implementation and enforcement of GDPR

Release of overview European Data Protection Board (EDPB) on the implementation and enforcement of GDPR, February 26, 2019.

As many of you will recall, GDPR came into force on May 25th, 2018. Lots of work, people working overtime (and sometimes still are) to get all the GDPR-requirements in place, becoming GDPR-compliant, as good as it gets before that date. GDPR-goeroes told us after that date that many companies were not even close to being compliant, some did not even start working on GDPR. Estimates were that not even 10% of companies which should be, were near being compliant. Those estimates did not change much since.

What happened over the past 9 months since GDPR is in force when it comes to the work of authorities? The EDPB provides us with an update from May 25th last year until the end of February 2019. What is done, what is still te be done and what everyone is wondering about: how about those fines everyone is (and should be) worried about?

Before I get to the figures, first some clarification: what is the EDPB and what is purpose of this board? the EDPB is an independent European body, which promotes cooperation between national EU data protection authorities (DPAs) and which contributes to the consistent application of data protection rules throughout the EU. In the EDPB all national authorities are represented. The EDPB is established by GDPR. The European Data Protection Supervisor (EDPS) is also represented within the EDPB. The EDPB adopted 5 new guidelines of its own and makes use of the 16 Guidelines already prepared by the so called Article 29 Workgroup (a cooperation between DPAs before GDPR).

The overview EDPB provides, contains mainly important statistics on the amount of cases reported by DPAs of 31 EEA countries, and the fines related to those cases. But not only enforcement. The question that needed answering as well regards to which DPA is leading in specific cases. To start with the last question that refers to the One-Stop-Shop cooperation mechanism as stated in GDPR, 642 procedures have been initiated to identify the lead DPA, concerning in many cases cross-boarder cases. 281 cases were registered in the Internal Market Information System, an IT system in which information is shared amongst supervisory authorities. Those cases almost all related to topics such as exercising individual rights, data breaches and consumer rights.

The total number of reported cases by DPAs throughout the EEA is 206,326 thousand. Of which 94,622 were complaints and 64,684 of the cases are related to data breach notification by controllers. Also interesting: only 1% of the above cases were challenged before national courts while 52% of the cases were concluded outside court.

What about the administrative fines? We heard about high fines imposed on Facebook and Google recently, but those were mainly fines related to cases before GDPR came into force. During the period this overview relates to, 11 DPAs reported imposing fines totaling an amount of euro 55,955,871.00.

The conclusion of the EDPB is, that members of the EDPB find GDPR works well in day to day business and the workload of DPAs is manageable due to thorough preparation for the GDPR over the past 2 years. I am not sure, however, whether this conclusion can be drawn after only 9 months and considering only 11 of the 31 DPA-members of the EDPB reported imposing any administrative fines. Reading the overview it appears the cooperation between DPAs functions well, but it does not really reveal detailed information on enforcement and how DPAs “pick their fights”.

If you need more information on GDPR please do not hesitate to contact me.