The General Data Protection Regulation (GDPR) has passed its second-year mark, and with that, the European Commission (EC) has issued its first evaluation report highlighting progress made, challenges encountered, and objectives for moving forward. Additionally, the GDPR has proved itself to be a flexible regulation in support of digital solutions during the coronavirus pandemic. These days, when substantial portions of the workforce are being asked to work from home and children are being taught in virtual classrooms, robust data privacy and protection is needed more than ever. The GDPR offers guidance, support, and standards as the world follows its new routine in response to COVID-19.
Two Years In: The EC Reports on the GDPR
On June 24, 2020, the EC published its first GDPR evaluation report, “Data Protection as a Pillar of Citizens’ Empowerment and the EU’s Approach to the Digital Transition - Two Years of Application of the General Data Protection Regulation.” It reviews GDPR objectives, focusing on how many of these targets were met. To date, the success of the GDPR has been spearheaded by citizens exercising their enforceable rights, governance, and compliance enforcement.
Moving forward, the EC understands the need to have a common culture of data protection with more efficient data-handling throughout all member states, stressing that all GDPR tools must be used to their utmost capacity to ensure that the regulation is applied to its fullest. GDPR assessment remains ongoing; the EC has drafted a list of action items to focus on before the next evaluation report comes out in 2024.
Your Rights Matter: Data Protection and Privacy
At the request of the EC, the European Union (EU) Agency for Fundamental Rights (FRA)—which is tasked with promoting and protecting human rights in the EU—conducted a study focusing on GDPR awareness and the way people share data about themselves. This study, “Your Rights Matter: Data Protection and Privacy - Fundamental Rights Survey,” was published on June 18, 2020.
The two survey questions examined below fall under the topic of awareness:
- Awareness of the GDPR—“Have you heard of the General Data Protection Regulation - GDPR?” Survey takers could answer yes or no. Overall, 69% of people in the 27 EU countries (this figure excludes the U.K.) have heard of the GDPR. Results are broken down by country.
- Awareness of data protection authorities—“Have you ever heard of any of the following? Please respond with the first thing that comes into your head.” In the survey, this question was followed by the name of the respective supervisory authority for data protection (DPA) in that country. Overall, 71% of people in the 27 EU countries have heard of their national DPA. Topping the chart was the Czech Republic, where 90% had heard of their DPA. Of the EU countries, Belgium had the lowest share of individuals who had heard of their DPA (44%), and outside the EU, the share in the U.K. was lower still (35%).
Two Years of Litigation and Fines: An Overview
Over the past two years, the subjects of GDPR enforcement have ranged from large multinational corporations to charities, nonprofits, and even individuals. It was estimated that in the first 20 months of the GDPR, approximately €114 million (about $135 million) in fines were issued. The following handpicked examples show the depth and breadth of the GDPR’s reach.
Google
Google has been subject to several violations, totaling €57.6 million (about $68.4 million). Cases were filed in Belgium, Sweden, and France. Violations of Articles 5 and 6 appear in all three examples listed below.
Source: GDPR Enforcement Tracker
GDPR articles: Article 5, Article 6, Article 12, Article 13, Article 14, Article 17(1)(a)
British Airways
British Airways has pending litigation due to a cybersecurity incident in 2018 in which users were diverted to a fraudulent site that collected customer data. It is estimated that approximately 500,000 individuals were affected beginning in June 2018.
Source: GDPR Enforcement Tracker
GDPR article: Article 32
Tusla Child and Family Agency
Tusla is a state agency in Ireland responsible for improving the well-being and outcomes of children. It has been fined twice under the GDPR. The first fine was for three instances in which information about children was wrongly disclosed to unauthorized parties. The second was for insufficient compliance with data breach notification requirements. In that case, a letter documenting allegations of abuse was sent to a third party, who then uploaded the letter to social media.
Source: GDPR Enforcement Tracker
GDPR article: Article 33
GDPR Enforcement Against Individuals
While high-profile litigation peppers the news, it is important to recognize that GDPR enforcement is not limited to the business community. The following two examples highlight situations in which individuals were fined.
The first example is from Germany, where a man was fined for a YouTube video containing license plates. In the second example, a soccer coach in Austria was fined after filming players taking a shower (without their consent).
Source: GDPR Enforcement Tracker
In addition to these handpicked examples, there is litigation pending due to GDPR violations for tech giants Twitter, Facebook, and WhatsApp (which is owned by Facebook). It is unclear how soon decisions on these cases will be released.
A Global Crisis Doesn’t Halt Data Protection
The EU’s stance is clear: Its data protection legislation does not hinder measures taken to fight COVID-19, nor are the provisions of the GDPR to be set aside because of the pandemic. Even before the pandemic, the workforce was already partly distributed, with employees working from home, on the road, or from other off-site locations. The pandemic greatly increased the number of home-based workers, as employers were urged to comply with internal, local, or national directives supporting the health, safety, and well-being of their employees.
While it’s both a legal and ethical obligation for organizations to keep the health and well-being of their employees at the forefront, it is also critical that they have data safety and security measures in place for their workforce. Data protection should not be viewed as a barrier to working from home, but organizations will need to factor in the same types of security measures they had in place when employees were on-site or using company devices. These measures are especially important if employees are expected to use personal devices for work-related tasks.
Regardless of where an employee is working, the GDPR’s Recital 83 stipulates that personal data must be protected both at rest and in transit. Data in transit is data that is being accessed or transmitted, and data at rest is data in storage (e.g., on a hard drive or USB device).
Due to the pandemic, organizations have reported concerns that their data protection practices may falter and not meet their usual standard or that response times may lengthen. While statutory timetables cannot be altered, the U.K.’s Information Commissioner’s Office (ICO), for example, acknowledges that there may be delays when responding to information rights requests during this time.
The following are five good practices to stay GDPR-compliant with a newly distributed workforce:
- Update your cybersecurity policy to include “working from home.”
- Train employees on the cybersecurity policy and what is expected from them.
- Keep data encrypted whether in transit or at rest.
- Limit access to sensitive data.
- Keep your connections secure (e.g., organization or corporate VPN).
How the GDPR Impacts Community Groups During the Pandemic
During these difficult times, individuals are coming together to help vulnerable populations. Neighborhood groups, church groups, homeowner associations, and other small groups are working alone or joining forces to help those in greatest need. Such groups generally must handle sensitive personal information and share it with others, which triggers data protection legislation. But this should not stop groups from helping those in need.
The following are five general guiding principles for community groups:
- Be clear with your intentions. Be open and honest about why you need the information, what you will do with it, and who it will be shared with.
- Share the information when it benefits public safety. Share data that could help someone who is homebound receive resources that will improve their quality of life. Not sharing this data could do more harm.
- Keep it lawful. Assess legitimate interest, vital interest, and consent to use personal data received.
- Ensure data is secure. You’re responsible for the data you collect. Data should be secured on a device or in a locked location, for example.
- Only collect what you need. Collect only data you need to help the vulnerable person. When the data is no longer needed, ensure it is destroyed.
Looking Ahead
The GDPR will continue in its forward-thinking trajectory, focusing on strengthening objectives, informing citizens of their rights, and coordinating practices of EU member states. In 2024, when the next evaluation report is published by the EC, it will be interesting to see not only how the GDPR has advanced, but also how it has globally impacted data protection and privacy partnerships.