Monday’s €1.2 billion fine for Meta – by far the biggest fine issued under the GDPR since it took effect five years ago – has been taken by many as a sign that the Regulation is at last beginning to be enforced with sufficient vigour.
However, it also illustrates the ongoing difficulty of applying a consistent approach to GDPR enforcement, especially when it comes to cross-border and international data transfers.
In particular, the Irish DPC (Data Protection Commission), which is the supervisory authority for numerous US tech giants whose EU headquarters are in Ireland, has attracted criticism for its relatively lenient approach to GDPR enforcement.
In the case of Meta – as for some 75% of decisions on cross-border data processing in which the DPC was the lead supervisory authority – the DPC’s original judgement was overruled by the EDPB (European Data Protection Board), which demanded stronger regulatory action than the DPC seemed prepared to commit to.
Privacy campaigners were also unimpressed: the Meta fine comes after a ten-year investigation and three court cases involving Max Schrems and his organisation noyb (none of your business), which has spent years campaigning against US data surveillance.
Schrems commented:
The Irish regulator has done everything to avoid this decision, but was consistently overturned by the European Courts and institutions. It is kind of absurd that the record fine will go to Ireland – the EU Member State that did everything to ensure that this fine is not issued.
Given the scale and nature of its operations, Meta is obviously something of a special case, but the wider implications of the EDPB’s attitude towards personal data transfers from the EU to the US are concerning.
If the use of SCCs (standard contractual clauses) is no longer permissible, what should US organisations – and the organisations on whose behalf they act – do, especially as the new EU-US DPF (Data Privacy Framework) is already on shaky ground?
(A recent resolution by LIBE (the European Parliament Committee on Civil Liberties, Justice and Home Affairs) found that the Framework doesn’t afford adequate protection for EU residents’ personal data when transferred to the US and therefore shouldn’t be used as the basis for an adequacy decision. Unless it is renegotiated, it seems the EU-US Data Privacy Framework is almost certainly going to go the way of its two predecessors – the Safe Harbor scheme and the EU-US Privacy Shield – both of which were declared invalid by the CJEU (Court of Justice of the European Union) following legal action by Schrems and noyb.)
For the countless other organisations that transfer personal data from the EU to the US, it seems that no mechanism is likely to be valid. In the meantime, SCCs appear to be the only way forward.
EU-US Data Transfer Assessment and Action Plan
If you transfer personal data from the EU to the US – or if you or your suppliers use services built by US-owned companies such as Microsoft, Salesforce or Facebook – you need to consider your regulatory requirements.
Our EU-US Data Transfer Assessment and Action Plan will help you ensure you stay on the right side of the law.
- Our data privacy experts will conduct a detailed review of your records of processing, process maps and data flow maps to identify the processes that need to be addressed.
- A set of questionnaires will be sent to your suppliers to review their data processing arrangements.
- The responses provided by your suppliers will be reviewed and assessed.
- A gap analysis will be undertaken to identify any missing information.
- Our team will review your suppliers’ privacy notices and other supporting information.
Data privacy in the age of surveillance capitalism
Data transfers from the EU have always been contentious. Indeed, regulating them was one of the reasons behind the GDPR’s creation.
As US corporations such as Meta (which owns Facebook) and Google increasingly commodified personal data in the early 21st century, it became clear that existing data protection laws needed to be strengthened and the powers available to the data protection authorities extended.
Companies that ostensibly offered services to consumers were amassing large data sets about how those consumers behaved.
They began profiting by selling targeted advertising and access to their analysis of this ‘behavioural surplus’ to other organisations that wanted to predict how consumers might behave. (As the much repeated aphorism had it: “If you’re not paying for the product, you are the product.”)
For lawmakers and privacy campaigners, the need to improve corporate responsibility towards personal data became increasingly urgent: leaving large-scale data processing in the hands of a few tech giants was at best unpalatable and at worst ethically dubious.
