This month marks five years since the General Data Protection Regulation (GDPR) came into force under EU law on 25th May 2018. In this time companies, organisations and private individuals have amassed over 1600 fines for breaching these regulations, for a combined sum of €2.78bn - and counting.
These laws are hardly the only attempt to regulate data usage - nor were they the first to do so - but since its introduction GDPR has become the ‘gold standard’ for privacy protection due to its strict nature. It is difficult to overstate the impact and influence that it has had not only within the UK and EU, but on a global scale as well.
Join us as we take a quick trip through these five years of GDPR.
In the beginning
Before GDPR there was DPD - the Data Protection Directive - which had been in use throughout Europe since 1995. This set of laws governed the ways in which personal data could and couldn’t be collected and used, but each jurisdiction had its own ways of enforcing the regulation which led to inconsistencies, complexity and resultant lack of trust. The technology surrounding data was also developing in leaps and bounds so from the turn of the millennium, the DPD was quickly expiring and being left in the dust.
Globally companies were becoming wise to the loopholes and blindspots of such legislation and using them to turn a profit using their customers’ data. This led to an epidemic of risky and unethical data practices, as well as lax privacy protections, effectively enabling data breaches to occur.
In the 2010s this reached a fever pitch with an onslaught of high-profile and high-cost data breach cases in quick succession. Yet, despite the damaging publicity and sky-high fines, it seemed that very little was changing. It was clear that governments needed to update regulations to reflect our increasingly digital lives.
Adopted in 2016, the GDPR set out to right the rampant data misuse epidemic and achieve greater privacy and protection for EU citizens. In contrast to the UK-specific 1998 Data Protection Act, the new legislation was a lot stricter and wider. It prioritised the individual’s privacy and consumers gained rights over businesses never seen before including:
- the right to be forgotten, the right to object to automated decision making and new data portability rights,
- the classification of ‘personal information’ grew to include cookies and other tracking IDs.
This greater to focus on the consumer meant a lot of key changes for businesses including:
- greater geographical reach: the GDPR applies to any size data processor in the UK or EU, not just the UK
- a requirement to demonstrate businesses were compliant to the law through data audits, training and external policies
- A requirement to request and obtain, not assume, clear and explicit consent
- a requirement, not just a recommendation, to notify regulators of data breaches.
- The potential to be issued a fine of up to grant regulators the power to issue fines of up to €20m or up to 4% of total turnover (instead of the DPA’s limit of £500,000).
The EU’s Data Protection Authority (DPA) announced a two-year period before the new laws would become officially enforced in May 2018.
Despite the scrabble to become GDPR-compliant in the months leading up to the enforcement date - many will remember the sudden widespread appointment of Data Protection Officers (DPOs) - companies were given the opportunity to catch their breath as regulators were surprisingly slow off the starting blocks. In fact a total of only 12 GDPR-related fines were issued before the end of 2018.
However, this was only the beginning. Regulators quickly became more adept at finding and evidencing breaches of the law, and in January 2019 regulators in France successfully levied a €50m fine (which was the biggest GDPR fine to date) against Google LLC for their failure to obtain user consent for data processing, repeating similar occurrences from 2012 and 2013.
From here GDPR gathered momentum; regulators were empowered to go after greater swathes of transgressors, including more high-profile cases with Meta (2022 - €405 million; 2023 - €390 million), Amazon (2021 - €746 million), and WhatsApp Ireland (2021 - €225 million). Not only has the frequency of fines increased, but so has their value of the fines. Cases within the last two and a half years account for two-thirds of the total number, and over 90% of the total value for all GDPR-related fines.
The sectors most affected by this regulation have been enterprise firms with 100,000s customers, over €1b revenue and large sprawling datasets: financial services, telecommunications and social media firms. The sheer volume of data which these companies were dealing with drastically increased the odds of it being mishandled, and the size of these companies left them the most likely to incur the maximum fines of either €20m or up to 4% of their total global turnover - whichever is higher.
