Happy birthday, GDPR: five lessons from five years of EU data protection law

In the five years since the European Union’s General Data Protection Regulation came into force, what have been the main learnings for business, and what will the future hold?

On 25 May 2023, the European Union’s General Data Protection Regulation will have been in force for five years.

It may not be an occasion that you mark with cake and candles, but for those of us in the data protection world it is an important anniversary and a moment to reflect on the huge changes that this landmark legislation created.

So what have we learned over the past five years?

GDPR made the European bloc a leader in digital policy and gave citizens expansive rights as to how their data was used, but its implementation has been - and still is - a long and sometimes challenging process.

When it came into effect in 2018, many businesses struggled to understand what was required and how they needed to change. Regulators responded by providing guidance and collaborating with businesses to help them understand what was expected of them. By 2020, the gloves were off and we entered a new era of enforcement with multi-million euro fines issued to international companies.

Over the past five years organisations have developed a much more sophisticated understanding of the field of data protection. Many now understand the benefits of looking after their data, including measures that demonstrate their accountability, such as privacy management programmes. Companies have also stepped up their investment in this area and it is now a board-level issue at many organisations.

But while understanding of the GDPR has improved, key issues around its interpretation and application are far from settled. The past five years have illustrated that data protection in Europe is a dynamic area requiring companies to be nimble, understand the EU and local context and have robust strategies in place.

On GDPR’s fifth birthday, we round up some of the big lessons we have learned from the first five years of implementation to help companies tackle the next five years:

Be willing to adapt

When GDPR was introduced many companies assumed that they could create a privacy policy, file it away and then largely forget about it. In reality, GDPR is constantly evolving.

We see new technologies, such as artificial intelligence, emerging, new guidance being issued on a national and EU level and new data protection cases hitting the courts. It means that companies need to be ready to adapt their policies and governance on an ongoing basis.

One clear example of how GDPR has evolved is in the area of data transfers.

Back in 2018, companies had a level of stability in how they moved data between the EU and US. Many companies relied on the transatlantic ‘Privacy Shield’ agreement as a legal basis to transfer data. Others relied on the European Commission’s standard contractual clauses (SCCs) as the legal basis to transfer data to the U.S. and other third countries.

That all changed in July 2020 when the Austrian privacy activist Max Schrems won his court case at the European Court of Justice (ECJ). The ruling invalidated the Privacy Shield agreement and provided further binding case law on how companies assess the impact of national security laws in third countries when using SCCs. For the past three years companies have faced much uncertainty about how to safely and legally transfer personal data to the US and compliance costs have increased significantly.

For the past three years, the U.S. Government has been negotiating with the EU Commission the terms of a new framework to replace the Privacy Shield. On October 27, 2022, President Biden signed an Executive Order that will hopefully lead to a new EU-US privacy framework. The new arrangement addresses the two main issues raised in the ECJ ruling regarding national security data collection and redress mechanisms for EU residents.

The European Commission, together with the member states and data protection authorities including the European Data Protection Board, will proceed to assess and approve the new framework. The U.S. will establish a new Data Protection Review Court to ensure compliance by agencies and companies, and update the privacy principles under the new arrangement.

It is unclear how long these processes in the EU and US will take, but we are hopeful that U.S. and European governments will reach a new agreement on data transfers within the next few weeks. Max Schrems has also indicated he will challenge the new proposed legal framework in the EU courts.

Even if the new framework is passed it will likely come under legal scrutiny by the ECJ. This serves to illustrate how even GDPR issues that appear to be settled can and do change. We expect this to continue as new technologies become more widely adopted in the years to come.

As such, companies need to similarly keep an eye on how the privacy landscape is evolving and be nimble in adapting their own policies and governance.

Take note of the local context

When GDPR was first introduced, many business leaders hoped it would provide a consistent and harmonised approach to data protection across Europe.

In many ways, it has achieved this. Businesses now have more clarity about what is expected of them, particularly when it comes to being transparent around how data is used and what customer consent is needed to collect personal data.

But there is still a great deal of nuance in the way that different national data protection authorities interpret the GDPR, investigate breaches and identify emerging themes. It means that we see many different ‘flavours’ of GDPR across the bloc.

For instance, local regulators in Germany, Spain, France and Belgium regularly issue their own guidance on specific GDPR topics. In Luxembourg and Ireland, by contrast, the regulators have taken a more hands-off approach, seeking guidance at European level from the Data Protection Board.

