The GDPR Impact: Three Years On

It’s been three years since the European Union’s General Data Protection Regulation (GDPR) went into effect. What is the big GDPR impact? Did GDPR change anything?  Touted as the toughest data privacy law in the world. Data privacy regulations modelled on the GDPR have exploded across the world ever since. From unending privacy policy update emails to cookie pop-ups, a lot has changed on the internet for data privacy. 

The GDPR Impact: Key Stats

• €293 million in fines have been imposed in Europe since the implementation of GDPR.
• Over 281,000 data breach notifications have been reported to date.
• Google received a €50 million fine — the highest GDPR fine, issued by the French regulator, CNIL.
• $7.8 billion spent by Fortune 500 companies for GDPR compliance.

This article will look at how the last three years were for privacy in Europe and the important aftermaths of the GDPR.

First, the basics. GDPR became law on May 25, 2018, giving residents of the European Union rights over their personal data. It gave businesses the mandate to protect the personal data and privacy of EU residents, also regulating the transfer of data outside the EU. The GDPR replaced the EU’s Data Protection Directive from 1995 to reflect the changes that technology had brought in regarding data privacy. The law is enforceable in the 28 member states of the EU, which means businesses have a single, uniform data standard to meet. 

A European resident whose data is collected by a company is a data subject under the GDPR, and the company that processes their data is the data controller. If a third party handles data processing on behalf of a data controller, they are the data processor. This means businesses across the world, big or small, that have European customers fall under the purview of the GDPR.

Personal data is broadly defined as any information relating to the data subject. This could be social security number, mailing or email address, phone numbers IP address, login ID, or geolocation, biometric, and behavioural data. GDPR requires that personal data is processed only after establishing a lawful basis for processing.

For a quick recap on GDPR, read the Ultimate Guide to GDPR.

GDPR has two levels of fines for violations. The first is up to €10 million or 2% of a company’s annual global turnover, whichever is higher. The second is up to €20 million or 4% of the company’s annual global turnover, whichever is higher. 

Since its rollout in May 2018, there have been 692 GDPR fines worth €293 million issued by data protection authorities in Europe. Google was issued the largest GDPR fine to date of €50 million by French regulator CNIL in 2019 for violating the transparency principle and failing to get valid user consent for personalized ads.

This was not the highest GDPR fine issued by any regulator. In July 2019, the UK’s regulator ICO issued ‘notice of intent’ to fine £183 million on British Airways and, in July 2020 issued a notice to fine Marriott International over £99 million. But, due to the mitigating factors taken by the companies and the impact of COVID-19 on the economy, ICO drastically reduced the fines to £20 million for BA and £18.4 million for Marriott.

Every one of the 28 EU nations, and the UK, has issued at least one GDPR fine. Spain issued the largest number of GDPR fines by far, a total of 222 fines. Spain and Italy represent close to 50% of the fines issued while 13 countries in the EU and the UK have issued less than 10 fines in 3 years.

Given the proliferation of data breaches in recent years, breach notifications were also up, thanks to the GDPR impact. DLA Piper reported that, in 2020, 121,165 data breaches were reported i.e. an average of 331 breach notifications per day, an increase of 19% from 2019. More than 281,000 data breaches have been reported since the GDPR came into effect, with Germany (77,747) The Netherlands (66,527) and the UK (30,536) reporting the highest numbers. 

Although, the countries that reported the most data breaches were not necessarily the ones imposing the fines. We looked at a GDPR enforcement tracker and found that the Netherlands has only imposed 12 GDPR fines to date and the UK only 4, while these regulators received the highest breach notifications in 2020. There is also a similar disparity in the number of fines issued by many national regulators, especially notable in the case of Ireland. The Irish DPC did not issue any fines at all until mid-2020 despite being the lead regulator for most big techs that have regional headquarters in Dublin. 

The DPC has a current backlog of 27 cross-border probes on Google, Facebook, Apple, WhatsApp, and LinkedIn to name a few. Twitter is the only big tech fined by the Irish DPC in 2020. The microblogging platform was fined €450,000 for failing to report and document a data breach. This was also the first cross-border GDPR fine issued by a European regulator, after close to two years of investigation and disputes.  

