GDPR: the story so far
Lessons learned and challenges ahead
27 March 2019
10 months after the implementation of the General Data Protection Regulation (GDPR), some of the text's provisions are still hotly debated. Many companies are in the midst of their compliance programs, and data protection authorities (DPAs) are grappling with their new roles and the increased workload. Eleven DPAs already imposed fines under the new regulatory framework, the highest amounting to EUR 50 million. In doing so, DPAs have made clear that the GDPR will not be a paper tiger. The time has come to take stock of the application of the GDPR and think about the upcoming months. As practitioners, what are the requirements we have seen companies struggle with? Have some of the mechanisms of the GDPR failed to deliver all their promises? On which requirements have DPAs focused their enforcement actions so far? And looking to the future, what are the emerging privacy trends and challenges?
Some lessons learned…
Companies that have initiated GDPR compliance projects in the last months have learned enormously about the new data protection regime. It would be laborious to gather all the knowledge they have gained. Rather, we focus below on a few lessons learned about some key GDPR issues:
1. The Achilles' heel of many GDPR compliance projects: implementation
Companies have concentrated much of their efforts so far on mapping processing activities, rolling out new policies, delivering trainings, allocating roles and responsibilities, taking decisions to change or even stop certain data processing… but everyday practices have often not followed at the same pace. More worrisome, certain companies have adopted a purely formalistic approach to the GDPR. As the European Data Protection Supervisor (EDPS) observed, "rather than adapting their way of working to better protect the interests of those who use their services, companies seem to be treating the GDPR more as a legal puzzle, in order to preserve their own way of doing things" – embodying The Leopard's dictum "everything must change so that everything can stay the same". For sure, DPAs will not stop at the documentation prepared by companies but will "look under the hood" and examine their actual processing activities. Companies that have completed the "documentation and processes conception" phase of their GDPR compliance programs should now "look beyond the paper" and check whether their staff follow policies and procedures in day-to-day business, whether privacy measures are deployed into systems, and whether individuals' requests are responded to in a timely manner.
2. Security, one of the biggest regulatory risks
DPAs have made data security an enforcement priority. They have already sanctioned organisations in all industries – from major tech players such as Uber and Facebook to smaller companies - for failing to adequately address this major issue.
Cases tend to show that investigations leading to fines often start with a reported security incident. The typical scenario is this: a company (or someone else) informs the DPA of a data breach; the DPA then investigates the breach and discovers that it was caused by the absence of elementary security precautions. Lack of basic security measures (e.g. no authentication to access an online database containing consumer data), clueless staff (e.g. generalised use of unencrypted USB keys, sending of an email to the wrong persons), weaknesses in the "data supply chain" (e.g. a service provider has access to the data but does not adequately protect it)... The procedure ends with the DPA fining the company for failing to seriously tackle security risks (and sometimes failing to notify the breach on time).
What can be learned from these cases? That companies that do not want to be the next targets of DPAs must make every efforts to avoid data breaches (e.g. visualise where risks come from in their organisation, deploy adequate measures for each risk, secure the "data supply chain" from one end to the other, test the measures), while at the same time prepare to handle data breaches in the most organized and "professional" manner (e.g. have a plan, conduct "data breach war games", develop a communication strategy, identify companies that may be mobilized to help individuals mitigate risks such as credit rating agencies, identity monitoring services and theft resolution services).
3. The "legitimate interests" legal basis is no panacea
Experts and non-experts alike have repeated countless times – with good reason - that the threshold to obtain consent was much higher under the GDPR than it was before . This had led companies to develop an aversion to consent and a strong preference for legitimate interests, viewed by them as an "easy" legal basis for processing. In reality though, legitimate interests is far from being the easy choice as the legal basis for processing. First, it does not always fit the processing. Second, it requires the company to carefully balance its interests against the interests of individuals in a "balancing test", and based on this test, conclude whether legitimate interests is the appropriate legal basis (and if so, whether measures to limit privacy impacts should be taken). On top of these efforts, the company is required to inform individuals that they may obtain the balancing test on request. Lesson learned: legitimate interests is no silver bullet.
