Five Years of GDPR: A Look Back at the Impact of the EU’s Data Protection Law

Five years have passed since the enactment of the General Data Protection Regulation by the European Union. What has changed so far? Get to know the impact of the EU’s data protection law in this article.

The General Data Protection Regulation (GDPR) is one of the world’s most advanced and stringent data privacy laws. Ever since the law came into force on May 25, 2018, it has significantly impacted the data privacy paradigm in the digital space.

The law has changed the perception of people and made them aware of their right to privacy. Many big companies were fined for not complying with the regulation. Some nations have introduced their own versions of GDPR and become more aware of protecting the data privacy of their citizens.

GDPR Till Now: What Happened So Far?

The GDPR has brought about significant changes in how businesses handle personal information. It requires businesses to be transparent and accountable for collecting and processing the personal data of their customers. Users now have more control over their personal information and how it is being used by the websites.

When we look back after five years, it’s clear that GDPR has empowered individuals to have their right to privacy and made organizations responsible for handling personal data.

Big Fines and Penalties

The early years of GDPR were nightmares to big corporates like Meta and Amazon. They both have the highest record of GDPR fines. It makes sense because both eCommerce and Social Media websites heavily rely on user data for their functionality, and these are the two big names of those industries, respectively.

Meta got fined €1.2 billion for not complying with GDPR principles and transferring data outside the EU. Meanwhile, Amazon was fined €746 million by the Luxembourg National Commission for Data Protection for processing personal data without obtaining clear consent from users.

The fines sent a clear message to other companies about the importance of following the GDPR guidelines, or they could face serious financial consequences too. As the GDPR continues to shape data protection, companies need to focus on respecting user privacy and being careful when handling personal data to avoid such hefty fines.

See the complete list of GDPR fines till now.

Increased Data Privacy Awareness

Before GDPR, people weren’t much concerned about their privacy in the digital space. This is the reason why big corporates have been selling our data for years. The GDPR has awakened a sense of privacy among netizens and emphasized that digital privacy should not be a myth but rather a right of every individual using the internet.

The law heightened privacy concerns and led people to opt out of giving consent to the processing of their personal data. This has created a global need to give users control over their personal data.

We knew GDPR hadn’t been so welcoming to many companies like Facebook and Amazon. But that’s not the case for every big corporate. In 2018, Apple introduced a new website to show its customers exactly what personal data it holds on them. It also provided users with the ability to request a copy, transfer, or temporarily or permanently delete their personal data (as required by GDPR). This was a welcoming gesture from Apple towards the EU’s GDPR and was well-received in the tech world.

GDPR Outside EU

Even though GDPR was enforced to protect the rights of the data subjects residing in the EU region, it had its influence on other countries as well. Many nations took inspiration from GDPR and introduced their own versions of the data privacy law.

Now let’s have a look at some of the biggest data protection regulations other than GDPR.

UK’s GDPR

After Brexit, the United Kingdom was not part of the European Union, so citizens residing in the UK were not domestically protected by the EU’s GDPR. To protect the rights of their citizens, the United Kingdom made a carbon copy of GDPR, which came to be known as the UK’s GDPR and was enforced on January 1, 2021. So companies doing business within the EU and UK may have to consider two legal contexts, which are essentially the same law.

California’s CCPA

California Consumer Privacy Act (CCPA) was the second biggest name in the digital privacy world after GDPR. The law was introduced in 2018 and is now the biggest data privacy law in the United States. On January 1, 2023, California Privacy Rights Act (CPRA) came into effect as an amendment to CCPA.

We have detailed articles on both CCPA and CPRA, and it might be beneficial for you to give them a read.

Brazil’s LGPD

Brazil passed its national data protection regulation, Lei Geral de Proteção de Dados (LGPD), in September 2020. LGPD takes inspiration from GDPR and provides a thorough framework for governing the use and handling of personal data. It mentions the responsibilities of businesses that handle the personal data of Brazilian citizens and is one of the most publicized data privacy laws in South America.

