Servus from Munich!
“GDPR: strong on paper, weak on enforcement?” These were the opening words from Undine von Diemar of Jones Day back in September while speaking at the IAPP Data Protection Intensive: Deutschland conference in Munich.
Looking back, the first year of the GDPR might not have been as drastic as many expected, but fines in the EU still amounted to roughly 56 million euros. This seems to reflect a "one-year grace period" after the 25 May 2018 application date, during which data protection authorities have been drowning in work.
From my conversations with different regulators in Germany, they will focus even more on enforcement and cut back on advising companies in the near future.
German DPAs in different states, for example, have internally announced they will start broader audits not only of larger international organizations but also of small- and mid-sized entities. They are likely to focus on "minimum standards," such as implementing a proper privacy management system, and on records of processing activities, IT security and vendor management. The new accountability requirement is quite often underestimated, so companies should make sure they do not only meet the requirements but are also able to demonstrate that they do. From my perspective, this is something that can only be effectively addressed by using privacy management software.
The “enforcement tracker,” operated by law firm CMS Hasche Sigle GmbH, provides a detailed overview of fines and penalties in the EU under the GDPR.
Also, Helen Dixon, Ireland's privacy commissioner, recently announced at the IAPP conference in Washington that her office will take legal steps against a variety of big tech companies soon.
The German DPAs also took a progressive position on website tracking, basically requiring explicit opt-in for all types of individualized tracking, even when based on pseudonymized data. Should this become an EU-wide standard (and the European Data Protection Board is likely to have a say on this, as well), it might become close to irrelevant for most companies whether we see an additional ePrivacy Regulation at the end of the day. We expect this decision to be challenged in courts.
The Austrian DPA, in addition, decided that a news company would be allowed to let its users choose between a tracking-free, subscription-based model and free access to the website in exchange for accepting intensive user tracking. If this should make it to the EDPB, we might see similar offerings from other consumer-facing companies that rely on comparable website tracking.
This year is also likely to bring news on international data transfers, including the EU-U.S. Privacy Shield and, even more importantly, the EU model contracts (the standard contractual clauses). With a traditional focus on data transfers to the U.S., the EU will also have to decide whether it can and will apply the same standards to China, with its increasingly important IT sector.
So, clearly, there will be a lot of topics to cover at the next bilingual IAPP DPI: Deutschland conference 18 to 19 Sept. in Munich. Hope to see you there!