In the ever-evolving landscape of data protection, the General Data Protection Regulation (GDPR) stands as one of the world’s most stringent laws for safeguarding individual privacy rights, and it shapes the operating practices of businesses worldwide.

Since its inception in 2018, the GDPR has been updated and amended to reflect the dynamic nature and increasing complexity of modern business ecosystems. Originally designed to empower individuals with greater control over their personal data and to establish a harmonized framework for data protection across the European Union (EU), the GDPR has continually evolved to strengthen its original intent.

For organizations under the GDPR’s jurisdiction, the journey toward compliance is far from static; it demands continuous vigilance and adaptation. As regulatory authorities refine enforcement mechanisms and introduce amendments to keep pace with evolving business environments and technological innovations, organizations must ensure their practices align with the latest regulatory requirements.

In this blog, we explore the key updates and amendments that shaped the GDPR’s current form and look at a few organizations that learned the hard way what falling foul of the Regulation can cost.

A New GDPR Procedural Regulation

In 2023, on the Regulation’s fifth birthday, the European Union (EU) witnessed a significant evolution in its data protection framework. Building upon the foundation laid through the GDPR, the EU introduced new regulatory measures aimed at bolstering and refining its data protection regime. A notable development during this phase was the Commission’s proposal for a new GDPR Procedural Regulation, unveiled on July 4, 2023.

This proposal seeks to standardize and strengthen cooperation among EU Member State Data Protection Authorities (DPAs) in enforcing the GDPR, particularly in cases with cross-border implications.

The GDPR Procedural Regulation prioritizes several vital aspects:

  • Simplifying the handling of individual complaints regarding the processing of personal data.
  • Standardizing the procedures for DPA investigations in cross-border scenarios.
  • Securing procedural rights for people and organizations involved in enforcement actions or investigations.
  • Promoting cooperation and the exchange of information among DPAs across different member states.

For organizations, the new rules clarify their due process rights when a DPA investigates a potential GDPR breach. The rules are designed to enable faster resolution of cases and greater legal certainty for businesses.

Ensuring Cooperation and Consistency

The newly introduced procedural regulation is a foundation for facilitating the efficient operation of the cooperation and consistency mechanism established by the GDPR. It aims to harmonize rules across critical domains, ensuring a cohesive and effective approach throughout the region.

1. The Rights of Complainants: This aspect of the regulation emphasizes the empowerment and protection of individuals who file complaints regarding potential data protection violations. It lays out comprehensive rules governing the rights of complainants, including provisions for transparent communication, timely resolution, and fair treatment throughout the complaint-handling process. By establishing clear procedures and safeguards, the regulation aims to uphold complainants’ dignity and privacy rights, building trust in the data protection framework.

2. The Rights of Parties under Investigation (Controllers and Processors): Recognizing the importance of due process and procedural fairness, the regulation also outlines specific rights afforded to parties under investigation, including controllers and processors of personal data. These rights encompass principles of transparency, access to information, and the opportunity to present a defense. By ensuring parties under investigation have adequate recourse and procedural protections, the regulation aims to uphold the principles of fairness and accountability in data protection enforcement actions.

3. Streamlining Cooperation and Dispute Resolution: A central tenet of the regulation is the promotion of smoother cooperation and effective resolution of disputes among EU Member State Data Protection Authorities (DPAs). The regulation establishes mechanisms for improving collaboration, information sharing, and coordination among DPAs through detailed guidelines and frameworks, particularly in cross-border cases. By encouraging a culture of cooperation and mutual assistance, the regulation aims to expedite the resolution of disputes and promote consistency in enforcement actions across the EU. Additionally, the regulation provides avenues for alternative dispute resolution, such as mediation and arbitration, offering more flexible and efficient means of resolving conflicts.

It’s important to note that the Commission’s new procedural regulation does not affect any major elements of the GDPR, for instance, the rights of data subjects, the obligations of data controllers and processors, or the lawful grounds for processing personal data as set out in the Regulation.

What You Need to Know about GDPR in 2024

As we approach the halfway mark of 2024, the regulatory landscape surrounding data protection in the European Union remains dynamic and action-packed. Data protection laws continue to evolve, with critical developments in various areas poised to shape the future of information governance in the region.

We can expect the European Commission to publish a review of the EU GDPR toward the middle of 2024. Although major changes are not likely, the Commission will delve into areas where the implementation of GDPR is complicated, including:

  • The exercise of data subject access requests (DSARs)
  • The application of the GDPR in small to medium-sized enterprises (SMEs)
  • International transfers and the impact of the GDPR on approaching innovations and new technologies

One standout is that the EU Council has recognized the compliance burden on smaller businesses, as well as the need to provide better guidance and practical tools to these entities.

