On May 25, 2018, the GDPR went into effect, putting the world’s attention on data privacy. Since the enforcement deadline has passed, there have been questions about how to comply with the law, who must comply with the law, how the law will be enforced, and so much more. Now a full year later, let’s take a look at developments and predictions for GDPR throughout 2019 and beyond.
What is the Future of GDPR Certifications?
While the EU announced the GDPR enforcement deadline nearly two years before the law went into effect, many organizations were still scrambling at the last minute to comply. In large part, this was due to the ambiguity of the law, which left organizations unsure whether it actually applied to them and the data they collected. A year later, the future of official GDPR certifications is still relatively unclear, but the European Data Protection Board (EDPB) recently issued guidelines that will assist in certifying controllers and processors as GDPR-compliant.
GDPR Enforcement Updates: Who’s Been Fined?
Perhaps one of the most talked-about components of GDPR was the potential fines organizations faced. Under the law, organizations that fail to comply with GDPR can face fines of up to €20 million or 4% of annual global turnover, whichever is greater. For many enterprises, this meant that non-compliance could lead to tens of millions of dollars in fines or, worse, bankruptcy. In the first few months after the enforcement date, EU supervisory authorities saw an influx of reported data breaches, with DLA Piper indicating that nearly 60,000 data breaches were reported since the May enforcement date. However, enforcement of the law has been relatively limited, with only three parties having been fined: Google, an unnamed German social media platform, and an Austrian entrepreneur.
- Google: The largest GDPR fine to date, the €50 million penalty imposed on Google by the French regulator CNIL, was the result of Google’s insufficient transparency and vague consent agreements.
- Social Media Platform: This German social platform received a fine of €20,000 from the German data protection authority LfDI Baden-Württemberg for failing to hash data subjects’ passwords, which led to a breach of personal information.
- Austrian entrepreneur: This business owner received a fine of €4,800 for placing an unmarked CCTV camera system outside their establishment, unlawfully surveilling a public sidewalk.
Will Facebook Be Fined Under GDPR?
The debate over whether Facebook will be fined under GDPR has been a hot topic since the law went into effect. In July 2018, the social media giant was hit with a £500,000 fine by Britain’s ICO due to the infamous Cambridge Analytica data breach. More recently, it was also discovered that Facebook had been storing the passwords of hundreds of millions of users in plain text. While the investigations into the social platform’s data privacy practices could take years, the outcome could help clarify GDPR requirements and expectations for the future.
How Has GDPR Influenced Data Privacy Laws in the US and Abroad?
GDPR was viewed as the top regulatory focus of 2018, and for good reason; it has also become the catalyst for many other data privacy laws going into effect around the globe. In the United States, the California Consumer Privacy Act was enacted, Washington state introduced the Washington State Privacy Act, and Congress has introduced several data privacy bills, including the American Data Dissemination Act (ADD Act) and the Social Media Privacy Protection and Consumer Rights Act of 2019. Internationally, there have also been many developments in data privacy laws, many of which resemble GDPR, including Canada’s PIPEDA, China’s Cybersecurity Law, the Cyber Security Agency of Singapore, the Brazilian National Monetary Council’s Resolution No. 4,658, and many others. Throughout 2019 and beyond, many more data privacy laws are expected to go into effect around the world.
In just one year, GDPR has had a tangible impact on the way the world views data privacy. If your organization has questions about GDPR compliance or complying with the many other data privacy laws either in effect or in the process of going into effect, contact us today.