The General Data Protection Regulation (GDPR) took effect on May 25, 2018, in response to the need for updated and uniform data protection and privacy law across the European Union (EU) and the European Economic Area (EEA). The GDPR gives individuals control over their personal data and harmonizes the rules that organizations doing business across borders must follow.
How the GDPR Relates to Older Legislation
The GDPR supersedes the EU’s Data Protection Directive (Directive 95/46/EC) of 1995 and, in the U.K., the Data Protection Act 1998 that implemented it. Those instruments addressed the protection, lawful processing, and handling of personal data, but they were written for the technology of the mid-1990s and no longer matched current practice, which prompted the GDPR. Note that the U.K.’s Data Protection Act 2018 complements the GDPR.
Six Data Protection Principles
The GDPR sets out six data protection principles in Article 5(1), elaborated in Articles 6–11, and makes the controller accountable for them in Article 5(2). Personal data must be:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes made known to the data subject at the time of collection
- Adequate, relevant, and limited to what is necessary (data minimisation)
- Accurate and kept up-to-date
- Stored no longer than necessary
- Processed in a way that ensures appropriate security, integrity, and confidentiality
Under the accountability principle (Article 5(2)), the data controller is responsible for compliance with these six principles and must be able to demonstrate it.
Eight Key Rights of Data Subjects
The GDPR also assigns eight rights to data subjects (i.e., people with personal data):
- The right to be informed (Articles 13–14)
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure (Article 17)
- The right to restrict processing (Article 18; Article 19 obliges the controller to notify recipients of any rectification, erasure, or restriction)
- The right to data portability (Article 20)
- The right to object (Article 21)
- Rights related to automated decision making and profiling (Article 22)
Article 3 (Territorial Scope) states: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” In other words, an organization established in the EU/EEA is bound by the GDPR even when the processing itself happens elsewhere. Article 3(2) extends the reach further: controllers and processors with no EU establishment are covered when they offer goods or services to, or monitor the behaviour of, data subjects in the Union.
2021 Enforcement
GDPR violations in 2021 are diverse, and the sanctioned parties include businesses, municipalities, and private individuals acting as data controllers. The following examples show the breadth of GDPR rulings; they do not include violations outside the EU/EEA.
Violations by Individuals
The Romanian National Supervisory Authority for Personal Data Processing fined the general secretary of a political party in Bucharest €500 (about $605) on March 4, 2021, for violating Articles 32(1) and 32(2) (security of processing) and Articles 58(1)(a) and 58(1)(e) (the supervisory authority’s powers to order information and obtain access to data). The secretary published personally identifiable information of 10 party supporters, including their signatures, on a social networking site and did not adequately cooperate during the investigation.
An individual was fined €1,500 (about $1,790) on March 12, 2021, by the Spanish Data Protection Authority for noncompliance with Article 5(1)(c), the data minimisation principle. The individual’s camera recorded a public right-of-way that included parts of a nearby apartment complex patio, and no signage alerted the public to the surveillance system.
Violations by Businesses
Spain’s Predase Servicios Integrales S.L., a professional organization, was fined €5,000 (about $6,049) for failing to honor data subjects’ rights and for lacking a privacy policy on its website, a violation of Article 13, which specifies the information that must be provided to data subjects when their personal data is collected. Website privacy policies are the usual vehicle for this information.
Vodafone España, S.A.U., a mobile communications operator, has received several substantial fines from the Spanish Data Protection Authority in 2021, including the following:
- On Feb. 12, Vodafone was found in violation of GDPR Articles 5 and 6 and fined €120,000 (about $145,182; originally €200,000, reduced for prompt payment). The company kept sending electronic bills to a data subject who had objected and terminated their contract, and it had already been fined twice for the same conduct.
- On March 11, Vodafone was found in violation of GDPR Articles 24, 28, and 44 (controller responsibility, processor obligations, and international transfers), together with provisions of Spain’s national telecommunications and e-commerce laws (LGT Article 48(1)(b); LSSI Articles 21 and 23), and fined €8,150,000 (about $9,860,280). The Spanish Data Protection Authority had received 191 complaints since 2018 about unsolicited marketing calls. Vodafone kept sending marketing materials without consent, even to individuals on a data exclusion list.
The largest fine so far in 2021 was issued on Jan. 8 by the Data Protection Authority of Lower Saxony (Niedersachsen), Germany, to the retailer notebooksbilliger.de: €10,400,000 (about $12,582,444) for noncompliance with GDPR Articles 5 and 6 (unlawful data processing). In short, notebooksbilliger.de could not show a legal basis for two years of video surveillance of its employees, and some recordings were retained for more than 60 days, far longer than necessary. Customers were affected as well, since the cameras also covered seating areas.
Violations by Municipalities
The Italian Data Protection Authority fined the municipality of Castellanza €4,000 (about $4,760) for noncompliance with the data processing principles in Articles 5(1)(a), 5(1)(c), 6(1)(c), 6(1)(e), 6(2), and 6(3)(b). The municipality published documents relating to legal proceedings, which contained data subjects’ personal data, on its public website.
Since 2018, the largest single fine has been €50,000,000 (about $60,492,518), imposed on Google, Inc., and the smallest €28 (about $34), imposed on an unnamed party. See the GDPR Fines Tracker & Statistics from Privacy Affairs for more information.
GDPR and the COVID-19 Pandemic
COVID-19 presented new data protection challenges: track-and-trace systems, contact-tracing apps, data sharing for biomedical research, and a growing remote workforce across many sectors handling data subjects’ personal data from home.
Opinion is divided on the usefulness of the GDPR during the pandemic. One view is that it continued to protect personal data as intended while proving its adaptability; the other is that it stalled research and necessary data processing and sharing. The GDPR has shown resilience in times of uncertainty, such as the pandemic and Brexit (a topic unto itself), and continues to act as a catalyst for new privacy regulations in non-EU/EEA countries. I look forward to seeing what lies ahead.