
Increased breach notifications after GDPR

June 27, 2018 | Expert Insights

In the first month after the General Data Protection Regulation (GDPR) was implemented, regulators across Europe saw a sharp increase in the number of complaints, showing strong public interest in the new rules.

The GDPR 2016/679 came into force on May 25, 2018 across the European Union (EU) and the European Economic Area (EEA).

Background

Data privacy is an issue of increasing concern. Governments across the world have noticed that data is being weaponized. The Russian misinformation and influence campaigns during the 2016 US Presidential elections are an example of the fact that data may be used maliciously to undermine democratic processes and institutions.

Facebook’s Cambridge Analytica scandal brought the issue of data privacy into the spotlight once more. It drew global attention to the degree of control corporations, such as Facebook, have over personal information, sparking debates on privacy and data use. Cambridge Analytica, a data mining organization and political consultancy, received the personal information of approximately 87 million Facebook users through a third-party app. Facebook has faced litigation in European courts due to this issue and is currently under investigation by the Federal Trade Commission (FTC).

The European Union has shown initiative in updating its policies to tackle cyber issues. This year alone, a German court ruled that Facebook’s use of personal data was “illegal.” Belgium banned the company from tracking non-users on third-party websites. Britain and France have begun to hold tech companies accountable for not countering inflammatory content propagated on their sites. Facebook has been fined by Spain for collecting, storing, and using data without informed user consent. The EU has slapped Alphabet with a record $2.7 billion fine for using its dominance in the industry to push its own advertising business.

In 1995, the Data Protection Directive (DPD) (Directive 95/46/EC) came into force in the EU. This directive interpreted human rights law to protect personal information. According to the DPD, “Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes”.

Analysis

On May 25, 2018, the General Data Protection Regulation came into effect, replacing the DPD in the European Union. The GDPR intends to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”. As GDPR is a regulation rather than a directive, it is directly applicable in all member states.

The GDPR provides EU citizens with new rights to access, erase, transfer, or correct any personal data held by companies that process their information. It requires organizations to manage data better and to implement personal data risk management, policies and procedures. Corporations are now compelled to notify users of data breaches and to obtain informed consent from all subjects before collecting any data on them. Customers are to be informed what their data is being used for. GDPR also provides regulatory bodies with greater powers and imposes new fines. Under the GDPR, if privacy laws are breached, a company can be fined up to 4% of its global annual turnover or €20 million. “It’s changing the balance of power from the giant digital marketing companies to focus on the needs of individuals and democratic society,” said Jeffrey Chester, founder of the Center for Digital Democracy.

The UK’s Information Commissioner’s Office (ICO) said it has seen a rise in breach notifications from organizations, as well as more data protection complaints, following the implementation of the law. The French data protection regulator, CNIL, reported a 50% increase in the number of complaints since the legislation came into effect, compared to the same period last year. Twenty-nine new cases are under investigation at the European level. In Austria, more than 100 complaints have been filed in the last month, along with 59 breach notifications, a volume the regulator typically receives over eight months.

Across Europe, the regulation has stimulated more transparency from firms that have encountered a data breach. GDPR increases maximum fines for malpractice to €20m (£17.6m) or 4% of a company’s global turnover – whichever is higher – and companies are more likely to face higher fines if they delay reporting breaches.

Isabelle Falque-Pierrotin, the head of CNIL said: “The general public is interested about all the transparency obligations, consent and all the new rights.” The response to the legislation has been a considerable number of complaints against companies, such as Facebook and Google, filed by privacy campaigners at the consumer rights organization Noyb. The complaints accuse the two companies of forcing consumers into providing “consent” for data processing in a “take it or leave it” deal, which Noyb argues is against the principles of the law.

Fearing such complaints, many companies have exited European operations entirely. Operations at the LA Times, Chicago Tribune, and other papers owned by the Tronc media group are blocked to EU readers; the Pinterest-owned reading app Instapaper has been down for maintenance for a month; and USA Today is offering those in Europe a slimmed-down, ad-free experience.

Counterpoint

The GDPR has been criticized for not going far enough. It makes no direct reference to practices such as “data mining” or “data harvesting”. It has been noted that its hefty fines could affect small businesses disproportionately. Additionally, at nearly 100 articles long, it is highly complex and weighty.

Assessment

Our assessment is that the European Union has made steps to adapt to a world where data privacy is under threat. The GDPR is a strong move to give consumers agency over their own data. We believe that the GDPR is likely to have a global impact. Companies across the world may have to adjust their business practices to comply with the GDPR. Additionally, the GDPR is a recognition of the fact that self-regulation may no longer be a viable option for technology firms. There has been a breach of trust between these firms and their users. It remains to be seen whether other nations will follow the EU in implementing regulation.