GDPR: The journey so far
General Data Protection Regulation is a law that had millions of people on their toes even before it came into force. Companies across the globe that could be impacted by the regulation have taken various measures to be compliant with this regulation. Even though people were taking it seriously, there was always the nagging question as to how successful would the law be in action. Well, with GDPR firmly in its place for nearly 8 months now, it is apparent that the regulation has been a success. In our previous articles, we have dealt with how this regulation has impacted the data subjects, the data controllers as well as the processors. Indubitably, it is a law that was the need of the hour and so far it looks like it has been effectively implemented and is here to stay.
The first ruling on GDPR was passed on 29th May 2018, i.e., within 5 days of the implementation of the law by a German court in case number 10 O 171/18 (Judgment in German). The court was called upon by Internet Corporation for Assigned Names and Numbers (ICANN), to rule on an issue related to the applicability of the General Data Protection Regulation. Further, the fate of the regulation became clear when nearly 4000 complaints were lodged in 18 out of the 28 countries of the European Union within the first month of implementation of the regulation. Moreover, with more and more data subjects becoming vigilant about their data privacy, the number of requests and complaints is constantly increasing.
As per a survey conducted in October 2018, the European Data Protection Board claimed that more than 42,230 complaints had been lodged across Europe. The numbers may be even higher when we take into consideration that the GDPR also allows citizens to file lawsuits directly with courts.
It’s not just individuals, but also data privacy activists who have filed complaints against tech giants for violation of data privacy under GDPR. Austrian privacy campaigner Max Schrems has already launched legal broadsides against internet giants. He has filed three complaints worth a total €3.9bn against Facebook and its subsidiaries, WhatsApp and Instagram, via regulators in Austria, Belgium and Germany. He has also filed another complaint worth €3.7bn in France, focused on Google’s Android mobile operating system.
It is therefore evident that GDPR has had a wide impact all over the world and has strengthened data privacy laws manifolds. Even though it has been established that the penalty of 20 million euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, will be applicable in extreme cases, the courts have the discretion to levy pretty high fines on the data controllers or processors for violating a data subject’s rights or being non-compliant with GDPR.
Even though GDPR has been a boon for data subjects, it has a few downsides too. A major side effect of GDPR implementation is that the Internet Corporation for Assigned Names and Numbers (ICANN) WHOIS database could “go dark,” detrimentally impacting public safety, and the security and stability of the Internet. The WHOIS database plays an indispensable role in ensuring good governance, accountability, and transparency for the Internet. The success of GDPR as a policy depends on whether it allows data privacy to coexist with other important policy priorities, such as cybersecurity. While ICANN is still working toward a solution where the WHOIS database is compliant with GDPR, the database had become harder to access even before the implementation of the law as some registries and registrars limit access to avoid potential GDPR fines.
Limiting the information or the ability of those with a legitimate purpose to access information in the WHOIS database will undermine the security of the internet, resulting in an uptick of cyber criminals as well as spam and phishing attacks in your inbox.
Another issue has been that many companies have already opted out of the European market. GDPR poses a threat to any company processing the data of an EU citizen. Therefore, certain companies are avoiding involvement with the European market altogether. The cost of complying with the new law has already forced companies to close key businesses or shut down entirely. Not only this, the law has also impacted the smaller companies and start-ups which may think twice before investing in the European market.
All and all, it is apparent that the General Data Protection Regulation has impacted the companies worldwide. Many countries have adopted GDPR in order to ensure that the European Union deems them fit for data transfer. Considering more than 120 countries have data protection laws in place, the challenge now becomes ensuring interoperability and the movement of data between these different privacy regimes.
Therefore, it is safe to assume that the General Data Protection Regulation has widely been a successful law and is here to stay. In our next article, we will deal with how GDPR has been a torch-bearer for data privacy laws in other parts of the world.