By now, the EU General Data Protection Regulation hysteria has hit a fever pitch. You're either ready for it, or you're sweating. The focus has shifted from "What does the GDPR mean?" toward "What will happen to me on May 26?" At the Privacy Bar Forum's event at the Global Privacy Summit last week, Irish Data Protection Commissioner Helen Dixon and Covington & Burling's Henriette Tielemans were on hand to give lawyers in the room a heads-up on what to expect.
At a session called "GDPR Enforcement: What happens on May 26, 2018?" Dixon and Tielemans, who advises a number of clients on GDPR compliance, aimed to alleviate some of the fear of the unknown surrounding regulators' expectations and priorities.
While Tielemans acknowledged most of the questions she fields from clients are on what kind of fines to expect, Dixon was quick to remind the audience that the fines, up to 4 percent of a company's global turnover, are the worst-case scenario.
"There's lots of uncertainty and lots of angst," Dixon acknowledged. "There will be fines, and they will be significant. But a lot of the conferences I go to, I like to twist it back around to remind everyone what the GDPR is, which is about accountability backed up by ex-post enforcement under Article 83. I think it is quite clear that when we do identify an infringement that's of the gravity, duration and scope that is serious, then we are obliged considerably to administer an administrative fine."
The fines will go to the larger entity at fault in cases of subsidiaries and parent companies, just like in competition law, and there are different fining mechanisms for companies and individuals, Dixon assured. But, she added, that's only at "the end of a very long path that has demonstrated a lack of accountability and an infringement."
Despite eagerness from those who will fall within the GDPR's scope, Dixon isn't overly concerned with listing enforcement priorities now, because she's quite sure data subjects will lead regulators to the most pervasive problems.
"Our first priority will be to be responsive to the risks and trends we identify in relation to complaints lodged," she said.
However, she did offer up that she anticipates the GDPR's 72-hour breach notification provision "may open up floodgates," as it will make visible to DPAs a "whole range of abuses and failure to secure personal data" that the DPAs would previously have been unaware of. "This is going to set up reactive priorities."
As for proactive priorities for DPAs (which will come together under the GDPR's newly formed European Data Protection Board once the Article 29 Working Party is dissolved), Dixon said, "To the extent we have any resources left, we already publicly announced transparency is going to be a key enforcement priority. We're starting with transparency because we think it's key. The exercise of rights simply can't happen if there hasn't been transparency." She added that although the GDPR requires consent to be both well informed and freely given, the emphasis there is really on being well informed.
And that's a focus area Dixon has been dissatisfied with to date.
"Privacy notices as they've evolved in legalese are far too opaque to data subjects," she said, noting she sees language in policies like "we may use your data" for X, Y, and Z. "In other contexts, what does it mean? Looking at what I've been purchasing with my credit card? We think those phrases should be avoided where possible. Examples of how personal data in the past was used to improve products should be given to the users, so they understand the limits."
Yet to be ironed out for Dixon and her peers are the logistics of how the EDPB will communicate among its members. Right now, they're basically sending massive emails, which obviously isn't sustainable. DPA staff members are looking into various messaging platforms and training on them. But even so, it's unclear what kind of volume each data protection authority, and the board in general, will face come May 26.
Another hurdle is waiting for member states to catch up: Each state must pass a national law to bring its framework up to speed with the GDPR's requirements, but no more than 50 percent will have done so by May. That's important because in many cases, arbitration decisions will be made according to the law of the third-party member state, depending on where the infraction occurred. Part of the complication for states to date has been deciding on the appropriate age threshold on children's access to information services, for example. While the majority have gone toward the age 13 threshold, some member states have opted for age 14, 15 or even 16.
For now, both Tielemans and Dixon recommend setting up a main establishment so as to take advantage of the one-stop-shop mechanism when the GDPR comes into play. And the main establishment should be selected based on where the decision-making about data processing happens.
"For a lead regulator for the one-stop shop, you need a main establishment. You lose a lot of the benefits of the GDPR if you're unable to come up with what your main establishment is," Tielemans said.
Dixon added, "The bottom line advantage of the one-stop shop is [companies] are subject to one decision, one appeal and one fine, they're not subject to the jurisdiction of lots of supervisory authorities and therefore fines in the member states." If you don't set up that main establishment, you're opening yourself up to "a much more complex array of enforcement actions."
For now, privacy pros had better get moving, or face an EDPB looking to center its priorities on those who didn't heed warnings like Dixon's.