GDPR after the storm: an update
GDPR after the storm: what's the current status?
As of 25 May 2018 the General Data Protection Regulation is in full effect in the Netherlands. A year and a half, and hundreds if not thousands of cookie notifications, later: what have the consequences been in practice, and what became of the big penalties that were threatened?
Looking back
The new European law was announced in 2016: the GDPR would come into force in May 2018. Up to that point, few rules had been set for the online collection of personal data. More importantly, the rights of website users were not specifically guaranteed in legislation. The GDPR changed this: "asking permission" became more or less central, as did the rights of the user. Want to know more about the how and why of the GDPR? Read more about it here.
Agitation in the run-up to the GDPR
Many organizations were, consciously or unconsciously, in violation of the GDPR. Before, there had been no need for them to think about the privacy of their users. The announcement of the GDPR also marked the first time that significant fines were attached to collecting data (read: personal data) without permission: up to 20 million euros or 4% of total annual turnover.
In the year leading up to the GDPR, there was a lot of speculation about the fines. Big data was a "hot topic" at the time, and many organizations wondered whether they suddenly had to stop. There was a sense of uncertainty; nobody really knew what the introduction of the GDPR would mean for companies.
Dutch Data Protection Authority
Following the AVG legislation (the Dutch name for the GDPR), the 'DPA' was established, known as the Dutch Data Protection Authority. Before the announcement of the GDPR and the extension of the commission, the Data Protection Authority was named after the Personal Data Files Act. The main task of the DPA is to supervise compliance with the GDPR by Dutch companies and to protect the data of Dutch citizens. Every country has its own comparable administrative body, like the FTC (Federal Trade Commission) that supervises compliance with the GDPR in America.
Complaints
Since May 2018, consumers can report complaints via the DPA site. On 9 September 2019, the DPA announced in a news report that in the first half of 2019 it received more than 15,000 complaints from consumers about violations of their privacy rights. This is a sharp increase compared to the previous year, when "only" 9661 complaints were reported over the whole year.
The sectors with the most complaints are business service providers (46%), the government (14%) and the IT sector (13%). Most complaints concern the provision of data to third parties without permission, or the failure to handle a request for access to or deletion of data (correctly).
Challenges and fines
A problem the DPA currently experiences is that the flow of complaints is growing faster than the organization can keep up with. As a result, it is not (yet) able to handle all complaints in a timely manner, which partly explains why large fines for violators in the aforementioned sectors have still not materialized.
That, of course, does not mean the DPA isn't doing anything. If you look at the sectors where the DPA does actively investigate, you can see that it has chosen a clear direction. This mainly concerns organizations that handle a lot of special categories of personal data, such as hospitals with medical records, and government institutions such as the Tax Authorities and the UWV.
In general, during an investigation or complaint handling the DPA will first contact the organization concerned and give it a chance to get its affairs in order. In most cases, organizations respond promptly and sufficiently, and no further sanctions follow. Nevertheless, the DPA imposed a penalty of €50,000 on Menzis early this year for not complying with the privacy rules, as it recently reported in a news article on its site.
Larger fines have already been imposed across the border. For example, YouTube received a $170 million fine in September of this year for placing cookies that track children's surfing behavior. This happened without the permission of parents or guardians.
Jurisprudence
The GDPR is intentionally vague and broadly formulated so that it covers as much as possible. Further case law will show how it should be applied in practice.
On the one hand, this is enormously frustrating for marketers. On the other hand, it also leaves room to find loopholes in the law. For example, there are currently hundreds of cookie banners that do not actually comply with the GDPR, yet nowhere are there concrete requirements laid down that a cookie banner must meet. This has started to change in the meantime. In November 2018 the DPA determined that cookie walls are in conflict with the GDPR, and in October 2019 the European Court of Justice ruled that no valid permission is obtained when the checkboxes in a cookie banner are ticked in advance.
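The two rulings above translate directly into how a consent banner and the code behind it should behave. The following is an added example (not code from the original article or from any named project) that models a consent gate honouring both: optional categories start unticked, content is never locked behind the banner, tracking cookies are only emitted after an affirmative tick, and withdrawal resets everything. The category names, cookie names and Set-Cookie header samples are constructed for illustration.

```javascript
// Constructed mapping from cookie name to consent category. "essential" cookies
// are needed for the service itself and may be set without consent.
const COOKIE_CATEGORY = {
  session_id: "essential",
  csrf_token: "essential",
  _ga: "analytics",
  _fbp: "marketing",
};

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// Build the banner model. Every optional box starts unticked: a pre-ticked box
// is not valid consent (ECJ, October 2019). Nothing is locked behind the banner:
// a cookie wall is not valid consent either (Dutch DPA, November 2018).
function newBanner() {
  return {
    checkboxes: Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false])),
    blocksContent: false,
    decidedAt: null, // stays null until the user actively decides
  };
}

// Record the user's choice. Only categories the user actively ticked (true) are
// granted; anything missing from the form stays refused.
function recordDecision(banner, ticked, now = Date.now()) {
  const granted = {};
  for (const c of OPTIONAL_CATEGORIES) {
    granted[c] = ticked[c] === true;
  }
  return { ...banner, checkboxes: granted, decidedAt: now };
}

// Withdrawing consent resets every optional category to refused.
function withdrawConsent(banner, now = Date.now()) {
  return recordDecision(banner, {}, now);
}

// Decide whether a cookie may be set under the current consent state.
function maySetCookie(banner, cookieName) {
  const category = COOKIE_CATEGORY[cookieName];
  if (category === undefined) return false; // unknown cookie: refuse by default
  if (category === "essential") return true;
  return banner.decidedAt !== null && banner.checkboxes[category] === true;
}

// Filter a list of Set-Cookie header values so only permitted cookies survive.
function filterSetCookie(banner, headers) {
  return headers.filter((h) => {
    const name = h.split("=", 1)[0].trim();
    return maySetCookie(banner, name);
  });
}

// Access to content never depends on consent (no cookie wall).
function mayAccessContent(banner) {
  return banner.blocksContent === false;
}

// Constructed Set-Cookie headers as a backend might emit them.
const SAMPLE_HEADERS = [
  "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.555; Path=/; Max-Age=63072000",
  "_fbp=fb.1.777; Path=/; Max-Age=7776000",
];

// Walk through the lifecycle: before any decision, after ticking analytics,
// and after withdrawal. Returns how many of the sample cookies survive each stage.
function demo() {
  const fresh = newBanner();
  const afterAnalytics = recordDecision(fresh, { analytics: true });
  const afterWithdraw = withdrawConsent(afterAnalytics);
  return {
    beforeDecision: filterSetCookie(fresh, SAMPLE_HEADERS).length,
    afterAnalytics: filterSetCookie(afterAnalytics, SAMPLE_HEADERS).length,
    afterWithdraw: filterSetCookie(afterWithdraw, SAMPLE_HEADERS).length,
  };
}

console.log(demo());
```

The design choice worth noting is the "refuse by default" branch in `maySetCookie`: a cookie that is not in the category map is treated as non-essential and blocked, so a newly added tracking script cannot slip past the gate simply because nobody classified it.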
Given the current challenges of the DPA, I suspect it will be a few years before it is ready to investigate and possibly fine the more commercial sectors. Until then, it will mainly act when there is a specific reason to do so, for example a substantial data breach or a large number of complaints.
So far the GDPR has mainly made organizations more aware of the personal data of their users. It is also good that users themselves are more aware of what data they leave behind where, and of their rights with regard to giving and withdrawing consent.
In hindsight, all the unrest and threats of fines were exaggerated, and I don't think organizations should suddenly start worrying about huge fines in the coming years. The core message remains, in my opinion: think about what personal data you collect and why, and handle it the way you would want others to handle your data. So my advice: ask nicely for permission, and be open with your users about what you collect and why. In most cases, you'll be GDPR compliant.