May 25 marks the first anniversary of the GDPR. Companies that process the personal data of EU residents have just passed the first anniversary of the application of the General Data Protection Regulation (GDPR).
The two years leading up to the 2018 application date saw an unprecedented rush of companies reviewing and modifying their practices to comply with the GDPR and avoid a potential fine of up to 4% of global annual revenue.
Over the past 12 months, this rush has given way to a more cautious and deliberate pace. While regulators develop their review processes, hundreds of thousands of complaints have already been filed. To date, there have been very few enforcement actions, and those have resulted in relatively small fines, as regulators study the GDPR and the most effective means of enforcing it.
A look back at the Global Privacy Summit
At a panel earlier this month in Washington, D.C. at the International Association of Privacy Professionals' Global Privacy Summit, an annual gathering of 4,000 privacy professionals from around the world, Helen Dixon of the Irish Data Protection Commission, in conversation with Elizabeth Denham of the UK Information Commissioner's Office and Andrea Jelinek, Chair of the European Data Protection Board, stressed that investigations take at least six months. Over the life cycle of a complaint, regulators first determine whether a complaint filed by an EU resident rises, on its face, to the level of a potential GDPR violation.
Many of the hundreds of thousands of complaints received by data protection authorities during the year were simply requests to opt out of advertising, which is not something the regulation covers. In the case of a valid complaint, regulators then need to educate themselves about the technology in question, which of course involves contacting the companies that are the subject of the complaint to request more information.
GDPR, between complaints and investigations
This back-and-forth between regulators and companies also serves as a way to resolve complaints. Indeed, as panelist Helen Dixon pointed out, "carrots" should be used rather than "sticks". This approach echoes comments she made last year that fines are not the only tools regulators have. The immediate lesson for businesses is that engaging with regulators can lead to better results than avoiding them.
Aside from investigations, the GDPR has also brought benefits for EU consumers, as companies have redoubled their efforts to educate the public about their data practices. The introduction of mechanisms for handling access, correction and deletion requests has given millions of people an easy way to exercise more control over the use of their personal data. And the rights given to EU consumers have an impact on many non-EU consumers, who benefit from improved practices as companies adopt a lowest-common-denominator approach to data privacy.
In the absence of headlines about concluded investigations resulting in huge fines, one of the questions about the GDPR now is whether companies will become complacent and scale back their privacy programs.
Complacency and the GDPR, a contradiction
Any pullback is inherently risky. Outdated privacy impact assessments and stale data inventories lead to incomplete records of processing activities, and they signal to regulators that the privacy program is not being maintained, which is likely to invite closer scrutiny. Another important question is whether corporate compliance claims will be verified by third parties, or whether they will go unchallenged until regulators take action and are not satisfied with what they find.
The GDPR also sets an example for improving privacy laws in the United States. The California Consumer Privacy Act (CCPA), which has been enacted but is not yet in effect, contains similarities to the GDPR. For example, it gives Californians the right to access the personal data that companies subject to the law have collected about them. However, the CCPA may go further than the GDPR by potentially allowing a private right of action, which could result in privacy class actions against companies that break the law. California is not alone: other states are turning the lessons learned from the GDPR into law.
This creates a burdensome patchwork for companies to follow. One potential consequence is the passage of a federal privacy law. It would harmonize the requirements, but it has little chance of becoming law before the various state laws take effect. In the meantime, the result will almost certainly be confusion among consumers about their rights, corporate responsibilities, enforcement and education.
An interpretation yet to come
The 1995 Data Protection Directive remained in force for 23 years before being replaced by the Regulation. The GDPR is in its infancy and will likely see its interpretation evolve as it matures. One thing is certain on this first anniversary of its application: the GDPR has already drastically shaped the approach thousands of companies take to data management. And as the data protection environment and government regulation evolve, new questions and approaches to data privacy will continue to emerge around the world.