Claire Morrissey: The GDPR at four years old
Claire Morrissey, partner at Maples and Calder, examines the common themes which have dominated the GDPR landscape in Ireland and across Europe.
Yesterday marked the fourth anniversary of the General Data Protection Regulation (EU) 2016/679 (GDPR). Over the course of its first four years, some common themes have dominated the GDPR landscape. This update looks at those common themes in Ireland and across Europe.
The challenge of GDPR-compliant international data transfers, covered in our earlier updates, has not receded. The US and EU announcement in March 2022 that a political agreement had been reached on a replacement for the Privacy Shield is welcome; however, there is no firm commitment as to when the agreement will be published for European Commission review.
In the meantime, standard contractual clauses (SCCs) remain the primary means used to legitimise data transfers. The 27 December 2022 deadline for replacing the old transfer SCCs in existing contracts with the 2021 SCCs is fast approaching. Businesses that have not yet begun this transition will need to move swiftly to adopt the 2021 transfer SCCs and complete any necessary transfer impact assessments. To assist businesses in their transition to the 2021 SCCs, the European Commission published Questions and Answers on the New Standard Contractual Clauses on 25 May 2022.
Data breaches continue to be a relatively common occurrence and a focus for the Data Protection Commission (DPC). In January 2022, the European Data Protection Board (EDPB) published the final version of its guidelines on examples regarding personal data breach notification to assist controllers in responding appropriately to data breaches.
Data access requests
For the fourth consecutive year since the GDPR's introduction, data subject access requests were the most common category of complaint handled by the DPC. The DPC has expressed concern about the adequacy of organisations' responses to data subject access requests, noting that controllers who are the subject of a complaint have often:
- Failed to perform an adequate search for the relevant data;
- Not advised the data subject that certain data is being withheld; or
- Failed to respond within the required timeframe.
The DPC has also identified an emerging pattern of controllers not responding to data subject access requests and/or not responding to the DPC's complaint commencement correspondence. This highlights the importance of organisations having appropriate response procedures in place for access requests, as many of these complaints could have been avoided if adequate responses had been given in the first instance.
Cookies and the adtech industry
Cookie compliance continues to be a key focus area for EU data privacy activists and regulators. Fines for non-compliance in relation to cookies are on the rise: in January 2022, the French data protection authority (CNIL) fined Google and Facebook a combined €210 million for not allowing users to refuse cookies on their websites as easily as they could accept them.
Adtech has relied heavily on cookies for some time, and it recently suffered a blow when the Belgian supervisory authority held that IAB Europe's Transparency and Consent Framework (TCF) infringed the GDPR. Over 80 per cent of European websites and apps, including those of Google and Amazon, rely on the TCF to legitimise digital advertising via cookies. IAB Europe is appealing the decision, but with big tech companies such as Google announcing plans to phase out support for third-party cookies in the near future, the adtech industry's reliance on third-party cookies is likely to reduce.
The number of headline-grabbing GDPR fines imposed on big tech has increased. The EDPB recently published draft guidelines on the calculation of administrative fines under the GDPR, which aim to harmonise the approach to fining across European supervisory authorities by introducing a five-step methodology for calculating GDPR fines.
Until August 2021, the €50 million fine imposed on Google by the CNIL in 2019 (and upheld on appeal in 2020) was the highest GDPR fine on record. As of May 2022, it is only the sixth highest fine imposed for breaches of the GDPR, with the Amazon (€746 million), WhatsApp Ireland (€225 million), Google Ireland (€90 million), Facebook (€60 million) and Google LLC (€60 million) fines each exceeding this figure. The WhatsApp fine of €225 million is the largest imposed by the DPC to date. More recently, the DPC fined Meta €17 million following an inquiry into 12 data breach notifications.
Criticism of the DPC's enforcement against big tech has escalated. In March 2022, Dr Johnny Ryan brought judicial review proceedings in respect of the DPC's alleged failure to progress its investigation into Google's and IAB's processing of personal data following a complaint filed in 2018. In April 2022, the DPC settled judicial review proceedings brought by the non-profit organisation noyb in relation to delays in the DPC's investigations into Facebook and Instagram. The European Ombudsman's report on its inquiry into the European Commission's monitoring of how the GDPR is applied in Ireland is expected in the coming days.
Looking ahead to the GDPR's next 12 months, these themes will continue to occupy data subjects, businesses and regulators. The complexity of the GDPR landscape will increase with the finalisation of the Digital Services Act and the AI Act and with member states' implementation of the Collective Redress Directive, while we await the long-anticipated adoption of the draft ePrivacy Regulation, which appears to have stalled in negotiations between the European Parliament, the Council and the Commission.