Pan-European Collaboration

We also foresee increased enforcement of the Digital Services Act (DSA) and Digital Markets Act (DMA), alongside heightened cooperation among regulators concerning privacy, competition, and consumer protection. The European Commission will continue collaborating with national authorities to enhance the enforcement of pivotal EU regulations like the DSA and the Artificial Intelligence Act.

For instance, to improve DSA oversight, on December 19, 2023, the European Commission entered into an administrative agreement with the Authority for Consumers and Markets (ACM), the Dutch competition and consumer authority, to support the Commission’s supervisory and enforcement powers under the DSA, explicitly targeting significant online platforms. This collaboration will prioritize practical exchanges of information, data, best practices, methodologies, technical systems, and tools with the Dutch authority, mirroring similar arrangements with other nations such as France, Ireland, and Italy.

Additionally, the European Commission may adopt the GDPR Procedural Aspects Regulation this year, aiming to streamline procedural facets of data protection investigations and enhance the effectiveness of the GDPR’s “one-stop shop” mechanism.

Rise in EU Privacy Collective Actions

The EU Directive on Representative Actions prompted several Member States to revise their procedural laws to facilitate collective redress, and it is set to further fuel the trend toward collective redress within the region. Recent rulings by the Court of Justice of the European Union (CJEU) regarding non-material damages, particularly its affirmation that there is no threshold of severity for non-pecuniary damages to be compensable under the GDPR, are likely to stimulate an increase in collective redress claims.

Numerous privacy cases are already in progress. For instance, in September 2023, two nonprofit organizations initiated a class-action lawsuit against Google in the Netherlands, alleging violations of European privacy laws and demanding cessation of consumer tracking and profiling, along with compensation for what they term as “widespread privacy infringements” under the EU’s data protection regulations.

In December 2023, global technology firm Adobe also became embroiled in a large-scale privacy lawsuit in the Netherlands over allegations of unauthorized cookie placement and data sharing. A nonprofit organization filed a lawsuit on behalf of 7 million internet users in the country, seeking compensation and urging the company to delete unlawfully collected data from these users.

Continued Clarification on Key GDPR Principles

We anticipate several judgments and cases from the CJEU concerning the GDPR, as currently the Court is handling multiple data protection cases. Among these, some pivotal issues include whether individuals whose personal data has been unlawfully transferred onward by a controller possess the right to obtain a prohibitory injunction against further unlawful onward transfers, even if they haven’t requested data erasure from the controller (C-655/23); and the extent of “meaningful” information regarding profiling that a data controller must disclose in response to an access request (C-203/22).

Furthermore, we can expect a surge in new privacy-related cases addressing the implementation of other significant legislation, such as the Data Act, Digital Services Act, Digital Markets Act, or even the AI Act.

Critical Privacy Themes

In 2024, we are likely to see further guidance and enforcement on key privacy themes such as AI, children’s privacy, and cookies. The European Data Protection Board (EDPB) has outlined its intention to release guidance concerning the handling of children’s data, the processing of data for medical and scientific research purposes, and blockchain technology.

Data protection authorities will maintain a proactive stance on enforcement, as shown by the increased use of urgent binding procedures by various EU Member States in the domain of targeted advertising last year.

The enactment of the DSA, DMA, Data Act, and AI Act may facilitate an escalation in enforcement measures relating to personal data. Regarding AI, the EDPB established AI task forces as early as 2023, such as the ChatGPT Task Force to regulate AI chatbots and forthcoming AI-related innovations.

At the domestic level, EU Member States issued guidelines on specific AI subjects, such as generative AI (notably France, Germany, Luxembourg, and Spain), to ensure the responsible development and utilization of AI systems in anticipation of the adoption and implementation of the AI Act in the EU. In addition, we anticipate further guidance and enforcement concerning AI in 2024.

What Are the Top Categories of Violation Businesses Are Being Fined For?

According to the GDPR Enforcement Tracker, the top three categories are “insufficient legal basis for data processing,” “non-compliance with general data processing principles,” and “insufficient technical and organizational measures to ensure information security.”

Falling Foul of Regulators

Many organizations have suffered severe consequences for violating the Regulation in the past few years. The GDPR enables independent Data Protection Authorities (DPAs) to impose fines on entities found to be in breach of it.

There are two tiers of administrative fines that can be levied as penalties for non-compliance, depending on which articles are held to be infringed:

  • Up to €10 million, or 2% of annual global turnover – whichever is higher
  • Up to €20 million, or 4% of annual global turnover – whichever is higher

Some of the major factors weighed when setting a fine are the nature and duration of the infringement, whether it was intentional or negligent, and how the organization handled the event once it became aware of the infringement. The more serious the offense, the higher the fine. These fines regularly amount to millions of euros. Penalties have increased year over year: by 2021, we saw Amazon fined €746 million, and in 2023, Meta was fined a record €1.2 billion.

The past few years have been expensive for some. In 2023 alone, approximately €2.1 billion in fines were imposed in the EU due to Regulation violations.

Meta in hot water

Ireland’s Data Protection Commission (DPC) determined that Meta violated the GDPR’s rules on international data transfers. As a result, Facebook’s parent company faces a landmark fine of €1.2 billion for mishandling personal data during transfers between Europe and the United States. At the core of this breach is Meta’s reliance since 2020 on standard contractual clauses for data transfers to the U.S., the sole approved method for such transfers between the EU and the U.S., contingent upon ensuring an adequate level of data protection — something Meta failed to uphold.

Alongside the fine, Meta has been instructed to align its data transfers with GDPR standards. The penalty imposed on Meta pertains to the inadequate protection of European users’ Facebook data during transfers to the United States, a violation deemed by the European Data Protection Board particularly egregious due to its systematic, repetitive, and ongoing nature.

Meta could have avoided this penalty had it taken steps to comply with the GDPR from the start. More specifically, it should have obtained explicit and valid consent from users to collect and process their personal data for targeted advertising.

Amazon’s non-compliance

In 2021, Luxembourg’s National Commission for Data Protection (CNPD) imposed a historic fine of €746 million on Amazon Europe for its use of customer data for targeted advertising. The fine stemmed from a complaint filed in 2018 by the French privacy rights group La Quadrature du Net, which also targeted Apple, Facebook, Google, and LinkedIn. This complaint, representing over 10,000 customers, alleged that Amazon engaged in manipulative practices by selectively determining the advertisements and information customers received for commercial purposes. In response, the CNPD mandated that Amazon revise its business practices.

Had Amazon secured “freely given,” informed, and unambiguous opt-in consent prior to placing cookies on its users’ devices, it likely could have avoided this massive fine.

TikTok’s failure to shield underage users

Also in 2023, the Irish Data Protection Commissioner (DPC) levied a fine of €345 million against TikTok for several violations. These breaches included exposing the accounts of users aged 13-17 to default public settings, failing to provide transparent information to these users, and neglecting to verify whether the adult participating in the ‘family pairing’ scheme was indeed a parent or guardian. Additionally, the DPC determined that TikTok overlooked the potential risks posed to underage users accessing the platform.

TikTok could have avoided this fine by ensuring strict compliance with privacy regulations, including implementing default privacy settings for underage users, providing transparent information, verifying adult guardians in family pairing schemes, and conducting comprehensive risk assessments to safeguard underage users.

Criteo unclear on cookies

Also in 2023, the French Data Protection Authority (CNIL) imposed a €40 million fine on Criteo, an online advertising specialist, following complaints from the nonprofit organizations Privacy International and None of Your Business (NOYB). CNIL’s ruling stems from Criteo’s failure to ensure that its partners, such as publishers, obtained user consent for the use of Criteo’s cookies.

Although its partners primarily bear responsibility for securing user consent, CNIL held Criteo accountable for verifying that such consent existed. Article 7(1) of the GDPR states: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.” The €40 million penalty constitutes approximately 2% of the company’s global revenue.

Criteo should have made sure its privacy notices and other communications were clear, concise, and comprehensive, and it should have been able to demonstrate that consent had been obtained, even though it was not the organization responsible for requesting that consent.

More clarity for Clearview

In 2022, Italy’s data protection agency fined facial recognition company Clearview AI €20 million for violating EU law, after its investigation found that the firm processed personal data unlawfully, including biometric and geolocation information.

Additionally, Clearview AI failed to meet its transparency obligations by not informing users about the use of their selfies and by using user data for undisclosed purposes. The company also refused to acknowledge it was at fault; in each instance in which it was sanctioned, it adopted the same approach, denying that it had committed any breach and denying that the data protection authority had jurisdiction.

Remaining GDPR Compliant in an Evolving Landscape

Even five years down the line, it’s clear that some organizations still misinterpret the GDPR and need to stay informed about regulatory developments.

Understanding the GDPR of five years ago is essential and serves as a foundational knowledge base. However, relying solely on past insights is not enough in the rapidly evolving landscape of data privacy and regulation.

The GDPR, like many regulatory frameworks, is continually refined and reinterpreted through court cases, regulatory guidance, and technological advancements. To remain compliant and mitigate the risk of fines or penalties, businesses must stay abreast of these changes.

Embracing ongoing education and actively monitoring updates ensures organizations align their practices with the current legal expectations for GDPR. Moreover, by staying proactive and adaptable, businesses uphold their legal obligations and foster trust with their customers, demonstrating a commitment to safeguarding personal data in an ever-changing digital world.

Learn how Fortra’s Alert Logic security solutions can help you reach and maintain your compliance objectives.

About the Author
Kirsten Doyle
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data center.