The implementation of the General Data Protection Regulation (GDPR) across European countries has been far from homogeneous – and it would be no surprise if large multinationals factored nations’ different stances on GDPR into their decisions on where to set up headquarters.
What is more, the European Union (EU) has done almost nothing to prepare for the impending tsunami of technology coming from China, a country whose privacy culture is worlds apart from that of the EU.
By 25 May 2019, the first anniversary of the implementation of GDPR, €56m of fines had been issued – and €50m of that was a single fine imposed on Google by France.
In terms of sanctions, France has taken by far the hardest stance. Not only did CNIL, the French data protection authority (DPA), fine Google €50m, but it also fined Bouygues Telecom €250,000, Uber €400,000, Dailymotion €50,000 and Optical Center €250,000.
European countries have clearly demonstrated different strategies on penalties. Also, they have set up different structures for implementing the regulations. In Germany, for example, DPAs are organised on a German state level – but there is also a separate DPA at federal level, with jurisdiction over telecom and postal service companies. The result is that Germany has 17 data protection authorities, instead of just one.
Another area where European countries disagree is in their interpretations of some of the finer points of GDPR. For example, Austria’s DPA ruled that all a data controller has to do in response to a request for data deletion is to remove individual references to that data.
Nations have also demonstrated differences of opinion on how to calculate fines. For example, some local legal authorities in Germany have argued that the GDPR fines imposed in that country should be calculated according to German law, which would result in much lower fines than those imposed at the European level.
Perhaps the most important difference in interpretation by the different countries lies in determining who imposes – and, ultimately, collects – the fine. When France’s CNIL issued its €50m fine on Google, it danced around the GDPR’s one-stop-shop rule that says a company will be fined in the country that hosts its headquarters – in Google’s case, Ireland.
The CNIL argued that Google had no main base in the EU in relation to the fine in question, because all decisions concerning the processing of data related to Android and Google accounts were made at the company’s headquarters in the US.
In stark contrast to France, many other EU countries have taken softer approach, investing most of their efforts into educating companies and issuing warnings, rather than imposing fines right away. Such differences in communication strategies lead to different perceptions of risk among data controllers from one country to another. These differences in perception may partially explain the differences in the number of data breaches reported.
A report by DLA Piper on the number of breaches notified during the first eight months of GDPR indicates that the top three countries in terms of number of data breaches – the Netherlands, Germany and the UK – had almost twice as many breaches reported than in all the other EU countries combined. DLA Piper reported that many organisations had notified authorities largely because they knew they could suffer heavy sanctions for not notifying.
“If there is a breach, we will notify the authorities and cooperate very closely with them to understand what really happened and for them to judge how far to go with a fine,” said Hanah Hennig, CIO of German-based manufacturer Osram. “If you do not meet the obligations, you have to pay the fine.”
However, many companies are left hanging after they report a breach. According to DLA Piper, the large number of notifications has created a backlog and many organisations have to wait a long time to hear back from regulators whether action will be taken against them for the breaches they reported.
Given the disparate interpretation of GDPR across the EU countries, it is no wonder that data controllers are befuddled – but they are not the only ones. Citizens are, too. All the, often confusing, data privacy messages that started to appear after May 2018 have certainly made browsing the internet a little more arduous.
“We need to simplify the message of GDPR,” said Giovanni Buttarelli, European data supervisor. “We need to invest more on training. Many citizens in the EU are not well informed about their rights.”
One of the other big issues to be addressed is how to handle technology coming in from outside the EU. Big data and artificial intelligence (AI) will pose the biggest problems, especially as China plays a growing role in those two technologies.
The EU has already invested a lot of effort in getting around the fact that the country where most of the data is stored – the US – has different views on data privacy than the EU. Thanks to bilateral agreements – (Safe Harbor, then Privacy Shield – EU-based data controllers feel safe in storing data on servers from certified US companies.
“We use Microsoft Azure as well as IBM private cloud,” said Osram’s Hennig. “They all have their datacentres in Europe. My understanding is that if they have the Privacy Shield framework, then you are protected to some degree. Also, we apply standard model clauses in contracts with US suppliers. Of course, a company can never protect itself against criminal minds, but you can look to make sure the cloud provider has the right behaviour for security.”
While the EU has done a good job of harmonising with the US, it may have to take a different approach for China. “In China, if you say you need privacy, it is interpreted to mean you have something to hide,” said Buttarelli. “The country has an entirely different approach to privacy, and that will clash with our views on privacy in the future.”
He added: “Today we are in a dialogue with Silicon Valley, and we have worked out a way to do business together in a way that ensures the protection of privacy in accordance with EU regulation. But by 2021 and 2022, the globalised Chinese systems will be prevalent. If they want to be operational in the EU, they need to have a dialogue with us.”