After Brexit on December 31, 2020,  the UK is no longer regulated by the European GDPR, instead, the UK now has its version known as the UK GDPR which came into effect on January 31, 2020. The UK GDPR is an adaptation of the original GDPR, which is incorporated into the UK’s privacy law, the Data Protection Act, 2018.

While the requirements of the UK GDPR are largely the same, it deviates in certain scenarios such as national security, crime and legal proceedings, and other types of special data categories. The EU GDPR may still apply in the UK because of its extraterritorial effect. Businesses with a pan-European presence will likely have to comply with both the regulations along with the risk of dual enforcement action by Data Protection Authorities in the EU and the ICO in the UK in the event of any violation.

Notably, after Brexit, the UK is now categorized as a ‘third country’ by the EU under the GDPR. However, during the interim six-month (till June 2021), there will be no restrictions regarding data flow between the UK and the EU, until an adequacy decision has been made by the EU. In February 2021, the European Commission (EC) published a draft adequacy decision regarding cross-border data transfer to the UK. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to the UK without restriction, and will not need to rely upon data transfer mechanisms, such as the Standard Contractual Clauses (SCC) of the GDPR.

However, in May 2021, the European Parliament urged that the EC should amend its draft decision to ensure that the EU standards for citizens’ privacy are respected. In particular, concerns were raised about the UK’s data-sharing agreements with the US which could risk personal data being shared from the EU to the US, potentially in conflict with the Schrems II decision of the Court of Justice of the European Union. This could ring alarm bells for businesses in the UK that will have to face additional costs for compliance. A NEF report noted that the cost of GDPR compliance could be between £1 billion and £1.6 billion if the UK does not receive an adequacy decision

Schrems II 

An important GDPR impact that affected international data transfer from the EU, is the Schrems II decision. In July 2020, the Court of Justice of the European Union issued the Schrems II judgement which invalidated the EU-US Privacy Shield Framework. More than 5000 companies in the US relied on Privacy Shield to conduct trans-Atlantic operations in compliance with EU data protection rules. The verdict came about as a result of the legal saga following a complaint filed by privacy activist Max Schrems against Facebook back in 2013.

Schrems had called on Irish DPC to invalidate the SCC used by Facebook to transfer personal data to its headquarters in the US. He argued that personal data could be accessed by US intelligence agencies while in transit or when stored in the US, a key violation of the GDPR. Schrems II, therefore, ruled that companies must ensure that the recipient country has data protection standards equivalent to that of the EU. Businesses now have to conduct individual assessments of each data transfer to any non-EU country to ensure compliance. 

The Schrems II judgement, the big GDPR implication, could have broader consequences for global data transfers in the future. It could add another layer of complexity for cloud services, as 92% of all the data in the west is stored on US-owned servers. This is especially noteworthy because EU leaders have now called for European digital sovereignty to defend the data sovereignty and rights of European citizens. 

COVID-19 

The third year of the GDPR saw the world facing a pandemic, while the question remains if privacy regulators in the EU were prepared for it. A large amount of personal data, especially the ‘sensitive’ data of GDPR such as health symptoms, diagnosis, travel history, information on self-isolation or quarantine are collected by electronic health record systems, government health organizations, and hospitals. While digital surveillance became the modus operandi, concerns were rising if it came at the expense of privacy. 

Government agencies are developing more technology to address various issues raised, while tech giants Apple and Google together developed contact tracing systems called exposure notifications. EU member states like Hungary declared states of emergency, suspending GDPR protections in the interim, drawing ire from various quarters. The UK government was also found to violate GDPR in the NHS Test and Trace program. 

On the other hand, there has been criticism of Europe’s failure to use AI to combat COVID due to the restrictions put by the GDPR. Addressing such concerns, EDPB noted in its COVID-19 guidelines that GDPR allows the processing of sensitive personal data if it is “necessary for reasons of public interest in the area of public health.” 

The pandemic has also seen a sharp increase in the number of cyber-attacks and data breaches especially directed at health care systems. The European Medicines Agency faced a cyber attack in 2020, leaking confidential vaccine data, while a German data breach made 136,000 COVID-19 test results public. The UK’s NHS reported 40,000 phishing scams in the first few months of 2020 alone. 

We have already seen how 2020 saw a massive increase in data breaches. This could in part be attributed to remote work and security risks that came along with it.  Remote work has also increased the use of digital surveillance measures in the home, video software like Sneek and Zoom raise many privacy concerns. 