The GDPR’s territorial scope meant its provisions would apply to all organisations that processed EU residents’ data, irrespective of where that processing took place.
Much was made of its penalty regime of “effective, proportionate and dissuasive” fines of up to 4% of annual global turnover or €20 million – whichever was greater. However, in the Regulation’s early days, enforcement action was nowhere near on the scale many people expected.
GDPR enforcement and compliance: the early years
For organisations that had taken advantage of the relatively low-key compliance environment under the GDPR’s predecessors – EU member state laws based on the Data Protection Directive 1995, such as the UK Data Protection Act 1998 – complying with the GDPR meant considerable work overhauling their data processing practices.
The GDPR introduced stringent requirements relating to technical and organisational measures to secure personal data, data protection impact assessments, data protection officers and the like, which many organisations found onerous.
Unsure of how it would be enforced, boards seemed to take a ‘wait-and-see’ approach to compliance, refusing to regard the Regulation seriously until they saw evidence of fines and other regulatory action.
For their part, the data protection authorities understood that in the early days of the GDPR, they needed to guide organisations towards better habits rather than punishing them for not changing their ways.
As Andrea Jelinek, the chair of the EDPB, told a recent panel discussion at the IAPP 2023 Global Privacy Summit:
When we started from scratch we had to give guidance because everyone wanted to have guidance because the elephant in the room in 2018 was the GDPR. Everybody was thinking now it’s done. No, it was the start of a really big journey.
Over time, however, the supervisory authorities have shifted their position from guidance to enforcement.
Where they once steered non-compliant organisations towards improved data protection practices – especially during the coronavirus pandemic, when the sudden introduction of remote working provided a host of new challenges for organisations – they now issue fines.
As Jelinek said, organisations now “have to show that they’re compliant and if they’re not, they will be fined”.
It’s impossible to formulate an entirely accurate appraisal of GDPR enforcement across the EEA and UK. For one thing, not all supervisory authorities publish information about the regulatory action they take; for another, the various free GDPR fines trackers are prone to inaccuracy, with duplicate entries and erroneous dating.
However, DLA Piper’s 2023 GDPR Fines and Data Breach Survey gives an indication of the extent of this shift in enforcement: supervisory authorities across Europe issued €1.65 billion in fines between January 2022 and January 2023 – a 50% year-on-year increase.
Across the EEA, EU GDPR fines now total about €4 billion (€1.2 billion of that is the Meta fine, which Meta intends to appeal).
It’s clear that the GDPR is beginning to bite.
Most common types of GDPR breach since 2018
In the face of this increase in regulatory action, it’s important to understand which GDPR breaches are most likely to see organisations fined.
We’ve been analysing GDPR fines since the Regulation took effect in May 2018. Breaches of Articles 5 (data processing principles), 6 (lawfulness of processing) and 32 (security of processing) accounted for more fines than any other GDPR violation.
This is unsurprising: how personal data is processed and secured is the heart of the GDPR.
You cannot process personal data unless you can demonstrate you have a lawful basis for doing so, follow the six data processing principles, and implement appropriate technical and organisational measures to maintain its confidentiality, integrity and availability.
(Brexit and the introduction of the UK GDPR do nothing to change this: the core principles of the UK and EU versions of the Regulation remain in step, and many UK organisations are bound by both laws.)
Reflect – Review – Refresh
As GDPR enforcement increases across the UK and EEA, it’s critical to ensure you continue to meet your data processing obligations. IT Governance can help you – whatever your resources or expertise.
We’ve been at the forefront of GDPR compliance solutions since before the Regulation took effect. Since then:
- More than 4,000 people have taken our GDPR training courses;
- We’ve delivered GDPR staff awareness training to more than 78,000 people;
- We’ve provided GDPR consultancy to more than 750 organisations; and
- Hundreds of organisations have bought our GDPR books, documentation templates and toolkits.
If you need to update your GDPR compliance activities to ensure you still meet your obligations, we have everything you need.