open search
close
Internationales Arbeitsrecht

Europe – What was the first year of GDPR like? Where is it heading?

Print Friendly, PDF & Email

This article initially published on the Open Access Government page on 16 October 2019 explains the current and future effects of the GDPR one year after its implementation.

Ius Laboris share their thoughts on what the first year of GDPR looked like and where they see it heading in the future.

In the run-up to 25 May 2018, preparations for the implementation of the European Union (EU) General Data Protection Regulation (GDPR) were a key priority for organisations. The GDPR’s entry into force was viewed with concern, given its complexity, the challenges of putting the new data protection rules into practice and the extremely high fines that can be imposed for breaches. The majority of infringements can be punished by a fine of up to €20 million or 4% of an organisation’s total worldwide annual turnover for the previous financial year (the higher of the two). Over a year on, with the first wave of decisions and fines issued by a number of national data protection authorities (DPAs) and many ongoing investigations, it is interesting to examine if and how the GDPR rules are actually having their desired effect.

Enforcement authorities in many countries have used this first year as a grace period to educate and promote compliance with the GDPR. Corporate awareness of the GDPR rules and potential repercussions of breaches has increased and new or enhanced data protection policies have been implemented as companies’ ability to handle personal and sensitive data safely and in compliance with the data protection principles has been subjected to fresh scrutiny. These include a significant increase in the employment of Data Protection Officers (DPO). If a DPO is appointed (which is not always mandatory), it is the DPO’s responsibility to inform and advise with respect to data protection obligations, to supervise compliance with these obligations and to cooperate with the DPA(s).

As awareness has risen, there have been a growing number of complaints and breach notifications across the EU. DPAs in some Western European countries such as Germany and France appear to have been very proactive in enforcement. For example, the French Data Protection Authority (‘CNIL’) imposed a €50 million GDPR fine on Google LLC in January 2019. The huge fine was based on a lack of information and transparency for users and took into consideration the large volume of data and number of individuals involved in this violation of privacy.

The UK’s Information Commissioner’s Office (ICO) also recently announced its intention to impose large fines on Marriot and British Airways, as a result of data breach-related incidents. The proposed fines announced were £99.2 million for Marriot and £183.4 million for British Airways, highlighting the seriousness with which the ICO treats such cases.

Others, however, have been slower to take significant enforcement action and in Eastern Europe, many countries have taken a mild approach to enforcement. While the Polish and Lithuanian DPAs have imposed relatively significant fines, Latvia, the Czech Republic and Hungary have only imposed very minor penalties. At the time of writing, the Slovak DPA has only fined organisations for failing to comply with inspections and not for GDPR breaches and the Bulgarian DPA has mainly issued warnings and reprimands. Slovenia is one of the EU Member States that has not yet completed the process of implementing the GDPR into national legislation. Warnings have been issued in a number of jurisdictions and the various DPAs are making orders for bringing processing activities into compliance; there should be further activity over the coming year.

The GDPR has faced some criticism, with commentators noting that the law in its current state is broadly worded, meaning the regulations are open to differing interpretation. This means there is a risk of divergent decisions in different jurisdictions when investigations are carried out.

Further, given that GDPR is an EU Regulation, its validity in the UK will come into question following Brexit. Most experts believe that the GDPR will be enacted in UK Law after Brexit under section 3 of the European Union (Withdrawal) Act 2018.

In light of recent high-profile cases, however and with more predicted imminently, global businesses now have a better insight into the financial and reputational repercussions of failure to comply with data protection principles. The trend towards stricter data protection rules is likely to intensify, as the value placed on an individual’s data privacy continues to rise. It is clear that compliance is key to avoid very significant penalties and organisations and individuals should continue to invest in education and training and promote compliance and best practice.

This article is based on information contained in a comprehensive report ‘The GDPR: One Year On’ prepared by Ius Laboris in May 2019. Further information on how the GDPR has been enforced across various European jurisdictions in the year following its entry into force can be found in the full report, here.

KLIEMT.Arbeitsrecht is a member of Ius Laboris, an international alliance of leading law firms providing specialised services in employment law.

Ius Laboris




Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.
Verwandte Beiträge
Internationales Arbeitsrecht Neueste Beiträge

ECJ rules data subjects entitled to know of recipients

The decision clarifies the scope of the Data Subject Access Request under the GDPR. The ECJ decided the previously open question of how much detail the employer must provide about the recipients or groups of recipients of the personal data upon request.   The right to information under data protection law Under Article 15 of the GDPR, the data controller (in the employment context, usually the…
Datenschutz Internationales Arbeitsrecht Neueste Beiträge

GDPR: five years on

For those  impacted by the EU General Data Protection Regulation, known as the GDPR since its entry into operation across the bloc on 25 May 2018, it’s quite something to think that the legislation has been with us for five years today. So what has gone well and what has gone less well? One of the main purposes of the legislation was to get the…
Compliance Datenschutz ESG Neueste Beiträge Unternehmensführung

Diversity Monitoring: In Deutschland (noch) problematisch

Viele Unternehmen haben sich mittlerweile die Förderung einer diversen Belegschaft zum Ziel gegeben. Hierfür könnte ein Diversity Monitoring ein erster sinnvoller Schritt sein. Bislang stößt eine derartige Abfrage von Diversity-Faktoren auf rechtliche Bedenken. Doch das könnte sich demnächst aufgrund europarechtlicher Vorgaben ändern. Bedeutung von Diversity Monitoring in Deutschland Das Diversity Monitoring, d.h. die gezielte Sammlung von Informationen über Diversity-Eigenschaften der Belegschaft (wie Migrationshintergrund, Religion, Behinderung,…
Abonnieren Sie den kostenfreien KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

 

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert