The GDPR: origin, rationale and key principles. Record-breaking fines, legal discussions on controversial legislation – the GDPR is clearly reshaping the data protection landscape.
Why was the GDPR implemented and why does it appear to be so successful?
What is at stake?
In our ultra-connected world, where the amount of data circulating is growing exponentially, the issue of personal data protection is fundamental. But why the GDPR?
With the evolving technological standards for processing personal data, the older European directives on privacy protection have become outdated.
Each country applies them differently, and the fines levied in case of non-compliance are relatively small, making them insufficiently dissuasive and thus failing to ensure the appropriate safeguards for personal data processing.
Given the extent to which companies benefit economically from the collection, use and transfer of our data, strong European regulations have become vital.
Whether in marketing, advertising, human resources, management, organization, or security, big data is everywhere. The reality is simple: we no longer know how our data is being used, why, or by whom. Worse, with the emergence of sophisticated profiling, we are losing control over our own decisions. Consent, which should be at the core of most processing, is not always requested, and the rights and freedoms of individuals are often ignored.
GDPR – or the largest EU lobbying campaign
The emergence of single European framework empowered to levy heavy penalties thus became essential. The General Data Protection Regulation, or GDPR, came into force on May 25, 2018. Given the financial stakes in play (GAFA, etc.), the text gave rise to the biggest lobbying campaign in the history of the European Union.
The GDPR does not hinder innovation. Quite the opposite.
Why the GDPR?
The GDPR is not intended to prohibit or prevent organizations from implementing data-related technologies. On the contrary, it’s about making companies accountable in order to protect the rights and freedoms of individuals and the interests of all players.
Anything is possible as long as the required measures are taken:
- transparency toward individuals when data is processed (especially concerning the purposes, i.e. why the data is being collected and processed)
- security and confidentiality of data, and analysis and documentation of the reasons for, and limits of, the processing
- accountability of subcontractors by the principals.
The new regulation requires organizations to comply with the GDPR and to designate their own data protection officer.
The CNIL, which is the French supervisory authority for enforcing the GDPR, has enhanced auditing powers and can levy fines of up to 2-4% of an organization’s global annual revenues. The main purpose of these fines is to encourage compliance.
What are the GDPR sanctions?
The main reason behind the GDPR’s current success – in terms of communication and awareness by organizations – is the amount of the fines it imposes. Under the previous French legislation, for example, administrative fines for violating data protection rules were capped at €150,000, and twice the amount for repeat offenders. And that’s not to mention the supervisory authority’s need for investigative powers to conduct investigations.
For companies whose business consists in making huge profits off the data they process, those amounts were insignificant.
With the GDPR it’s a whole new ballgame. Record fines are approaching those imposed by the supervisory authorities in competition law (e.g. abuse of dominant position, illicit agreements). GDPR fines are scaled according to a company’s revenues:
- 2% of global annual revenues for minor infringements
- 4% for serious violations
There are actually several types of sanctions.
GDPR Sanctions: Formal notice
The GDPR requires that each EU member state designate a supervisory authority that is responsible for its application in that country. The authority can receive complaints from data subjects or initiate unsolicited audits. In either case it is empowered to:
- on-the-spot and documentary audits
- Request documents
- Obtain testimony, etc.
On completion of the investigation, the authority may give legal notice and order the audited entity to take a series of compliance measures such as:
- implement security measures
- suspend or terminate processing
- delete data
Administrative fines under the GDPR
If the corrective measures taken by the entity following a formal notice are inadequate, the supervisory authority may consider that a fine is necessary to ensure GDPR compliance. The GDPR and European authority guidelines provide the criteria for evaluating the amount of the fine.
Key criteria are:
- the number of data subjects
- the duration of the breach
- the level of knowledge that the entity had of the breach
- whether the entity has a collaborative relationship with supervisory authority
- whether the breach involves sensitive data.
GDPR fines can be as high as €20,000,000 or 4% of an entity’s global annual revenues, whichever is higher. There are of course remedies against these sanctions.
The amount of the fines may vary greatly. For example, the French supervisory authority may fine a real estate development company up to €400,000 for a failure to secure tenant data, while a company such as Google could be fined up to €50,000,000.
GDPR judicial sanctions
The GDPR is applied and enforced by the supervisory authorities, but like any legal text, it can also be upheld by the regular courts. If an individual or group of individuals (i.e. class action specifically provided for the protection of personal data) considers that they have been harmed through a GDPR breach, they may seek redress through the courts.
If several companies, acting either as controller or processor, were involved in a single data processing activity that proved harmful to an individual, the GDPR firstly protects the individual.
The companies in question bear joint and several liability towards the data subject: the latter obtains full damages from either company regardless of their respective shares of responsibility, which will be determined by the concerned companies at a later time.