at the current speed of technological development. In the longer term, it remains an open question whether this attempt was successful, since certain anomalies in the enforcement of the rules, briefly touched upon above, indicate that corrections may be necessary in some areas (see the European Commission's early-stage initiative on further specifying the procedural rules for enforcing the GDPR in cross-border cases).
However, despite all its flaws, we have to admit that the GDPR plays a very important role in an increasingly data-driven world, and it will remain the main legislative tool for the protection of personal data in the EU.