One Year of GDPR: Its Impact & What’s Next for the United States
The General Data Protection Regulation (GDPR) has been in effect in the European Union for over a year, and it has significantly impacted businesses and people across the continent.1 Before GDPR was implemented, many were skeptical of its ability to initiate change or fearful of the adverse effects it would have on businesses.2
One year in, GDPR has proven many of its critics wrong by sparking global awareness around data privacy and levying fines at some of the world’s largest tech companies.3
Here’s the impact of GDPR one year in and what it means for the United States.
The Impact of GDPR in Year 1
Within eight months of GDPR going into effect, nearly 60,000 data breaches were reported across Europe4 – a significant increase from the previous annual rate of 18,000 to 20,000.5 This more than 200% year-over-year increase attests to the public’s perception of GDPR as an urgent necessity.6
“The only reason we see so much follow-through on GDPR is because people simply want — and need — to be protected in what is a fundamental human right,” said Bart Willemsen, a senior director analyst for Gartner, a research and advisory firm.
“Without a regulation like the GDPR, [consumers] would still want it. Once we accept that, and the fact that our most valuable asset often is not our data, but our customer, [we will earn] their trust.”7
Many European regulatory committees agree that data protection is a fundamental human right,8 but the financial penalties to businesses have been insignificant in comparison to the number of reported data breaches.
For example, the European Data Protection Board published a report that showed the penalties imposed under GDPR equaled €55,955,871 (or nearly $63 million USD).9 While this sum is significant, €50 million can be attributed to a single fine levied at Google in January 2019 because it lacked a clear and transparent privacy notice—that single fine accounts for 90% of the total penalties. The remainder is mostly comprised of small thousand-euro penalties that were levied at companies in Poland, Portugal, and Spain.10
Ultimately, GDPR did not initiate a large number or volume of fines in Year 1, but there are numerous ongoing investigations that could lead to significantly higher figures in Year 2.11
By January 2019, there were over 255 ongoing GDPR investigations and this number is expected to grow throughout the year.12 Facebook alone accounts for 11 of the 19 investigations that Ireland is currently leading, and other countries may follow suit.13
Additionally, the Data Protection Commission recently announced an investigation into Google’s advertising system, claiming that it broadcasts information about users to companies on each of the 8.4 million websites that operate its ad exchange.14
Based on the public awareness GDPR has created in its first year and the growing number of outstanding investigations, the upcoming 12 months look destined to be marked by more, and larger, fines as investigators build complex cases.15
“One year on, GDPR is not hype,” said Odia Kagan, a partner and chair of GDPR compliance and international privacy at Fox Rothschild LLP in Philadelphia.
“The enforcement is coming, and the changes are being taken seriously. The fact that it looks like nothing has happened is not really true. Things are bubbling under the surface.”16
GDPR in The United States
The implementation of GDPR has also raised awareness about data privacy in the United States, but there are no sweeping national regulations planned as of publication.17 In May 2019, the U.S. Senate Judiciary Committee unanimously agreed that the U.S. needs a federal privacy regulation, but there is no indication of what this will look like or when it will be implemented.18
Despite the uncertain future, many experts believe that regulation is inevitable and that federal authority would enhance consumer protection while providing flexibility to U.S. companies.19
“Federal law must also include strong enforcement provisions. As I saw first-hand when I served on the Federal Trade Commission, laws currently on the books are simply not strong enough to enable the FTC to protect privacy effectively in today’s complex digital economy,” said Julie Brill, a former commissioner of the U.S. Federal Trade Commission.
“For American businesses, interoperability between U.S. law and GDPR will reduce the cost and complexity of compliance by ensuring that companies don’t have to build separate systems to meet differing – and even conflicting – requirements for privacy protection in the countries where they do business.”20
However, many believe that the United States’ version of GDPR will not match its European counterpart. This is largely due to differing national views on data privacy.21
“Privacy and data protection are fundamental rights from the EU perspective but not in the U.S.,” said Eduardo Ustaran, co-director of the privacy practice at law firm Hogan Lovells.
