GDPR: The First Six Months
December 2018 marks almost seven months since the European Union’s GDPR (General Data Protection Regulation) was enacted, resulting in a shake-up of privacy practices in Europe and around the world. Since then, what has been the effect of the GDPR? What actions have been taken so far, and what is on the horizon for data privacy? Have any fines been enforced? Let’s take a look at what has happened over the past few months.
GDPR: Day 1
May 25, 2018: The GDPR was brought into force. This day marked what should have been a culmination of efforts by both public and private sector organizations to bring their privacy practices into compliance with the new regulation. An immediate effect, felt even before the official enforcement date, was an abundance of work being done by many organizations to bring their practices into line with the regulation. This is a result of the wide scope of the regulation – the fact that it applies to any organization that handles the data of European citizens, including those physically outside of Europe – and the sizeable fines for non-compliance, in the range of tens of millions of Euros. This is a regulation that’s not easy to ignore, and so most organizations worked diligently to understand the regulation, and follow it as closely as possible. May 25, 2018 marked the first day that regulatory authorities could begin to investigate and challenge the privacy practices of organizations, and of course, issue fines. This day was not really an end to GDPR preparations as much as the beginning of living with the GDPR on an ongoing basis.
Operating Day-to-day with the GDPR
Summer 2018: In the months that followed, organizations would need to continue to use their new privacy procedures, and address any privacy concerns raised by customers or employees. Effective organizations would also use this time to continue to evaluate the effectiveness of their privacy practices, and decide what is working and what could be improved. Many people were also waiting to see the first actions taken by regulatory authorities regarding the GDPR, as these would set the tone for enforcement overall and help with interpreting the regulation.
Related Laws Brought into Force
June 28, 2018: The California Consumer Privacy Act of 2018 was signed by the governor of California. Only a month after the start of the GDPR, the state of California in the United States signed its own privacy law, set to go into effect as of January 2020. Privacy analysts have drawn many similarities between this law and the GDPR in the way data privacy is approached. Though perhaps not entirely because of the GDPR, the way it brought data privacy into the news and to the forefront of public attention made it a political issue to deal with. Similarly, technology companies have been meeting with the United States federal government to discuss bringing in a federal law regarding data privacy, as data privacy is currently handled at the state level. Many major technology companies are saying that consumer trust regarding data handling is an important issue today. They also see the benefit of extending some of the principles they use for European customers to their American customers as well. In these ways, the GDPR is helping to encourage other countries to introduce similar privacy legislation.
First Action Taken
September 20, 2018: The first formal enforcement action under the GDPR was served. A notice was issued by the Information Commissioner’s Office of the United Kingdom against Canadian technology and political consultancy company AggregateIQ (or AIQ). In the wake of the uncovering of widespread misuse of Facebook profile data, most notably by American data firm Cambridge Analytica in March 2018, AggregateIQ was investigated for possible ties to the firm, specifically the use and retention of similar Facebook data for its own political marketing. While the Facebook-related scandals played out early in 2018, the current GDPR notice was issued over concerns that the company continues to retain and process unlawfully held Facebook data, long after the time it was initially collected. This first enforcement notice is an important development and will help set the tone for what sorts of breaches will be subject to major fines in the future.
November 2018: Google is accused of not following the GDPR. A more current and developing story concerns accusations made by consumer groups from seven different European countries against Google. The problem stems from Google’s location tracking, and the complaints come as a result of what the European Consumer Organisation (BEUC) calls “deceptive practices” around informing consumers about the nature of location tracking, and not giving them a proper choice regarding its use. As one of the world’s largest technology companies, a formal GDPR complaint against Google (and its parent company Alphabet Inc.) is a big deal. Though it may be some time before this particular situation is resolved, it will be interesting and educational to see how Google handles this complaint, and how regulatory authorities choose to act on it.
Luke Henderson is privacy officer at Velsoft Training Materials.