The EU’s General Data Protection Regulation went into effect on May 25, 2018, but online privacy experts are already scrutinizing the policy’s effects. Last week in London, the International Association of Privacy Professionals hosted a retrospective panel on the GDPR’s first year, which French regulator Mathias Moulin emphasized “should be considered a transition year.”
Transition year or not, early numbers for the GDPR make clear that the policy has been a success as a breach notification law, but largely a failure when it comes to imposing fines on companies that fail to adequately protect their customers’ data. At the panel discussion, Stephen Eckersley, the head of enforcement at the U.K. Information Commissioner’s Office, said the U.K. had seen a “massive increase” in reports of data breaches since the GDPR’s implementation. In June 2018, companies self-reported 1,700 data breaches, and Eckersley estimated that the total will be around 36,000 breaches reported in 2019, a significant increase from the previous annual reporting rate of between 18,000 and 20,000 breaches. Across Europe, nearly 60,000 breaches were reported during just the first eight months of the GDPR, according to a survey released last month by law firm DLA Piper.
Doubling the number of annually reported breaches is not an insignificant feat. That’s valuable information for consumers whose information may have been stolen, for regulators and technology designers trying to understand and mitigate the root causes underlying breaches, and for researchers working on examining the impacts and costs of these breaches. Europe’s success at ramping up breach notification is instructive for the United States and other countries that have struggled to implement a unified breach-notification policy framework.
Prior to the GDPR, there was no single breach-notification regulation for the European Union. Instead, the EU’s 1995 Data Protection Directive (which the GDPR replaced) allowed individual member nations to write and pass their own breach-notification laws. Some countries, such as Austria, Germany, and Norway, mandated breach notification. But their approaches differed: In Austria, for instance, companies were required to notify individuals whose data had been accessed; in Norway, only the data protection authority had to be notified; and in Germany, both the affected individuals and the state authority had to be notified. There were differences, too, in what kind of data was considered “personal” and what types of information about the breach had to be reported. Other countries, including Ireland, Italy, and the U.K., put in place voluntary reporting schemes.
The GDPR swept away all these different statutes. It requires organizations to report data breaches to both the affected individuals and the appropriate regulatory authorities within 72 hours of being discovered. It also established a common, broader definition of personal data. The DPD defined personal data as names, photos, email addresses, phone numbers, addresses, and personal identification numbers, while the GDPR widened that category to include IP addresses, biometric data, mobile device identifiers, and other types of data that could potentially be used to identify an individual. By expanding the definition of what constitutes personal data—and by extension, what constitutes a breach of personal data—and applying a standardized notification requirement to the entire EU, the GDPR appears to have generated a much larger data set of reported incidents and thereby significantly widened our window into what types of breaches are occurring.
It’s an important lesson for the United States that a unified framework for breach notification can be a more effective tool than the patchwork of state laws that we currently have. Critics of a federal data breach-notification law have wondered whether such an approach in the United States might actually weaken breach reporting because it would likely be less stringent than the strictest state laws, such as California’s. But the success of the GDPR suggests that there may be more to be gained than lost in having a single countrywide policy around how and when breaches have to be reported.
While the GDPR seems to be a positive model for breach notification policy, it appears to have done less well at its most discussed purpose: allowing regulators to fine companies for mishandling personal data. One of the most controversial—and in some circles, most celebrated—elements of the GDPR was that it granted European data authorities the ability to levy truly significant fines against companies for violating the law. Those penalties could reach up to 4 percent of a company’s annual global revenue under the GDPR, vastly more than the token fines that had previously been levied against tech companies in Europe and the United States.
During the first nine months that the GDPR was in effect, the total penalties imposed under the statute added up to 55,955,871 euros, according to a report published in late February by the European Data Protection Board. That sounds impressive until you remember—as Refinitiv chief privacy officer Vivienne Artz pointed out at the retrospective panel in London—that a single 50 million euro fine levied against Google in January accounts for nearly 90 percent of that sum. The vast majority of companies are still not being fined for failing to protect their customers’ data, and the vast majority of fines are still too small to register with the companies that are being penalized. (Arguably, even 50 million euros is a fairly trivial sum to Google, which brought in $136.8 billion in revenue in 2018. For comparison, 50 million euros is equivalent to roughly $57 million, or 0.04 percent of Google’s 2018 revenue.)
As we come up on the one-year mark of the GDPR in May, it makes sense to take stock of what seems to be working well—and what may be working less well. The breach notification plank of the regulation has clearly had a significant impact, while the fining authority has been less obviously valuable in the GDPR’s first year of implementation. The EU may yet adjust to correct some of these problems: For instance, Eckersley said at the panel that several EU countries are working to define a matrix for calculating fines under the GDPR that may help the various countries’ data protection authorities harmonize their penalties, so that one company is not hit with nearly 90 percent of the total fines for an entire year. But in the meantime, other countries should take note of the GDPR’s successes and failures, and consider seriously how they can adopt some of its more effective elements while avoiding its most problematic features.