It’s the GDPR’s 4 Year Anniversary: These are the 4 Biggest Impacts It Has Had on Global Privacy
Europe’s landmark General Data Protection Regulations (GDPR) came into effect (just over) 4 years on 25 May 2018. To mark the fourth anniversary of the regulations, we’re outlining four of the biggest impacts the GDPR has had on global privacy:
GDPR Impacts on Businesses
The GDPR & The Age of Enormous Privacy Fines
At the time of writing, enforcement of the GDPR has resulted in fines cumulatively totalling more than 1.6 billion Euros. The regulations permit European data protection authorities to impose fines up to 20 million Euros or 4% of a company’s worldwide turnover for the prior financial year – whichever is higher.
This has proved to have significant impacts on global companies, where enforcement of the GDPR has resulted in mammoth fines. Amazon, Google, H&M, Facebook, and WhatsApp rank amongst the companies that have received the largest fines under the GDPR. Grindr’s €6.5m fine was another notable penalty.
While there are individual takeaways for companies from each enforcement action under the GDPR, the broad impact of these GDPR fines is that they have made companies start to pay attention to privacy and security.
Data Minimisation is Becoming More of a Priority
Several of the largest fines handed out under the GDPR to date relate to the overcollection of data. The enforcement action against Clearview AI is one example, as is the 35 million Euro fine against H&M for overcollection and sharing of personal information about its employees. The H&M fine was the second-largest ever levied at the time. These enforcement actions are encouraging companies to reconsider their data collection practices.
We’re also seeing individuals becoming more sensitive to the overcollection of data. We revealed in our Privacy Awareness Week article that 81% of Australians consider an organisation collecting personal information that doesn’t seem relevant to a transaction as a misuse. This trend of consumers prioritising personal privacy likely has links to the GDPR’s enactment.
Companies Must Carefully Manage Extra-Territorial Data Flows
The SCCs saga has highlighted how important it is for companies to consider the privacy impacts of inter-jurisdictional data flows.
Amongst other protections and changes, the new SCC introduced tougher rules on onward data transfers. Any onward transfer is only permitted where the data subject is offered equivalent protections, either through the onwards party acceding to the SCCs, informed consent of the data subject, or another measure that promises continuity of the protections. This change means that companies transferring data out of the EEA must consider the privacy risks for EU residents and implement safeguards to overcome them.
Companies Increasingly Evaluating Data Sharing Practices
3 of the largest fines under the GDPR in 2021 related to inadequate consents and third-party data sharing. As a result, companies are paying more attention to their data sharing practices, as well as the data hygiene and data needs of the third parties they share personal information with.
Individuals are also becoming more alert to data sharing practices – again, at least in part due to the GDPR. In fact, privacy breaches relating to pregnancy information, such as the 2019 GDPR enforcement against a UK pregnancy and parenting package provider Bounty and the Flo period tracking enforcement in the US, have been thrust into the spotlight recently due to the leaked Roe v Wade draft decision.
The draft decision has highlighted an example of where data sharing practices could result in actual harm to data subjects. Because the sharing of information about pregnancy could have significant real-world impacts for pregnant women in the US if the federal right to abortion is overturned.
Is your company GDPR compliant? If you’re uncertain, reach out. Our experienced privacy lawyers are familiar with GDPR compliance and are available to assist you.