Christopher Perrin | Senior Manager | Law | +44 20 7951 2768 | Chris.Perrin@uk.ey.com
A recent report from the Irish Data Protection Commission (DPC), the lead data protection authority for a large number of global blue chip tech companies operating in Europe, shows a significant increase in privacy complaints and data breach notifications since the EU’s General Data Protection Regulation (GDPR) came into force in May last year.
The DPC’s report shows that in 2018 the DPC received more than twice as many complaints in the months post-GDPR (2,864) as it did in the months prior to the GDPR coming into force (1,249). Significantly, the total number of complaints received in 2018 (4,113) was 36% more than the DPC received in 2017 (2,642). These numbers suggest the GDPR encourages data subjects to exercise their rights in respect of their personal data which is being processed by corporates.
“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism…” resulting in “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data…”, states Ireland’s commissioner for data protection in the report.
Businesses relying on processing the personal data of EU citizens should be particularly wary of the potential consequences of non-compliance with the GDPR as the data supports the claim that data subjects are now more willing to make formal complaints to EU data protection regulators under the GDPR.
As a reminder, GDPR empowers EU regulators to impose significant financial penalties on companies which breach the GDPR (as high as the greater of 20 million euros and 4% of annual turnover). However, we are yet to see any EU regulator impose anywhere near the maximum fine. Perhaps corporates (including tech giants) who process the personal data of EU citizens should be more concerned by the ability of data protection regulators to impose conditions upon how they process such data including, in extreme cases, ordering the data controllers to stop processing such data altogether. Whilst highly profitable companies may be able to allow for fines as part of their financial planning, data-centric businesses could be crippled by being subject to such a condition.
It is still early days but, as the number of high-profile investigations by EU regulators continues to increase, the GDPR could lead to a fundamental shift in the way some tech giants process personal data, with transparency and consent at the forefront.