The ongoing data privacy challenge: Will European businesses comply?


The European Union Agency for Cybersecurity (ENISA) has examined how technologies can support personal data sharing in practice, while global law firm DLA Piper focuses on how European businesses must pay closer attention to GDPR legislation.

The European Union Agency for Cybersecurity (ENISA) recently published its report on how cybersecurity technologies and techniques can support the implementation of the General Data Protection Regulation (GDPR) principles when sharing personal data.

“In an ever-growing connected world, protecting shared data is essential if we want to generate trust in the digital services,” said Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity. “We therefore need to rely on the technologies at hand to address the emerging risks and thus find the solutions to best protect the rights and freedoms of individuals across the EU.”

Data today is at the heart of everything and central to our economy – it has therefore been coined the new currency. No transaction or activity can be performed online nowadays without the exchange and sharing of data. Organisations share information with partners, analytics platforms, public bodies and other private organisations, and the ecosystem of parties involved is growing exponentially. Although data is routinely taken from devices or from organisations and shared with external parties in order to facilitate business transactions, securing and protecting that data should remain a top priority, and adequate solutions should be implemented to this end.

Since the GDPR came into force in May 2018, regulators have been coming down hard on organisations failing to comply. In the year since 28 January 2022, European data regulators issued €2.92 billion (US$3.10 billion/£2.54 billion) in GDPR fines – a 168% increase on the previous year – according to global law firm DLA Piper.

The organisation has published the 2023 edition of its annual GDPR and Data Breach survey revealing total fines issued for a wide range of GDPR infringements and the league table of fines issued by country since January 28, 2022. The survey covers all 27 Member States of the European Union, plus the UK, Norway, Iceland and Liechtenstein.

Among the largest fines levied were those against Meta Platforms Ireland Ltd. (Meta), demonstrating that social media, with its reliance on extensive processing of personal data, has been a particular focus of regulatory action. Several of the largest fines imposed against Meta this year by the Irish DPC relate to Facebook and Instagram’s behavioural profiling of users and whether the lawful basis of ‘contract necessity’ can be used to legitimise the mass harvesting of personal data. While the Irish DPC originally concluded that this was possible, the influential European Data Protection Board disagreed. The resulting fines raise serious questions about the grand bargain struck between consumers and service providers and how ‘free’ online services will be funded going forward. Given what’s at stake, DLA Piper expects these decisions to be appealed, followed by years of litigation.

The survey also reveals that the volume of data breaches notified to supervisory authorities decreased slightly against the previous year’s total. The average daily total dropped from 328 notifications per day to 300 per day this year. This may in part be a sign that organisations are becoming more wary of notifying data breaches to regulators for fear of investigations, fines and compensation claims.

While personal data issues around advertising and social media have dominated headlines this year, there is a growing focus on Artificial Intelligence and the role of personal data used to train AI. Most prominently this year, multiple investigations into facial recognition company Clearview AI took place following complaints by digital rights organisations, including Max Schrems’ organisation, My Privacy is None of your Business (NOYB), with several fines issued. As AI and Machine Learning (ML) platforms continue to become more ubiquitous, the survey predicts more regulatory investigations and enforcement in the year ahead, with a focus on both providers and users of AI.

The survey also reports some notable decisions made by data protection supervisory authorities this year considering the application of the Schrems II and Chapter V GDPR requirements to specific international transfers of personal data. Data protection supervisory authorities have argued that it is not possible to adopt a risk-based approach when assessing transfers of personal data to ‘third countries’, in essence arguing that transfers are prohibited if the mere possibility of foreign governmental access gives rise to any risk of harm (however trivial and however unlikely).

Commenting on the survey, Ewa Kurowska-Tober, Global Co-Chair Data Protection and Cybersecurity at DLA Piper, said: “A proportionate, risk-based approach to the interpretation of GDPR’s restrictions on international transfers of personal data is not just permitted but, in our view, legally required. Adopting an ‘absolutist’ approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks real lasting harm to consumers. Transfers have many benefits for consumers and for society, by ensuring the rapid development and rollout of vaccines, by enabling effective oversight and regulation of business and by providing access to online services enjoyed by billions of people. We hope that supervisory authorities reconsider the absolutist approach adopted in these early enforcement decisions.”

Ross McKean, Chair of the UK Data Protection and Cybersecurity Group, added: “The spate of Irish Data Protection Commissioner fines targeting the behavioural advertising practices of social media platforms this year have the potential to be every bit as profound for the future of the ‘grand bargain’ at the heart of today’s ‘free’ Internet, as Schrems II has been for international data transfers. Given what’s at stake, we can expect years of appeals and litigation. The law is very far from settled on these issues.”


Intelligent CIO Europe
