GDPR: why are we waiting?
12 October 2018
In the days leading up to the deadline for the General Data Protection Regulation (GDPR) on 25 May 2018, one would have been forgiven for thinking the day after would see letters falling through letterboxes throughout Europe with fines of €20 million or up to 4% of global turnover.
Many organisations, in attempts both to encourage compliance and to encourage spending on compliance, made much of these unprecedented levels of fines now at the disposal of regulators.
And while fines of that magnitude are well within the confines of the regulation, we have not, as yet, seen such sanctions being applied. This has led many to question why not, and to speculate that the pre-deadline noise and fuss was akin to the oft-cited Millennium Bug that never was. Now this is a bad analogy because if you ask any of the ancient language programmers who came out of retirement to work on it, it was not just a significant issue, but a thorny one at that. But what controversial issue in the digital world is not beset by bad analogies?
Anyway, I digress.
The fact remains that since the May deadline we have had the Google tracking scandal, as well as the Facebook privacy case and now the hack affecting potentially 90 million users.
Added to all the above are the Veeam breach of some 4.5m personal account details from a marketing database exposure; eir’s 37,000 PIDs lost on an unencrypted stolen laptop; the Ticketmaster malware-harvester breach; and, of course, the BA.com incident.
It would appear the regulators have no end of ammunition and can potentially pick and choose their cases.
So what is happening?
Well, it is complicated.
First of all, there are issues of whether the incidents are actually covered under GDPR, and of which regulator has jurisdiction.
When it emerged that Google was using user tracking, even when in some cases users thought such tracking had been turned off, many jumped immediately to GDPR conclusions and looked to the Data Protection Commissioner (DPC) here for reaction and indication of what was going to happen.
The response was less than inspiring.
The DPC responded by saying that Google had not yet officially incorporated its data protection residency in Ireland, and as such, there was little that could be done bar monitoring. That was, of course, unless someone made a specific complaint.
I’d say that one might run a bit yet.
But surely some of the other cases are more clear cut and should produce something sooner?
They might, but a good bit of reporting from David Meyer at the International Association of Privacy Professionals website looks at why GDPR fines might be a lot slower in coming than we might have at first expected.
Speaking to Marit Hansen of the Unabhängiges Landeszentrum für Datenschutz (ULD), Schleswig-Holstein, the equivalent of our DPC for that German state, Meyer asks about the fact that ULD has already issued desist orders against some organisations’ processing of EU citizen data, making it one of the first such authorities to do so.
Hansen admits the cases were against webcam operators and were mostly in train before the GDPR deadline. However, Hansen gives some indication of the timelines involved in prosecution and the issuing of fines, even in what are referred to as open and shut cases.
Initial exchanges after a breach is notified or comes to light, covering acknowledgements and the submission of accounts, would take a couple of months. The regulator would write to the affected organisation and give them a month or so to respond. This could go through a few rounds until enough information is gathered to make an assessment. Hansen said that even if this initial process yielded enough to make an assessment, there would still be a facility for the breached organisation to react and comment. This could take another month per move on each side.
Overall, in a well-defined, clear-cut case, Hansen reckoned a fine within six months would be doing very well.
Where there was an ongoing investigation of a breach, contested evidence or a lack of speed in response, things could easily drag out for a year or more.
So, will Facebook face a $1.63 billion fine for its latest incident, as many are speculating? Well, yes, possibly, but for all the reasons outlined above, not any time soon.
It is highly unlikely that any such large-scale incident would be so cut and dried as to produce an assessment resulting in a fine that would go uncontested by organisations with deep pockets, if only to maintain a principle.
To apply this back to GDPR and the May deadline, anything that happened post-deadline, even if under investigation, is probably still only in early stages of case processing by regulatory authorities.
This means that even the highest profile cases, from July, August and onwards are only likely to result in assessments that might indicate whether fines are appropriate by December at the earliest, with the likelihood being that the thornier cases might take up to a year.
While there was a certain fervour around May of 2018 as the deadline approached, there may be an even greater flap around May of 2019 as early cases complete their investigation and consultation phases and move toward issuance of fines.
There is no arguing with due process and it is only right and proper that all due diligence is applied as breaches are breaches and everyone involved is entitled to justice. However, it does not do much for public confidence to have such regulation trumpeted widely, demonstrated with every cookie confirmation and data gathering permission form, and yet a yawning emptiness as regards implementation.
I’m not advocating for pitchfork mobs storming the offices of egregious flouters, nor for the same to turn up outside a certain upstairs premises in Tullamore, but a more visible indication of the efforts of the DPC and its sister agencies throughout Europe might go a long way to ensuring that public support is maintained while the fit and proper investigations are underway before outcomes are obvious.
As the regulations are there to protect citizenry, perhaps they deserve some indication of what is going on in their interests to prevent apathy and fatigue that might disengage them from defending their right to privacy.