Different regulators also have different priorities for the coming years. In Belgium, the regulator is focused on the use of biometric data by employers, while in France the regulator is looking at data collection through smart cameras in the lead-up to Paris hosting the Olympic Games in 2024. And, at a European level, the authorities are prioritising compliance with the rules on data protection officers.

These nuances in local GDPR interpretation mean that companies need to work with advisers who have a good grasp of the distinct local context of each European jurisdiction as well as broader EU initiatives in order to understand what is expected of them.

Spotlight on the UK

The UK has sought to chart its own course on data protection since Brexit.

While the UK has kept GDPR as its data protection law since its exit from the European Union, the British government is planning to reform how certain rights and principles work. We expect these changes to be an evolution rather than ripping up of the GDPR rulebook given that the government has recognised the importance of maintaining adequacy with the EU. The UK Data Protection and Digital Information Bill is currently before Parliament and should pass during 2024.

You can find more information on what is expected, including reducing barriers to innovation, here.

Have a strategy for investigations

GDPR fines can be eye-wateringly large if companies fail to comply with the rules. Penalties depend on the global annual turnover of the undertaking, which may encompass the whole group of companies to which the entity that violates the GDPR belongs. Enforcement orders can also impact business operations, business models, customer trust and company reputation.

This is reason enough for companies to take their data protection obligations seriously, but in recent years we have seen how investigations in one jurisdiction can potentially spiral into a much larger and more material business issue.

High-profile investigations can inspire regulators in other countries to launch their own inquiries against a company. The growth of class actions across the EU also means that a judgement for non-compliance in one jurisdiction can trigger potentially costly and time-consuming group litigation against a company in several other countries. That said, the CJEU recently confirmed that the mere fact that a company has violated the GDPR will not automatically award damages to an individual concerned. The individual will have to demonstrate the infringement, the material or non-material damage resulting from that infringement and a causal link between the damage and the infringement. You can find more information on this here.

That makes it imperative to have an effective cross-border strategy for dealing with an investigation as early as possible. Sometimes fines or judgements for non-compliance can be avoided altogether by effective engagement with the regulator at an early stage. But whatever the outcome, we always advise our clients to get a grip on an investigation and plan for how it might spread to other countries, as early in the process as possible.

Balance your conflicting requirements

GDPR has ensured that privacy issues have risen up the agenda for all business leaders, but data protection does not operate in a silo.

Organisations must meet all their data protection requirements yet balance this against the other demands being made on them by industry specific legislation and even their own employees.

This is not always easy for clients. For instance, some organisations are under pressure to collect and publish data on the diversity of their workforce, but this can be at odds with GDPR guidance from local regulators on the collection of sensitive employee data.

That tension between GDPR and other business requirements is only likely to increase with the new suite of digital laws coming out of the EU over the next few years, including the Digital Services Act and the AI Act. As such, we advise clients to take a sensible, risk-based approach to data protection that balances the sometimes conflicting needs of different legislation and stakeholders.

Look to the EU to see how digital governance will evolve

GDPR has not just been a landmark piece of legislation within the EU; its effect has been felt worldwide.

Lawmakers across the globe closely watched the design and implementation of GDPR. While there have been debates around the cost of compliance and whether a more risk-based approach is needed in some countries, the EU’s adoption of GDPR has prompted many countries to rethink their approach to data protection.

In the U.S., numerous states will implement stringent privacy legislation in 2023 and 2024. GDPR has also influenced recent data protection laws and reforms in countries such as Brazil, Canada and India. In APAC, lawmakers have taken inspiration from the GDPR principles of lawfulness, fairness and transparency, and have increased fines to levels similar to or higher than those in Europe. Across the region, GDPR-style legislation entered into force in 2022 and 2023, and further data protection reforms are under way. You can read more about these developments in this article.

More broadly, GDPR’s success has meant that the EU is now seen as a trailblazer when it comes to the protection of digital rights. This is a trend that will only increase as the EU brings in a suite of digital reforms in the coming years, including the Data Governance Act, NISD2, the AI Act, and the Digital Services Act. This package of measures aims to keep the EU at the forefront of digital rights.

Privacy issues are only becoming more important as we live more of our lives online and as new technologies, such as artificial intelligence, come to the fore. So we believe that business leaders across the world need to continue to keep an eye on how digital and privacy issues are evolving in the EU if they want to understand how their own market may change in the next five years.

The past five years have illustrated that data protection in Europe is a dynamic area requiring companies to be nimble, understand the EU and local context and have robust strategies in place.

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger