The Irish data protection regulator has unveiled a progress report on GDPR on the first anniversary of the rules, perhaps defending itself from a perception of inaction.
As Europe’s lead regulator for GDPR, the Data Protection Commission (DPC) is in an incredibly important position. It is supposed to lead the bloc into an era of increased privacy and data protection, though considering its economy is largely dependent on the very firms GDPR has been designed to punish, it is a tricky position.
Despite some suggesting GDPR is failing to live up to the promise of holding the technology giants accountable, the DPC has defending its positions, actions and ambitions.
“The GDPR is a strong new platform from which we can all demand and drive higher standards of protection of our personal information,” said Commissioner for Data Protection, Helen Dixon.
“As the national supervisory authority, the Data Protection Commission (DPC) is firmly committed to its role in public enforcement of the new law, while also working hard to provide guidance to sectors as they seek to comply with the new requirements.
“The DPC is grateful for the positive and energetic engagement with the GDPR that we have seen from all quarters, particularly from consumers and concerned persons who have raised queries about the processing of their personal data with the office.”
Looking at the numbers, 6,624 complaints have been received since the introduction of GDPR, while 5,818 valid data security breaches were notified. 54 investigations have been opened, 19 of which are cross-border investigations into multinational technology companies and their compliance with the GDPR. Last week, the DPC announced its most recent investigation into Google.
Interestingly enough, more than half of these investigations will see either Facebook, WhatsApp and Instagram as the focal point. The question which remains is whether the rules are having a material impact on data protection and privacy across the world?
According to the International Association of Privacy Professionals, more than 500,000 data protection officers have been appointed at firms across the world, while more than 200,000 instances of data breaches have been reported. However, the largest fine which has been levied at one of the internet giants is €50 million.
Back in January, French data watchdog CNIL fined Google €50 million for various different violations of GDPR. These violations included a lack of transparency, overly complicated wording and inaccessible information on how a user’s data is being collected, stored and processed. This might serve as a wake-up call for the ‘normal’ companies across the world, but it is might not be considered a deterrent for the worst offenders, the tech giants who collect billions in profit each year by monetizing data.
As mentioned previously, the DPC is in a slightly precarious position. Ireland will want to protect the interests of the technology giants due to the role the industry plays in the country. The technology sector has largely been credited with saving Ireland from economic recession a decade ago, and now employees a significant number of individuals. The industry has also fuelled a rise in entrepreneurship, creating bright prospects as the world strides towards the digital economy.
Reading between the lines, this is perhaps the rationale behind today’s announcement from the DPC. It is working to uphold the promise of GDPR.
What is worth noting is one year is not a lot of time. Investigations into complaints will take months on months, due to the number of companies involved, collections of statements and all the relevant information, and the complex nature of data processing business models. The big data machine is incredibly complicated and understanding whether there have been any violations of rules is even more so; some clauses and sections made grey areas to be exploited.
One year one, GDPR has clearly had an impact on the world, but whether this is enough of an impact to create a privacy-orientated digital society still remains to be seen.