GDPR: Our privacy is no longer left stranded and finally gets some protection
It’s been more than 3 years since the EU’s GDPR entered into effect, and the impact that this regulation has had on the world can no longer be ignored: personal information and privacy protection have become a hot topic. Enforcement is still far from perfect, but we’re heading in the right direction.
By Adv. Idan Ben Yacov
According to recent publications, China’s National People’s Congress has released a draft of its personal information protection law, whose principles have been inspired by the GDPR. The draft follows up on several existing privacy protection laws in China, which are unclear and therefore not easy to implement.
It is not clear whether this is yet another excuse for the Chinese administration to enhance its control over information in China (and consequently, its political and economic control) or whether the newly proposed legislation is intended to provide authentic protection for Chinese citizens against foreign elements. Realistically, it is probably a bit of both. In any event, even China has “surrendered to” or is “riding the wave of” the trend that has taken Europe and the world by storm: personal data protection.
In the last few years, privacy protection has become a hot topic, even in popular media. As our lives center on mobile devices and smartwatches, more and more actors try to use this to make a profit (at best) or to amass the power to control large populations (at worst). The age-old proverb – “knowledge is power” – is truer than ever.
Will we see more security for our personal data? Or should we simply become resigned to the fact that our personal information is now free-for-all?
More than 1,000,000,000 EURO in fines
The GDPR, a set of rules and regulations laid down by the European Union, entered into effect more than three years ago. Its purpose is to govern and provide guidelines for any contract, connection, establishment, etc. that uses (one way or another) user data or personal information – and, as we all know, this effectively means the majority of contracts and connections taking place today. The GDPR also governs the interactions between the user who generates the information and the company that stores and uses it, including the ability and manner in which such data may be transferred between states (within and outside of the EU) or to any third party.
Due to the EU’s economic scale, once the GDPR was enacted, the rest of the world had to follow suit. Israel has also adjusted itself to the GDPR, with a suite of bridging legislation and agreements regarding privacy protection that it has taken on and applied to its citizens. These agreements relate to various privacy issues, and include adjustments to the unique attributes of the Israeli market.
Since 2018, the EU has imposed more than 661 penalties. Until recently, Italy led the chart with the highest penalties, but Luxembourg (CNPD) has now taken the lead, with a huge (or maybe not huge enough, depending on whom you’re asking) 746 million EUR fine imposed on Amazon for GDPR violations.
In the 12 months between July 2020 and July 2021, the aggregate number of GDPR violations went up 113.5%. 332 fines were imposed in 2020 compared to 709 in 2021. Penalties imposed by EU regulators went up 124.92% – from 130.69 million EUR in 2020, to 290.96 million EUR in 2021.
The top fines were given to technology giants, such as Amazon, with the 746 million fine as mentioned, and Google, which on July 18, 2021, received a 60 million penalty from the French regulator. Google Ireland does not lag far behind, with 40 million EUR in fines. The French regulator has also imposed a 35 million fine on Amazon Europe Core.
A drop in the ocean
These numbers sound impressive and seem to show that the regulation is working well. But there are still quite a few problems with which the regulators have been unable to contend. Testimonies from violating corporations indicate that it takes at least 3 months before the regulator starts investigating. While breaches may be dealt with at some stage, the violation of rights is not prevented. This is probably because the enforcement teams dedicated to this complex regulatory task are not big enough.
Johannes Caspar recently resigned from his job as Hamburg Commissioner for Data Protection and Freedom of Information. The GDPR is “broken” and has “massive flaws”, certainly in reference to the large tech firms, he said. Caspar explained that he was frustrated by the existing model, which requires collection of data and consent from various data protection agencies. Caspar specifically criticized the Irish enforcement agency, which plays a key role in trans-border decisions involving large tech firms operating in Ireland.
But the main problem that Caspar points out is simple: For the big corporations, the fines are negligible. The regulators are lagging behind.
For example, 28 breaches by large tech companies operating in Ireland have been investigated, but the local agencies only imposed the first fine at the end of 2020 – USD 547,000 against Twitter, for unauthorized exposure of private tweets. Germany was among the loudest critics of this amount.
More awareness, greater concern
At the same time, privacy has taken center stage, and is now the focus of everyone’s attention. The general public is more aware and more concerned. There is more at stake than unlawful operations such as NSO’s alleged surveillance.
It is now clearer than ever that companies are required to maintain dedicated data security controls in order to reduce the risk of unlawful use of customer data, and that they must continuously monitor compliance.
I believe that this trend will only intensify. Therefore, every organization must retain advisors to adjust its activity with respect to privacy matters. It is imperative to prepare for future operations, set up internal monitoring and control systems, and verify compliance with the constantly changing domestic and international privacy laws.
Adv. Idan Ben-Yacov of Ben-Yacov Law Firm handles privacy law, real estate and wealth management, and consults mature and startup companies.