5 years of GDPR
By Grace Donnellan, Account Executive
On May 25, 2023, the General Data Protection Regulation or GDPR turns five years old. The regulation is considered by some to be the European Union’s greatest achievement and has influenced many new national, regional and local laws across the EU and further afield. However, as we approach its fifth anniversary and have the opportunity to judge the successes of the regulation thus far, there have been calls for reform to GDPR. Is it time we looked at the EU’s most famous data protection law again?
The origins of GDPR
In 2016, after over four years of negotiation, the EU adopted GDPR to replace the 1995 Data Protection Directive. Member States had two years to ensure that it was fully implementable in their countries and GDPR officially took effect on May 25, 2018. The 1995 Directive was created when the internet was in its infancy and allowed member states to control their own data protection laws. By the 2010s the EU had decided it needed new guidelines to adapt to the modern connected world. GDPR was designed to harmonise data privacy laws across the EU as well as to provide greater protection and rights to individuals or “data subjects”. It places limits on what organisations can do with people’s personal data. It has been considered the world’s strongest set of data protection rules and has influenced data protection laws worldwide including the California Consumer Privacy Act (CCPA).
One of the most talked about elements of GDPR is the ability for regulators to issue large fines to businesses and organisations that don’t comply. There are two tiers of fines that regulators can issue: up to €10 million or 2% of annual global turnover, or up to €20 million or 4% of annual global turnover. In both cases the maximum the regulator can fine is whichever figure is higher. Just this month the Irish Data Protection Commission issued a record GDPR fine of €1.2 billion against Meta. The total amount of fines issued by European data regulators since the regulation came into force currently stands at almost €4 billion.
Does GDPR need reform?
GDPR has received criticism for enforcement failures that penalise some industries over others and leave companies in the dark about how to follow its rules, with a handful of big tech companies bearing the brunt of GDPR fines. While some feel that American big tech companies are being unfairly targeted with fines, others, such as the Irish Council for Civil Liberties, have accused regulators and the EU of still being unable to police how big tech firms handle data and properly enforce GDPR.
There have also been concerns that EU Data Protection Authorities (DPAs) are underfunded and therefore unable to adequately enforce GDPR. While budgets are rising, 10 national DPAs still have budgets under €2 million.
While some ambiguity within GDPR is necessary to allow it to adapt to ever-evolving technology, overall it is considered by many to be difficult to comply with and difficult to enforce.
Despite this intentional ambiguity, concerns have also been raised about the challenges GDPR faces with new and emerging technologies such as AI. As technology that uses personal data in ever more sophisticated ways develops, organisations may face challenges in articulating how an individual’s data will be used in the straightforward, clear and transparent terms required by GDPR.
Irish law firm McCann FitzGerald and professional services firm Mazars carry out an annual survey on the impact of GDPR. Their latest survey found that 54% of Irish organisations believe that GDPR is in need of reform, with 66% stating the costs of GDPR compliance are greater than those envisaged when the Regulation commenced in 2018. 45% say supervisory authorities interpret the GDPR in a way that makes compliance more difficult to achieve. In particular, 75% of respondents agreed that complainants should be required to attempt to resolve complaints with the organisation processing their data before initiating a complaint with the Data Protection Commission (Ireland’s DPA), while 52% said that data subjects should be required to pay a reasonable fee for making a data subject access request.
Despite the criticisms, GDPR is likely still the most comprehensive and progressive data protection law globally. Nonetheless, this does not mean it is beyond reproach or reform.