27 Sept 2019
The EU’s Data Protection Rules: European Commission Takes Stock of Results Achieved So Far Under the GDPR
The European Commission has presented a Communication to the European Parliament and Council on the application of the General Data Protection Regulation (Regulation 2016/679, more commonly known as the GDPR). The GDPR has applied across the European Union for over one year. With the Communication, the Commission takes stock of the results achieved so far regarding the consistent implementation of the data protection rules across the EU, and its impact on consumers and businesses. A key objective of the Regulation has been to do away with a fragmented landscape of 28 different national laws that existed under the previous Data Protection Directive, and to thereby provide legal certainty for individuals and businesses throughout the EU. That objective, according to the Commission, has largely been met.
Hong Kong traders may already know that the GDPR equips the Member States’ data protection authorities with stronger enforcement powers. Contrary to fears expressed by some stakeholders before the GDPR’s entry into effect on 25 May 2018, national data protection authorities have adopted a balanced approach to enforcement powers. It may be noteworthy for Hong Kong traders handling the personal data of their EU customers that authorities have focused on dialogue rather than sanctions, in particular for the smallest operators which do not process personal data as a core activity.
At the same time, it is noted that the authorities did not shy away from using their new powers effectively whenever this was necessary. This included the launching of investigations in the area of social media: for instance, the Irish Data Protection Commission opened 15 formal investigations in relation to the compliance of multinational technology companies with the GDPR.
Authorities have also imposed administrative fines ranging from a few thousand euros to several million, depending on the gravity of the infringements of data protection rules. The following are examples of fines imposed by data protection authorities:
- EUR 5,000 on a sports betting café in Austria, for unlawful video surveillance;
- EUR 220,000 on a data broker company in Poland for failure to inform individuals that their data was being processed;
- EUR 250,000 on the Spanish football league LaLiga, for lack of transparency in the design of its smartphone application;
- EUR 50 million on Google in France, because of the conditions for obtaining consent from users.
Aside from fines, Member State data protection authorities have other tools at their disposal such as imposing a temporary or definitive limitation on processing, including a ban, or ordering the suspension of data flows to a recipient in a third country (i.e., outside the EU).
Hong Kong businesses may also like to know that individuals in the EU are increasingly aware of data protection rules and of their rights: the Communication notes that 67% of respondents to a May 2019 Eurobarometer (an EU survey) are aware of the GDPR, while 57% know that there is a national data protection authority to which they can turn for information or to lodge complaints. This increased awareness of rights has led individuals to exercise them more intensively by means of customer queries and by turning more often to data protection authorities to ask for information or lodge complaints. Businesses also report that requests for access to personal data have increased in several sectors.
Individuals have also withdrawn their consent to the processing of their data more often, and exercised their right to object to commercial communications (e.g., unsolicited emails or text messages).
It is reported that, in general, businesses have indicated that they were able to implement the new data subject rights, although it was sometimes challenging to meet deadlines due to an increased number of requests and their more wide-ranging character, or to check the identity of the person making the request.
As regards micro and small-sized businesses which do not process personal data as their core business, these have been among those with the most questions about the application of the GDPR. While these seem to stem partially from a lack of awareness of the data protection rules, their concerns are also sometimes exacerbated by campaigns spreading incorrect information, for instance on the need to systematically obtain consent from individuals, and by additional requirements imposed at national level. In this context, micro and small-sized enterprises are calling for guidelines that are tailored to their specific situation and that provide very practical information. Such guidelines would likely be of assistance also to Hong Kong traders selling their goods to EU customers. Some data protection authorities have, it is reported, already done this at national level.
In conclusion, on the basis of information available to date and the dialogue with stakeholders, the Commission’s preliminary assessment is that the first year of application of the GDPR has been overall positive. Nevertheless, as shown in the Communication, further progress is necessary in a number of areas. For example, the Commission would like the Member State data protection authorities to step up their cooperation, for instance by conducting joint investigations; indeed, Member States should facilitate the conduct of such investigations. The Commission has also pledged to continue its awareness-raising activities and its work with interested parties.