France’s CNIL

Commission Nationale Informatique & Libertés (CNIL) is a national data protection authority of France. It is a regulatory body that has the power to enforce data protection laws in France. It can receive complaints and issue fines for violations of these laws.

The following are the laws enforced by CNIL:

  • French Data Protection Act
  • GDPR
  • ePrivacy Directive

Saudi Arabia’s PDPL

The Personal Data Protection Law (PDPL) of Saudi Arabia was a recent addition to the list, which came into effect on March 17, 2023. There is, however, a grace period till September 14, 2024, for organizations to ensure compliance with the law. The law aims to safeguard the rights of people residing in the Kingdom of Saudi Arabia (KSA).

There are even more laws and regulations inspired by the GDPR, and many nations are yet to introduce their data protection regulations. These developments align with Gartner’s prediction that by the end of 2024, around 75% of the global population will have their personal data protected under modern privacy regulations.

Major Data Breach Reporting

GDPR clearly states how to respond when a data breach has occurred. Organizations must report to the concerned authorities and to the users if their sensitive personal information is compromised. The breach reporting must be done within 72 hours.

A study report from DLA Piper says that 130,000 data breach reports have occurred since January 28, 2021. Since this report is from two years ago, we expect the number of breaches till now to cross 200,000.

Among the data breaches reported, the biggest were the data breaches that occurred at British Airways, Boots, and the BBC. These companies were attacked by hackers, which caused their employees’ personal information to be exposed. AT&T also had a breach that affected 9 million customers. The hackers got hold of customers’ first names, wireless account numbers, phone numbers, and email addresses.

EU’s Data Protection Authorities

Each member state in the European Union has established its own Data Protection Authorities (DPA), which are responsible for enforcing GDPR. These DPAs are like watchdogs that keep an eye on data privacy within the EU and deal with any complaints related to GDPR.

If a business operates in multiple member states, it might need to deal with multiple DPAs. Many countries have similar regulatory bodies to protect data privacy, but the EU’s DPAs have the most influence when it comes to enforcing privacy laws.

So these are some major changes that happened after GDPR. Above all these changes, there was an increase in global awareness and privacy concerns. Businesses were made accountable for handling customers’ personal information. The law implemented responsible data handling practices and gave more control to individuals over their personal data.

Now comes the big question:

What to Expect in the Future?

The changes that happened after five years of GDPR suggest that we can expect more strict regulations in the future. There is a rise in national data protection regulations across the world, and many Asian countries are yet to introduce their privacy laws. All these will contribute to a much bigger picture of making the internet a safer space for everyone.

But obviously, there will be challenges in the future, too, especially when Artificial Intelligence is so common and continues to evolve. With the large volume of data transfers happening around the world, current data protection laws may not suffice against the potential threat to individual privacy.

Even a well-rounded data protection law like GDPR has its flaws when it comes to the regulation of AI data processing. Law enforcement should be proactive instead of reactive. There is no point in discussing data privacy when it is already lost. We must stay ahead of potential threats and take measures to safeguard data privacy before it’s too late.

Conclusion

The General Data Protection Regulation was a stringent law that significantly influenced data privacy in the digital world. After five years of its implementation, the law continues to be one of the strictest privacy laws in the world. Many nations took inspiration from the EU’s GDPR and implemented their own national data protection regulations.

In such a data-driven world, it’s great to have laws like GDPR that give individuals more control over their personal data. But legislation can’t always keep pace with technology and scientific developments.

With the rapid developments in the field of Artificial Intelligence, can data protection laws like GDPR make a significant impact in the coming future? Well, we have to wait and see. Nevertheless, there is hope in the proposed AI Act, which aims to address concerns related to automated data processing by AI.

What’s your say on this? Do you believe data privacy laws can protect us from potential threats caused by Artificial Intelligence? Share your thoughts in the comments.

Disclaimer: This article was intended for informational purposes only and does not represent legal advice. We have no intention of obtaining any kind of attorney-client relationship. If you are looking for legal advice, we recommend you contact a professional.

Article by

Content Writer @ WebToffee. Specialized in WordPress and eCommerce. When I am not writing, I enjoy my downtime with a good cup of coffee and a movie.