“That is a major philosophical difference between the two jurisdictions, and that will be reflected in the law.” 22
While the United States’ data protection regulations would likely not directly copy Europe’s GDPR, some states have already begun implementing their own laws—for example, the California Consumer Privacy Act of 2018 was signed into law last June,23 giving people the right to understand which of their personal data belongs to various companies, where it comes from, and where it’s going. 24
Additionally, the Texas House Committee moved its privacy bill to the House floor in April 2019, showing that other states might follow California’s lead in the coming months and years.25
Indeed, the concept of differing data privacy laws by state has caught the attention of tech companies that maintain significant volumes of user data.26 To avoid these complexities, both Microsoft and Apple have called upon federal regulators to implement sweeping national regulations before additional state-led rules take effect.27
With states starting to mimic GDPR and tech giants calling for sweeping federal regulation, it’s clear that U.S. companies likely need to prepare for data privacy laws before GDPR’s second year ends.28
1. Wolff, Josephine. “How Is the EU’s Data Privacy Regulation Doing So Far?” Slate Magazine, Slate, 20 Mar. 2019.
2. Report, GDPR. “8 GDPR Myths: Busted.” PrivSec Report, 15 Mar. 2018.
3. Neidig, Harper. “One Year Later, EU Privacy Law Faces Tough Questions.” TheHill, 29 May 2019.
4. “DLA Piper GDPR Data Breach Survey: February 2019 | Insights | DLA Piper Global Law Firm.” DLA Piper, 2019.
5. Wolff, Josephine. “How Is the EU’s Data Privacy Regulation Doing So Far?” Slate Magazine, Slate, 20 Mar. 2019.
6. IBID
7. Linder, Courtney. “A Year Later, Has the EU’s GDPR Privacy Law Really Changed Tech Company Behavior?” Gazette, Pittsburgh Post-Gazette, 7 May 2019.
8. Smith, John. “Data Protection.” European Data Protection Supervisor – European Data Protection Supervisor, 11 Nov. 2016.
9. “First Overview on the Implementation of the GDPR and the Roles and Means of the National Supervisory Authorities.” EuroParl, 2019.
10. Fogg, Simon. “€50 Million Google GDPR Fine & Other GDPR Losers.” Termly, 3 June 2019.
11. “The Status of the GDPR As the One-Year Mark Gets Closer.” Workplace Privacy, Data Management & Security Report, 19 Feb. 2019.
12. IBID
13. Lovejoy, Ben. “GDPR Fines Total €56M in First Year as Facebook under Scrutiny.” 9to5Mac, 29 May 2019.
14. Neidig, Harper. “One Year Later, EU Privacy Law Faces Tough Questions.” TheHill, 29 May 2019.
15. Janofsky, Adam. “Large GDPR Fines Are Imminent, EU Privacy Regulators Say.” The Wall Street Journal, Dow Jones & Company, 3 May 2019.
16. Linder, Courtney. “A Year Later, Has the EU’s GDPR Privacy Law Really Changed Tech Company Behavior?” Gazette, Pittsburgh Post-Gazette, 7 May 2019.
17. Khalil, Fouad. “GDPR Anniversary: Where Are We on Privacy a Year Later?” MarTechSeries, 29 May 2019.
18. IBID
19. Tung, Liam. “GDPR, USA? Microsoft Says US Should Match the EU’s Digital Privacy Law.” ZDNet, ZDNet, 22 May 2019.
20. IBID
21. “In the Wake of GDPR, Will the U.S. Embrace Data Privacy?” Fortune, 2018.
22. IBID
23. Nicastro, Dom. “What Is the California Consumer Privacy Act of 2018 and How Does It Affect Marketers?” CMSWire.com, CMSWire.com, 28 Aug. 2018.
24. IBID
25. Khalil, Fouad. “GDPR Anniversary: Where Are We on Privacy a Year Later?” MarTechSeries, 29 May 2019.
26. Lovejoy, Ben. “First Anniversary of GDPR Sees Microsoft Back Apple’s Proposal.” 9to5Mac, 21 May 2019.
27. IBID
28. Khalil, Fouad. “GDPR Anniversary: Where Are We on Privacy a Year Later?” MarTechSeries, 29 May 2019.