open search
close

Europe – What was the first year of GDPR like? Where is it heading?

Print Friendly, PDF & Email

This article initially published on the Open Access Government page on 16 October 2019 explains the current and future effects of the GDPR one year after its implementation.

Ius Laboris share their thoughts on what the first year of GDPR looked like and where they see it heading in the future.

In the run-up to 25 May 2018, preparations for the implementation of the European Union (EU) General Data Protection Regulation (GDPR) were a key priority for organisations. The GDPR’s entry into force was viewed with concern, given its complexity, the challenges of putting the new data protection rules into practice and the extremely high fines that can be imposed for breaches. The majority of infringements can be punished by a fine of up to €20 million or 4% of an organisation’s total worldwide annual turnover for the previous financial year (the higher of the two). Over a year on, with the first wave of decisions and fines issued by a number of national data protection authorities (DPAs) and many ongoing investigations, it is interesting to examine if and how the GDPR rules are actually having their desired effect.

Enforcement authorities in many countries have used this first year as a grace period to educate and promote compliance with the GDPR. Corporate awareness of the GDPR rules and potential repercussions of breaches has increased and new or enhanced data protection policies have been implemented as companies’ ability to handle personal and sensitive data safely and in compliance with the data protection principles has been subjected to fresh scrutiny. These include a significant increase in the employment of Data Protection Officers (DPO). If a DPO is appointed (which is not always mandatory), it is the DPO’s responsibility to inform and advise with respect to data protection obligations, to supervise compliance with these obligations and to cooperate with the DPA(s).

As awareness has risen, there have been a growing number of complaints and breach notifications across the EU. DPAs in some Western European countries such as Germany and France appear to have been very proactive in enforcement. For example, the French Data Protection Authority (‘CNIL’) imposed a €50 million GDPR fine on Google LLC in January 2019. The huge fine was based on a lack of information and transparency for users and took into consideration the large volume of data and number of individuals involved in this violation of privacy.

The UK’s Information Commissioner’s Office (ICO) also recently announced its intention to impose large fines on Marriot and British Airways, as a result of data breach-related incidents. The proposed fines announced were £99.2 million for Marriot and £183.4 million for British Airways, highlighting the seriousness with which the ICO treats such cases.

Others, however, have been slower to take significant enforcement action and in Eastern Europe, many countries have taken a mild approach to enforcement. While the Polish and Lithuanian DPAs have imposed relatively significant fines, Latvia, the Czech Republic and Hungary have only imposed very minor penalties. At the time of writing, the Slovak DPA has only fined organisations for failing to comply with inspections and not for GDPR breaches and the Bulgarian DPA has mainly issued warnings and reprimands. Slovenia is one of the EU Member States that has not yet completed the process of implementing the GDPR into national legislation. Warnings have been issued in a number of jurisdictions and the various DPAs are making orders for bringing processing activities into compliance; there should be further activity over the coming year.

The GDPR has faced some criticism, with commentators noting that the law in its current state is broadly worded, meaning the regulations are open to differing interpretation. This means there is a risk of divergent decisions in different jurisdictions when investigations are carried out.

Further, given that GDPR is an EU Regulation, its validity in the UK will come into question following Brexit. Most experts believe that the GDPR will be enacted in UK Law after Brexit under section 3 of the European Union (Withdrawal) Act 2018.

In light of recent high-profile cases, however and with more predicted imminently, global businesses now have a better insight into the financial and reputational repercussions of failure to comply with data protection principles. The trend towards stricter data protection rules is likely to intensify, as the value placed on an individual’s data privacy continues to rise. It is clear that compliance is key to avoid very significant penalties and organisations and individuals should continue to invest in education and training and promote compliance and best practice.

This article is based on information contained in a comprehensive report ‘The GDPR: One Year On’ prepared by Ius Laboris in May 2019. Further information on how the GDPR has been enforced across various European jurisdictions in the year following its entry into force can be found in the full report, here.

KLIEMT.Arbeitsrecht is a member of Ius Laboris, an international alliance of leading law firms providing specialised services in employment law.

72 beiträge

Ius Laboris




Ius Laboris is a leading international employment law practice combining the world’s leading employment, labour and pension firms. Our role lies in sharing insights and helping clients to navigate the world of labour and employment law successfully.
Verwandte Beiträge
Datenschutz Neueste Beiträge

Kopie personenbezogener Mitarbeiterdaten – Keine Pflicht zur Herausgabe umfassender Unterlagen

Nach der DSGVO kann der Arbeitnehmer vom Arbeitgeber eine Kopie der personenbezogenen Daten verlangen, die Gegenstand der Verarbeitung durch den Arbeitgeber sind. Die Reichweite dieses Anspruchs ist nach wie vor umstritten. Eine Klärung durch das BAG ist bislang nicht erfolgt. Nun hat sich das ArbG Bonn (Urteil vom 16.07.2020 – 3 Ca 2026/19) gegen ein weites Verständnis des Anspruchs ausgesprochen und klargestellt, dass nur die…
Internationales Arbeitsrecht Neueste Beiträge United Kingdom

How can UK employers manage immigration and travel for European employees in 2021 and beyond?

EEA nationals and their employers are now turning their minds towards how frequent business/work travellers and cross-border commuters can continue to come to the UK from 2021. For some, the best solution may be offered by the EU Settlement Scheme (EUSS), but there are also other options to consider. This article is not intended to cover the position for Irish citizens, who will continue to…
Allgemein Denmark

Denmark – The European Data Protection Board takes stock

The European Data Protection Board (EDPB) has issued its annual report for 2018. The report provides information on the EDPB’s work in the first seven months after the GDPR entered into force and outlines the EDPB’s plans for the future. Since the entry into force of the GDPR on 25 May 2018, the European Data Protection Board (EDPB) has been tasked with ensuring consistent application…
Abonnieren Sie den KLIEMT-Newsletter.
Jetzt anmelden und informiert bleiben.

Die Abmeldung ist jederzeit möglich.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.