Are EU Privacy Regulators Starting to Find GDPR Consensus?Legal Experts Predict Growing Pains Will Last Several Years More Years - At Least
More than two years after Europe's tough new General Data Protection Regulation came into full effect, are each EU member state's privacy watchdogs finally finding consensus?
See Also: A Guide to Passwordless Anywhere
Outstanding questions have included the severity of penalties to be imposed on organizations that violate GDPR, for example, by not reporting data breaches to relevant authorities within 72 hours of discovering them. Organizations also face sanctions if they fail to properly secure Europeans' personal data, regardless of whether a breach occurs.
Multiple legal and security experts say that some consensus has been building between each EU member state's privacy watchdog, aka data protection authority, or DPA.
"There is some general consensus emerging on what is a lack of technical and organizational measures," says attorney Jonathan Armstrong, a partner at London-based Cordery. "But in some respects it's like a meal - it is easier to say when you’ve had a bad meal rather than what are the essential ingredients for a good one. Data breaches by their nature are judged in hindsight. So proving that you had good technical and organizational measures in place will always be a high bar, because something has happened despite the measures you had to stop it."
Even though GDPR enforcement is more than two years old, attorney Rocco Panetta, the founder and managing partner of Panetta & Associates in Rome, predicts that it will take at least two more years - if not more - for enforcement and sanctions efforts to gain greater consistency, not just between EU member states but also inside any given country.
Such consistency would also provide more predictability for organizations facing sanctions. "The EU regulation gives a range of values without imposing any standardization," says Panetta, who's also on the board of directors of the International Association of Privacy Professionals.
"If anything, the issue is mostly about the difficulty facing companies that try to predict the potential consequences of a GDPR breach," he tells Information Security Media Group. "As a data protection officer and legal consultant for local and multinational enterprises and groups of companies, I’m getting to witness such difficulty more and more frequently."
From Directive to Regulation
One major change brought about by GDPR is that it made data protection a law. Previously, EU member states were subject only to a data protection directive - specifically, Directive 1995/46/CE - that each nation transposed as it saw fit into its own, national law. As a result, different EU member states sometimes took wildly different approaches to data protection, including potential sanctions.
Just one example: In 2008, prosecutors in Milan, Italy, charged four Google executives with having failed to prevent the uploading of a video to Google Italia YouTube of four high school boys bullying another boy with Down syndrome - the video was removed 24 hours after being uploaded - as well as for Google failing to fully disclose how it uses people's personal information. The charges carried a maximum sentence of three years' incarceration, and three of the executives were convicted of the charges in 2010. The convictions were overturned by a Milan court in 2013.
'Better Specified Legal Framework'
Now, GDPR is a law that applies to all member states, which the European Parliament did to increase uniformity in how the rules get applied, Panetta says. "For this reason, although the legal and cultural background of each member state - and its DPA - still has an impact upon the interpretation and application of data protection rules, GDPR provides for a better specified legal framework."
In addition, the European Data Protection Board - an independent EU body charged with ensuring that GDPR gets consistently applied and that DPAs work together - "serves as a fundamental consistency factor," he says.
"The big difference between pre-GDPR and now is that there is a consistency and cooperation mechanism with a dispute resolution process to help establish consistency for cross-border cases that have the involvement of multiple supervisory authorities," he says.
But using GDPR to sanction organizations remains far from straightforward, Panetta says.
For example, the law says a DPA can fine an organization up to 20 million euros or 4% of its annual global revenue - whichever is greater. Even so, "the list of criteria to be assessed - in order to weigh the amount of the sanction - is quite detailed," he says. In addition, it can be "difficult to apply consistently within even a single DPA, regarding different cases and scenarios."
Regulators' Challenge: Fines Can Be Appealed
Privacy watchdogs can set any GDPR fine they choose. But sanctioned organizations can also appeal the fines in court, and there have already been some "embarrassing reversals" as a result, specifically in final fines or court cases involving the U.K. Information Commissioner's Office as well as regulators in Germany, says Daragh O Brien, managing director of Castlebridge, an information management consultancy based in Ireland.
In recent months, the ICO wrapped up two long-running investigations by announcing final GDPR fines of 20 million pounds for British Airways and 18.4 million pounds for Marriott, which were respectively 90% and 80% of the amount the ICO had originally proposed. Working with other DPAs, the regulator says it took into account the current economic climate - including the pandemic - when setting the revised fines. But legal experts say the final amounts were also designed to withstand any appeals court challenges.
In November, meanwhile, a German court slashed by 90% the fine imposed on 1&1 Telecom by the country's federal privacy regulator, over call center data protection shortcomings.
Cordery's Armstrong tells ISMG that one lesson from the 1&1 case is that consensus is building for fines to be calculated in part based on real-world impact, rather than as a more punitive measure. He says that "1&1 tells us that the courts will look at severity, and factor that into the fine if you ask them to look at it objectively."
Additional Consensus-Building Efforts
GDPR enforcement remains a work in progress. "The real need for consensus development is around what actually constitutes effective enforcement," Castlebridge's O Brien tells ISMG. "Changing behaviors, encouraging the prevention of breaches and the implementation of good practices is an effective approach."
Avoiding headline-grabbing fines for fines' sake - might also be a reliable long-term approach for ensuring better GDPR compliance. "Repeated, guaranteed, low fines levied consistently and repeatedly - like parking tickets or speeding fines - have a cumulative effect, without risking the embarrassing reversals we’ve seen from the ICO and the German regulator," O Brien says.
Another innovation, pioneered in Italy, is that any organizations on the receiving end of a GDPR fine, which choose to pay the fine promptly - without contesting it - get a 50% discount. Any organization that chooses to contest the fine in court, however, faces paying the full amount.
Look Beyond Fines
For gauging how GDPR is maturing, Panetta says it's important to not just look at fines, but other important benchmarks too, including the attention being paid now to privacy and data protection by many organizations.
"Thanks to this new regulation, companies and public organizations have started to give serious consideration to personal data protection in their day-to-day activities," he says, not only to avoid fines, but also to realize specific, new types of benefits. "Greater competitiveness, higher transparency vis-à-vis the data subjects - consumers or citizens - and, as a consequence, an increased level of trust from the public" are new possibilities wrought by GDPR, he says.
In addition, privacy has become much more of a board-level discussion, he says, with many organizations now having a data protection officer to improve their organization's privacy and data protection "awareness and effectiveness."