Insight
April 8, 2019

EU Regulators Publish First-Year Review of GDPR

Last month, the European Data Protection Board (Board), composed of EU member state data protection authorities, published its first report (Report) on the implementation and enforcement of the EU General Data Protection Regulation (GDPR) since May 25, 2018. The Report notes that cross-border regulatory enforcement actions are increasing and EU privacy regulators are cooperating efficiently to investigate GDPR violations.

Key Findings:

  • Investigation and Enforcement: The majority of the 206,326 cases (as of February 2019) involved individual complaints and data breaches. The total amount of GDPR fines for the reporting period is €55,955,871.
  • Cooperation and “one-stop shop”: Regarding the functioning of the “one-stop shop” (the mechanism that empowers the member state regulator where a company has its “main establishment” to lead oversight, investigations, and enforcement), 45 procedures were initiated by regulators from 14 EU countries, and 6 final decisions were issued. These actions involved data deletion and other rights requests, the “lawful basis” for processing (e.g., consent or “legitimate interest”), and data breach notifications. The Report highlights an increase in the one-stop shop.
  • Consistent GDPR Interpretation: The Board adopted 28 ‘consistency’ opinions to promote consistent application of the GDPR by the various state regulators (including in relation to the ePrivacy Directive). In addition, opinions on binding corporate rules and draft standard contracts between controllers and processors will be issued in the coming months. However, the Report is silent on the issuance of long-awaited processor-to-processor Standard Contractual Clauses for transfers.
  • Budgets and Staffing: The majority of EU regulators reported an increase in their GDPR regulatory budgets and headcount for 2018-2019.

Key Takeaways:

The Report confirms the regulators’ commitment to effectively protecting individual privacy rights through enforcement of the GDPR. Companies operating in the European Economic Area should monitor developments, including the release of additional interpretative guidance, GDPR enforcement activity and applicable court decisions. The GDPR’s promotion of cooperation among regulators appears to be playing out as anticipated. Nonetheless, in light of the French action against Google (discussed here) it remains to be seen whether the analysis employed by the French regulator concerning the one-stop shop will be followed in future actions involving established technology companies with multiple EU affiliates.


Goodwin’s Data, Privacy and Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical advice on all aspects of information-related management, including the establishment of comprehensive privacy programs, audits, transactional due diligence and compliance with domestic and international privacy laws.

Goodwin’s European team includes a former Department of Homeland Security Chief Privacy Officer, Gretchen Scott (London), Federica De Santis (Boston) and Jacqueline Klosek (New York).