GDPR: A Year in Review and the Need for Clarity

As the first year of GDPR’s governance comes to a close, the hysteria has subsided, but the reality of the reach of GDPR is all the more real. Since its May 25, 2018 effective date European State Data Protection Authorities (“DPA”) have received more than 64,000 data breach notifications. Those 64,000 notifications have resulted in more than €56,000,000 ($62,500,000) in fines issued under enforcement actions.

A portion of these fines are a result of the privacy law’s vague provisions. For example, Poland’s DPO issued a fine of over €220,000 ($245,600) to a digital marketing company, Bisnode, for not adequately notifying data subjects that their personal data was being processed. Bisnode collected and processed personal data from sources of public record of 6 million data subjects and thus was under an obligation to notify the data subjects of the processing. Bisnode notified a group of the data subjects via email, but it did not have email addresses for 5.7 million of the data subjects. The postage cost alone (not including administrative costs) to notify those 5.7 million data subjects via mail would have been €8 million. Instead, Bisnode posted a statement on its website to notify the remaining data subjects.Since its May 25, 2018 effective date European State Data Protection Authorities (“DPA”) have received more than 64,000 data breach notifications. Those 64,000 notifications have resulted in more than €56,000,000 ($62,500,000) in fines issued under enforcement actions.

GDPR Article 14 provides that notification to data subjects of the processing of their personal data is not required when it is “impossible or would involve a disproportionate effort.” Bisnode took the stance that the substantial cost associated with the notification involved a disproportionate effort. Poland’s DPA did not agree. Poland’s DPA noted that there were other means of communication that could have been utilized to notify the data subjects, such as SMS messaging for those data subjects whose telephone numbers it possessed.

While this fine is relatively small, it sets a dangerous precedent. It could require companies of all sizes to undertake the immense burden of locating data subjects around the globe. Further, it will force companies to weigh the costs and benefits of taking the risk of being fined versus the cost of notification. The latter is not in the spirit of protecting data subjects’ personal data as GDPR policymakers set out to do.

There is a need for European policymakers to provide more GDPR guidance, and quickly. Companies big and small subject to GDPR cannot be left to roll the dice to escape risk large fines at the risk of data subject’s personal data.