Vodafone España alone has been fined on 63 separate occasions, amounting to over €15m across frequent, almost monthly cases.
So where are we now?
Five years on and the regulators are showing no signs of slowing down. If anything, we may be about to see an increase in the number of fines being issued as greater pressure from the EU will spur on regulators to get more results.
Additionally, several high-profile cases worth hundreds of millions of euros have catapulted GDPR into common parlance. Consumers are feeling more informed than ever before and are now much more willing to stop doing business with companies that fail to comply with regulations.
Enterprises around the globe are already learning this lesson – last year’s Optus data breach exposed the private data of 9.8 million Australians, which led to approximately 10% of their customers leaving for firms they felt could provide better data security.
We’re also seeing a rise in recurring fines as regulators review past cases which have failed to improve. Google and its subsidiaries have been fined a further 6 times by EU regulators since their first infringement in 2019, for eye-watering amounts totalling more than €215m.
That said, there is some uncertainty as to the future of UK data regulation as post-Brexit changes loom. The legislation is due to get an overhaul in the upcoming Data Protection and Digital Information Bill no. 2 (DPDI 2), which sees the definition of ‘personal data’ become narrower, as well as an increase in the maximum fines that regulators can levy.
Although many of the changes proposed promise businesses greater freedom for innovation by changing data privacy requirements, firms which still fit the definition of PII data processors or controllers will naturally come under increased scrutiny from regulators. Considering the increase in maximum fines too, once again it is the highly-regulated industries such as financial services and telecommunications which we anticipate being affected the most.
What can we do?
It is more crucial than ever for companies to demonstrate that they have strong data privacy measures - and that they are consistently improving on them - if they want to continue doing good business. They can neither afford the hefty fines nor the loss of customer trust, so where do they go from here?
Thanks to recent, rapid advances in technology - particularly privacy enhancing technologies (PETs) - there are now many ways in which companies can use their data in an ethical and privacy-preserving way.
Techniques used to enhance privacy include anonymisation, masking, homomorphic encryption, differential privacy, and synthetic data. Hazy combines the power of the last two in this list: generating synthetic data that uses differential privacy to reduce the risk of leakage or re-identification whilst preserving all the patterns, insight and value in the source data. The resulting synthetic datasets are considered sufficiently anonymous that the UK GDPR does not apply.
One European tier 1 bank experienced the force of the GDPR first-hand – they were hit with a 7-figure (€) fine for use of non-compliant data for testing customer deletion processes required for GDPR compliance. The bank was populating test environments manually with augmented production data, an expensive and time-consuming approach which created room for errors in handling the production data. These errors became direct contraventions of Article 5 - which requires personal data to be processed lawfully, fairly, and transparently - and which is by far the most frequently quoted clause across all GDPR cases, yet one of the easiest to remedy.
As a result, the bank set out to find a synthetic data solution that could allow teams to produce large datasets that are high quality, representative, and can be easily shared across both secure and non-secure environments.
The bank is using synthetic data to generate test data instead of using real data. With Hazy, the firm is building a vision for synthetic data’s long-term value as a strategic technology to power the next generation of compliance, efficiency and growth.
Looking forward: The next 5 years
The story so far has shown that for many companies compliance is not an easy road to follow. It seems that GDPR fines are not a matter of “if” but “when”.
As regulators continue taking more deliberate strides in enforcing GDPR, and the legislation itself shifts and changes, gaining and maintaining compliance must be treated with greater urgency than ever before. However, due to the development of PETs such as synthetic data this is also becoming easier than ever before.
Through sincere concerted efforts it will be possible to stem the rising tide of infractions, and even reduce these figures. Let’s double down on commitments to data privacy, and see where the next five years will take us.
To learn more about ensuring your GDPR compliance get in touch here.
If you'd like to see more about the GDPR fines to date, check out CMS.Law's Enforcement Tracker.