The GDPR has just celebrated its second birthday and, to mark the occasion, the European Commission (‘EC’) has published an assessment of its effectiveness so far. While praising the ground-breaking data protection leviathan for what it has achieved to date, the EC has admitted that more needs to be done, particularly in the field of enforcement, if it is to create a genuinely level playing field for personal data rights across Europe and beyond.
In retrospect, by introducing the GDPR in 2018, Europe caught the rising tide of privacy awareness, sparking global interest in the rights of data subjects. Whether through the Regulation’s extended territorial scope, which also covers foreign operators active in the EU, or because it has become a benchmark for those seeking to offer a high level of data protection, regions across the world have introduced fresh data legislation adopting aspects of the GDPR’s approach, including the California Consumer Privacy Act, effective from January 2020, and more recently, attempts to introduce a Washington Privacy Act.
Self-congratulation apart, the EC acknowledges that there is still room for data protection improvement, particularly in the field of enforcement, highlighting the need for national Data Protection Authorities (‘DPAs’) to engage with the EU representatives of overseas operators rather than the operators themselves who, sitting overseas, may feel less urgency about compliance. The EC also drew attention to the problem of under-resourced DPAs, hampering GDPR enforcement. Welcoming the EC’s assessment, the influential European Data Protection Board, collectively representing DPAs across Europe, was blunter, warning that resources were insufficient when going up against powerful global players.
Such complaints about data enforcement are not new, nor is the UK’s comparatively well-resourced DPA, the Information Commissioner (‘ICO’), immune from criticism. Some commentators have rounded on it as a ‘toothless tiger’ after it further postponed a final decision on swingeing fines aimed at British Airways and Marriott International for data breaches. Doubts have begun to creep in about whether the ICO dares wield its strongest GDPR powers, or whether it is perhaps holding back for fear of deterring inward investment to the UK post-Brexit.
In fact, the ICO is not the only enforcement laggard on the ‘European block’, with several national DPAs not yet having imposed administrative penalties at all in the GDPR’s two-year lifespan. Of the 785 fines imposed across the EU to the end of November 2019, the vast majority numbered only thousands of Euros. And despite not being in the vanguard of data regulators, the UK data watchdog has certainly shown its ability to think big numbers by threatening eye-watering fines totalling £282 million on BA and Marriott, easily dwarfing the highest GDPR penalties elsewhere. Bear in mind too that, pre-GDPR, the ICO did not shy away from levying on Facebook the maximum permitted penalty for the social media giant’s role in the Cambridge Analytica scandal involving the personal data of 86 million of its users. At the time, the ICO made clear that, had it been possible, it would have imposed an even higher penalty.
As the EC has identified, lack of resources is a common bugbear for regulators when holding data controllers to account. The Irish DPA, for example, has a budget of €16.9 million and a total staff of 138, but has only 21 specialist tech investigators to supervise the multiple European HQs of global technology titans located there, including Google, Facebook, Apple and Microsoft. The enforcement picture is still more threadbare elsewhere across the EU with 14 DPAs having an annual budget of less than €5 million and five or fewer technical experts. Even the ICO employs only 22 such specialists. Inequality of arms between the data watchdogs and those they oversee risks regulators simply being outgunned by better resourced opponents when litigating over data protection legislation.
Importantly, fines are not the only tool in the data regulator’s arsenal, and while not expressly stipulating them as a last resort, guidance collectively adopted by the EU’s data regulators warns against using financial penalties in a way that devalues their effectiveness. In common with other European DPAs, the ICO reserves its heaviest sanctions for organisations and individuals suspected of repeated or wilful misconduct affecting large numbers of individuals where formal regulatory action would serve as a deterrent to others. Intentional breaches explicitly authorised by senior management for financial gain, or despite advice from data protection officers, also risk fines at the upper end of the spectrum.
Inevitably, though, companies’ straitened financial circumstances in the wake of the COVID-19 pandemic will affect DPAs’ appetite to impose severe punishments for data breaches. The GDPR already mandates a proportionate approach when determining the level of fines, and the ICO’s Regulatory Action Policy expressly includes ability to pay as a factor in determining the size of financial penalties. Given the economic ‘hit’ suffered by many industries since the pandemic was declared, the pressure on data watchdogs in the short to medium term will be to act with restraint over GDPR breaches rather than threatening the continued existence of already ailing businesses with crowd-pleasing fines at the uppermost end of the spectrum. Added to this, given tight national finances in the wake of the pandemic, it seems unlikely that governments will feel inclined to provide DPAs with more taxpayers’ money in the short term. For now, at least, the EC’s call for better resourced data regulators seems likely to fall on deaf ears.