The EU’s GDPR is one of the strictest data privacy laws in the world. Now in its fourth year, the regulation has seen its enforcement evolve since it first went into effect in 2018.
GDPR was, in part, created to counterbalance the rapid expansion and innovation of giant tech companies. Such companies have revolutionized individuals’ online presence — and forever changed the face of online privacy. Many users are unaware of how their personal data is used and disseminated across platforms such as Facebook and Google. GDPR intends to clarify any gray area. For one, the regulation requires organizations to seek explicit consent to save and use personal data, rather than relying on implied consent.
2021 saw an increase in noncompliance fines. Why? Many factors, including new challenges faced by companies, issues with consent, an ongoing pandemic, a growing remote workforce and the pending ePrivacy Regulation have affected the state of GDPR and its 2022 outlook.
Uptick in GDPR fines in 2021
In GDPR’s first three years, only one major tech company was fined for noncompliance. The last six months, however, found two tech giants guilty of noncompliance — with record-breaking multimillion dollar fines.
In July of this year, Amazon was hit with the largest GDPR fine to date — $887 million, which also exceeds the amount of all previous GDPR fines combined. Regulators from Luxembourg found the tech giant guilty of not receiving proper consent from users regarding their personal data.
In September, messaging service WhatsApp, owned by Meta Platforms, was fined $266 million by Ireland’s Data Protection Commissioner for not adequately receiving consent and not meeting data transparency requirements.
Google was found guilty of noncompliance in 2019 for allegations related to the company’s ad personalization techniques. It was fined $57 million — a record-breaking fine at the time but a fraction of Amazon’s and WhatsApp’s fines.
Large companies aren’t the only ones breaking the law, though. Small to medium-sized enterprises — those with more than 250 employees — must also follow GDPR requirements. While large organizations have faced higher fines, a growing number of small to medium-sized enterprises have also been fined since the regulation went into effect.
Trends highlight lack of consent and transparency
The increase in noncompliance fines is a troubling trend, one that often stems from consent and transparency.
“Organizations have to find a way to provide meaningful consent mechanisms for consumers,” said Müge Fazlioglu, senior research fellow at the International Association of Privacy Professionals and author of “IAPP-EY Annual Privacy Governance Report 2021.”
“Otherwise, they will face the consequences,” she said.
But why the challenges now? It’s not to say data privacy and GDPR aren’t top of mind for most organizations. Seven out of 10 respondents to the 2021 IAPP-EY report rated GDPR compliance as their top privacy priority.
For one, companies’ perceived challenges are changing as they grow accustomed to GDPR. Respondents to the 2018 IAPP-EY survey listed issues such as the right to be forgotten, fulfilling subject access requests and data portability as their greatest GDPR challenges. Three years later, the 2021 IAPP-EY report found consent and international data transfers among respondents’ top gripes.
Additionally, strategic documents released by European data protection authorities (DPAs) in July 2021 indicated EU regulators are more actively enforcing GDPR online tracking and international data transfer requirements. This follows a January 2021 opinion by the Court of Justice of the EU (CJEU) that gives regulators in all EU member states the right to file complaints against Facebook. The opinion is nonbinding but sets a potential precedent for rulings against other tech giants.
The CJEU’s opinion and increased number of noncompliance fines surrounding consent align. Belgian DPAs, for example, filed regulatory complaints in 2015 against Facebook for using cookies to track Belgian users. In 2018, the year GDPR went into effect, Belgian courts ruled in favor of the complaint. Facebook retorted that the Irish Data Protection Commissioner was the only regulator allowed to enforce noncompliance rules because Facebook’s European headquarters are in Ireland. Under the CJEU ruling, however, Belgian DPAs acted lawfully.
“Consent cannot just be a box-ticking exercise. … It needs to be a choice based on information,” Fazlioglu said. “Companies must find ways to inform users about how their data is being used so that they understand what they are agreeing to.”
Impact of the pandemic
The pandemic has also brought up many questions surrounding data privacy and, in turn, GDPR.
“Right now, the hot topic for companies to deal with is employee vaccination data,” Fazlioglu said. “How should companies retain it? How should they protect it? Should they require that information?” She emphasized this concern relates to GDPR but isn’t specifically a GDPR issue.
It does, however, affect privacy professionals by raising questions about how to protect employees’ personal data. The European Data Protection Board released a statement in March 2020 emphasizing that GDPR should not hinder measures to fight the pandemic, but even during these times, personal data protection must be kept a priority.
As new variants continue to spread throughout the world, organizations must continue to balance health priorities and data privacy in 2022 and the foreseeable future.
Potential changes to the law
In February 2021, the European Council finalized negotiations over the ePrivacy Regulation — a set of data privacy laws first proposed in January 2017 that are intended to complement GDPR and were meant to go into effect alongside GDPR in 2018. The regulation focuses heavily on cookies and consent, putting the responsibility for obtaining consent to store cookies “on the entity that makes use of processing and storage capabilities of terminal equipment or collects information from end-users’ terminal equipment, such as an information society service provider or ad network provider.”
Cookies are only mentioned once in GDPR: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”
If the ePrivacy Regulation proposal passes — it is pending approval and under negotiations as of December 2021 — it won’t go into effect for 24 months. It would, however, clarify consent compliance regulations — the root cause of the Amazon and WhatsApp GDPR noncompliance cases.
GDPR moving forward
Consent isn’t the only aspect of GDPR companies should be worried about. Fazlioglu encouraged organizations to focus on all GDPR requirements, despite growing concerns surrounding consent. “Instead of being careful about specific things, look at the whole picture, assess the risks and try to mitigate risks to better protect consumers’ data,” she said.
Moving forward, Fazlioglu predicted developing technologies will also affect GDPR compliance. “Privacy risks posed by AI, machine learning and facial recognition and profiling will be top of mind for EU regulators,” she said.
While 2021 was relatively slow for new data privacy regulations, it was quite the opposite for enforcement — with regulators enforcing the law and imposing fines at higher rates than ever before. Going forward, EU data privacy regulations may undergo another change depending on the outcome of the ePrivacy Regulation proposal, which would create additional challenges for privacy teams.
“We will see the [data privacy] landscape get more complex, not less,” Fazlioglu said.