4. Privacy notices: still TLDR (too long; didn't read)
The GDPR requires companies to provide individuals with a lot of information about what they do with their data while keeping all this information concise. This generates "an inherent tension" that many companies have "solved" by sacrificing concision for exhaustiveness. As a result, privacy notices on the market are often lengthy and thus still not read by individuals. Companies that are convinced that data protection is key to their consumers' trust and want their privacy notices to be read by them maximise the opportunities offered by design (e.g. layering, tables, icons, colours, pop ups, graphics) to turn their privacy notices into a showcase of their transparency and privacy-friendly culture.
5. Harmonisation of rules in Europe: a half-met objective?
The GDPR aims at creating a consistent data protection framework in Europe by reducing differences between national data protection laws . Its nature – a Regulation that directly applies in each country rather than a Directive that sets objectives to attain – serves that aim. Yet the GDPR also contains multiple "margins of manoeuvre", obtained by Member States through lobbying to safeguard their legislating power over issues they consider "national". These "margins of manoeuvre" have led to some variations between national data protection laws, in areas such as employees' data processing, mandatory appointment of the DPO, and individual rights.
In hindsight, companies that have adopted a "central conception / local implementation" approach to GDPR compliance - creating documentation and processes at the central level, "localizing" and implementing them at the local level - have been wise. Going forward, all projects that involve data processing in more than one country will have to be assessed from the standpoints of both the GDPR and the data protection laws of concerned countries. Not exactly the harmonisation expected…
6. DPAs' tools come handy
Since the GDPR became applicable, DPAs have made available a wide range of tools to help companies in their compliance efforts: record of processing activities templates , an open source software to carry out data protection impact assessments , a legitimate interests assessment template , guides to help in the drafting of data processing agreements , and many others. They are free and "regulators-approved" - so there are no reasons not to use them!
7. The "one-stop-shop": less bureaucracy… or more complexity?
Meant to "make it simpler and cheaper for companies to do business in the EU", the "one-stop shop" has been one of the most eagerly awaited "innovation" of the GDPR. The "one-stop shop" is a mechanism that designates one lead DPA – the DPA of the country where a company has its main establishment – as the company's unique point of contact and main regulator for its cross-border processing.
On paper, the "one-stop shop" makes life easier for companies carrying out cross-border data processing, by having them deal with one single DPA rather than 28. In practice though – and this has been the lesson learned by companies – identifying the lead DPA is not an easy one-off assessment but requires an in-depth analysis. In some cases, companies even have to reorganize their governance to benefit from the "one-stop shop". Indeed:
- the "one-stop-shop" functions on a "processing-per-processing" basis. This means that the assessment as to whether a company has a main establishment in Europe with the decision-making power over its cross-border processing must be made for each processing . As a result, a company that has separate establishments in different European countries taking decisions regarding different cross-border processing activities will have more than one lead DPA to deal with;
- a company's main establishment must correspond to the place in Europe where decisions about cross-border processing are actually taken (e.g. where decisions are made regarding the purposes for which data is processed, the individuals whose data is processed, the types of data processed) . This has two important consequences. First, it prevents "forum-shopping" (i.e. designating an establishment in Europe as "main establishment" and thus choosing the DPA mainly in charge of overseeing cross-border processing). Second, it means that tech companies that conceive and take all decisions regarding data-driven products and services outside Europe, while having mere "relays" in Europe to commercialize them, will not be deemed as having a main establishment in Europe with regard to these tech products' and services' cross-border processing.
Now, companies expect from data protection authorities that they "play their roles" and confirm to interested businesses whether they are their lead authority or point them to their lead authority. As the GDPR largely increased the cost of privacy compliance (e.g. by taking an "accountability" approach where compliance needs to be continually documented), companies are now craving for business-friendly measures that simplify their lives. The "one-stop-shop" could be one of them, provided authorities help companies identify their lead DPA or reorganize to have a lead DPA.