How will regulators deal with the many GDPR infractions during the pandemic, only time can tell. But, French regulator CNIL in its 2020 activity report noted that “the year 2020 has put the GDPR to the test, bringing to the fore in the public debate many points of tension likely to shift perceptions and concerns about personal data and privacy”.

GDPR’s cost of compliance can be a huge burden placed on businesses as compliance cannot be a one-time cost. Experts believe that organisations, especially small and midsize businesses may not be able to afford the high costs of GDPR compliance. In 2018, the Fortune 500 companies were estimated to have spent $7.8 billion to comply with GDPR while the FTSE 350 companies have spent $1.1 billion, according to figures by the IAPP and Ernst & Young. In the US, PwC reported that 68% of 200 businesses surveyed intended to spend between $1 million and $10 million. 

The cost of GDPR compliance depends on various factors including the size of the business and the amount of data processed. An Egress report in 2019 found that more than half, 52% of businesses in the UK were not fully compliant with the GDPR. Many small businesses attribute it to costs of compliance with 26% reporting the highest investment in data mapping and auditing. Businesses also spent on collaborating with privacy lawyers, data security experts and DPOs. IAPP estimates that 500,000 European organizations have registered DPOs within the first year of the General Data Protection Regulation (GDPR) with an average DPO’s salary in Europe is $88,000.

A 2020 report by Data Grail noted that “the cost of compliance cannot be measured in dollars alone: it must also include the operational expenses of human resources and time”. According to the report, 74% of companies spent more than $100,000 on compliance consulting services and technology solutions, and 20% spent more than $1 million. The report also mentions that on average, a company spent 2,100 hours for GDPR meetings alone while enterprise companies are estimated to have spent over 9,000 hours in meetings, and thousands of additional hours preparing for GDPR.

Incorporating security measures also involved another increasing GDPR cost for businesses as data breaches have become a common occurrence. According to IBM’s recent ‘Cost of a Data Breach’ report, the average cost of a data breach in 2020 is $3.8 million globally. 70% of respondents surveyed noted that the shift to remote work would raise the cost of a breach by $137,000.

The GDPR impact on cookies has been the law’s most visible effect. Cookies are mentioned only once in the GDPR, but the repercussions are seen everywhere – the proliferation of cookie popups and banners. Since the GDPR came into effect, several data protection authorities, the EDPB guidelines and the Planet49 judgement have clarified that consent has to be active, explicit, specific and that it cannot be bundled. 

So, does this mean websites in the EU now have GDPR compliant cookie consent banners? Studies have found that cookie consent banners are in effect not compliant with GDPR and the ePrivacy Directive. A study noted that consent banners had ‘dark patterns’ and 57.4%  of the consent banners studied had designs that nudged users into making privacy-unfriendly choices. 

Similar research on cookie banners found that while 60% of the most popular websites in the EU had cookie banners, they don’t necessarily result in free and informed choices for the users. The study looked at 10,000 websites in the UK and found that over 50% of the sites did not have a ‘reject all’ button and made rejecting cookies difficult for the user. Irish DPC surveyed popular websites and found that two-thirds of them relied on implied consent and 26% of them used pre-checked boxes.

In 2020, CNIL imposed hefty fines on Google and Amazon for cookie consent violations — €100 million on Google and €35 million on Amazon! (Read more about it here). The same year, Twitter was also fined €30,000 by Spanish AEPD for an unlawful cookie banner.  While these fines were headline-grabbing, there hasn’t been much enforcement for cookie consent considering that websites are still not GDPR compliant. This could be a reason why Privacy rights group noyb (of Schrems II fame) has started a campaign to file complaints against CMPs and websites that use manipulative cookie consent practices.

CookieYes for GDPR Cookie Consent

Before the enforcement gets stricter, start your cookie compliance journey with CookieYes. It is an all-in-one cookie consent solution that will help you display a cookie consent banner, scan your website for cookies, keep consent records and generate a custom cookie policy for your website.

You can geo-target the banner as per the user’s location, auto-translate it in 30+ languages, add custom branding and design. CookieYes features automatic block third-party script blocking, built-in DNT feature, advanced CSS customization, privacy policy generator and much more. Join the 1 million+ websites that use our cookie compliance solution.