The European Union's broad privacy regulation was expected to transform the internet and how privacy rights work, but has it achieved its objectives?
The General Data Protection Regulation (GDPR) was enacted on April 14, 2016, and came into force on May 25, 2018. The GDPR was immediately binding and applicable since it is a regulation rather than a directive, although it did allow individual member states to change specific provisions of the legislation.
The regulation itself had the following main objectives:
“Lay down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
Protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
Free movement of personal data within the Union that is neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.”
On May 25, 2022 will be GDPR’s four-year anniversary from its date of enforcement and therefore we have four years of data and results to answer a simple question: “Has it achieved its objectives?”
In its first few years it is evident that the regulation was faulty and it did not achieve the internet transformation it aiming to.
Through this regulation individuals are supposed to have extensive powers over their data, including the right to demand that firms notify them how their data is used and the right to ask for their data to be deleted, a pillar of the legislation known as "the right to be forgotten." The regulation is accompanied by some of the most rigid fines available for a privacy law. An upper level fine on Amazon, for example, could result an almost $15.5 billion penalty for major infractions of the regulation’s provisions.
Even though the regulation was promising, nonetheless in its first few years it did not live to its potential and high expectations. In its 1st year of enforcement, companies, consumers and regulators became increasingly frustrated as the law created new bureaucracies that led to the confusion and frustration of consumers.
Despite its initial shortcomings, the regulation in recent years has picked up pace and the significant fines promised for infringements are finally materializing.
In the last year (2021), penalties of about 1.1 billion euros have been levied against corporations for violations of the European Union's GDPR. The 2021’s sum is over seven times the 2020’s penalties of €158.5 million. Two of the most noteworthy penalties imposed can be found below in summary format:
Amazon’s Luxembourg fine
The Luxembourg National Commission for Data Protection (CNDP) issued the largest fine for an infringement of the GDPR to Amazon on July 16, 2021, in the amount of €746 million (crashing the EU data privacy penalty record) for non-compliance with personal data processing principles.
The penalty came as a result of a complaint filed by 10,000 people, which allowed the CNDP to proceed with an in-depth investigation into the conglomerate’s privacy practices. The results of the investigation suggested that Amazon’s targeted advertising system had several infringements from the provisions of GDPR
WhatsApp’s Ireland fine
WhatsApp was fined €225 million by the Irish privacy authority, the Data Protection Commission (DPC), on August 20, 2021, for a series of cross-border data protection violations under the General Data Protection Regulation (GDPR). The fine came after a protracted investigation and enforcement procedure that began in 2018.
These two penalties alone almost make up entirely the total amount on privacy penalties for the year 2021. It is evident that the privacy watchdogs, regulators and authorities are starting to employ their powers in a stiffer way, penalizing corporations for their infractions on the GDPR provisions.
There was an 8% rise in breach reports per day in 2021, from 331 to 356, with more than 130,000 personal data breaches reported in total since the beginning of the year.
However, it seems that the big firms are taking a stance and are constantly challenging the penalties and fines imposed (Deutsche Wohnen, 1&1 Telecom, British Airways, Marriott and others).
Regulators are moving towards the right direction, nevertheless there is still room for improvement and better application of the provisions. Jurisdictions should aim for uniformity and unity in their decision making for imposing penalties whilst always having in mind the no.1 pillar of the regulation to protect the consumers’ privacy rights.
By fLEXI tEAM