8. Relationship with vendors: beyond contract remediation
"Contract remediation" is usually one the check boxes in GDPR compliance projects' checklists. Companies check it once they have signed newly drafted data processing agreements with their vendors and the companies for which they process data as processor. Of course, contract remediation is an important step in the direction of GDPR compliance - but many companies forget that checking this item in the list is not the end of the story. Bringing relationships with third parties in line with the GDPR requires more than "just" contract remediation. It goes deeper and notably encompasses:
- processors' selection: to meet the requirement that only processors able to comply with the GDPR must be used , controllers should deploy processes to select processors based on their capacity to satisfy the GDPR standards (e.g. request potential processors to provide certifications and/or respond to questionnaires, carry out pre-contractual audits);
- granular qualification of the roles: not all the activities of vendors fit in the "processor" box. For some of them (e.g. activities where the vendor has the freedom to decide which data to analyse, which individuals to process data about), the vendor can qualify as joint-controller. In that case, a joint-controllership arrangement must be entered into with the vendor and its substance made available to individuals;
- fulfilment of their obligations by processors: controllers must verify whether their processors have taken the measure of their new obligations and mobilized resources to fulfil them.
…and some predictions for the near future
Forecasting the future is a perilous exercise, especially when the object of the predictions is the rapidly evolving data protection legal landscape. We nevertheless try our luck with 4 predictions about the GDPR in 2019 and beyond:
1. GDPR compliance to increasingly impact consumer choices and become an expected quality of tech products and services
One of the side effects of the GDPR has been to popularise the subject of privacy. Privacy has become an everyday newspaper topic; a regular theme of discussion for citizens.
On the one hand, the "privacy buzz" has made consumers better informed about the way companies handle their private information, correlatively more worried about it, more demanding of privacy-friendly tech products and services and more prompt to exercise their rights (as shown by the massive increase in the number of complaints submitted to DPAs in 2018). On the other hand, consumers still find it hard to know the degree of privacy-friendliness of what they consume (data protection labels are not widespread yet). They crave for more transparency to make the right choices in a tech-driven world. In the future, data protection labels and certifications will be expected by consumers just like they today expect environmental labels, and will increasingly influence their buying decisions and trust in brands.
Companies that view GDPR compliance as a consumer trust-enabler should not wait to undertake certification procedures.
2. Convergence of privacy, competition and consumer protection
Regulators and courts will increasingly examine companies' data practices in the wider context of competition and consumer protection . The President of the EDPS even goes as far as advocating for the creation of "a unique, digital regulator, responsible for a coherent and linear monitoring of our markets and societies in the digital age", with powers to protect both competition and privacy . This should encourage companies to embrace a larger view of the lawfulness of their processing activities, by systematically assessing them from both a data subjects', competitors' and consumers' standpoints.
3. DPAs' coordinated actions to become the new normal
The GDPR has created a new framework for the enhanced cooperation of DPAs, breaking with the previous regime in which DPAs "were working separately even on cross-border cases" . The new cooperation framework aims at ensuring a consistent interpretation and enforcement of the GDPR across Europe. Concretely, it provides DPAs with various tools to coordinate their actions, such as mutual assistance (where one DPA provides information to another DPA or takes measures upon request from another DPA) and joint operations (where DPAs carry out joint investigations and joint enforcement measures together in the context of cross-border cases or cases with a cross-border component). DPAs are already making regular use of their new cooperation tools , and it is expected that they will increasingly work and join forces together in the future. What can companies making business in or in connection with Europe expect from this enhanced cooperation? First, that there will be less and less diverging interpretations of the GDPR between DPAs, which should facilitate compliance across countries. Second, that DPAs will become more and more efficient in gathering facts and coordinating their enforcement actions against companies carrying out cross-border processing in breach of the GDPR, with very little time separating the discovery of potential breaches and their sanctions.
4. The rise of privacy activism
As we wrote in September 2018, the GDPR has granted privacy activist groups new tools to fight what they deem violations of rights. The GDPR indeed empowers them to bring claims before data protection authorities and judicial actions before courts on behalf of individuals, or without a mandate from data subjects where local law allows it. The effect of these new "private" powers is the increased probability that GDPR breaches be brought to the attention of authorities, investigated, and sanctioned. So far, privacy activist groups have focused their actions on the highly visible GAFAM. With their new powers and the increased popular consciousness around privacy issues, it is likely that privacy activist groups will vigorously pursue their actions in 2019 and beyond, including against less obvious targets from traditional industries.