The fifth anniversary of the implementation of the European Union’s General Data Protection Regulation (GDPR) is approaching in May. The European Data Protection Board (EDPB) and many national regulatory bodies quietly agreed to “go easy” on businesses and institutions while they became acquainted with the laws and learned how to follow the new mandates during their operations. However, the latest report by DLA Piper’s cybersecurity and data protection team shows that the monetary total of fines increased by 50% in 2022 compared to the previous year. The report also includes contributions regarding the Baltics from our Sorainen GDPR specialists.
Top corporate offenders for GDPR violations included ad-tech and social media companies. However, when it comes to the total value of GDPR fines imposed in each country since the date of implementation, the Baltics ranked in the bottom half. Estonia and Lithuania make up the bottom four, while Finland ranked just above Latvia. Average daily breach notifications in the EU went down in 2022 to 300 per day, while in 2021 the number was 328. While the declining number could reflect more sophisticated cybersecurity procedures, it could also signal a decrease in self-reporting to avoid investigations and fines. Despite the troubling statistics on fines, there are many precautionary steps EU companies and institutions can take to promote GDPR compliance.
Invest in education and training
The legal principle “ignorantia legis neminem excusat”, or “ignorance of law excuses no one”, is truly relevant when it comes to GDPR regulations. This goes for everyone – from the head of an organisation to the very bottom of the structure. Getting legal advice from a GDPR and cybersecurity expert is always a better route than interpreting regulatory grey areas yourself and hoping for the best. We recommend forming a good relationship with your national data protection regulatory body. In 2022, cases referred to and decided by the EDPB resulted in an average 630% increase compared to the fines originally proposed by the lead supervisory authority.
Avoid accidental AI expenses
Personal data is becoming an increasingly valuable commodity, and artificial intelligence is a means frequently used to monetise this data. It’s common for new technologies to find themselves in legal grey areas when they are first developed, but over the last year GDPR regulators have been catching up. In 2022 the EDPB issued guidance on specific areas of AI processing, and several data protection supervisory authorities have issued detailed toolkits and opinions on the lawful use of AI systems for processing personal data.
While facial recognition AI has been the main target of activists and regulators, any organisation using AI technology must stay on top of proposed legal changes and updates. New AI-related laws and legislation proposed by the European Commission as part of its digitalisation strategy could even put organisations at risk of investigation and enforcement actions from multiple supervisory authorities.
Assess risks from EEA to USA
Even for experienced legal minds, it can be extremely difficult to assess the laws and practices of third countries and determine the risk when exporting data outside the EEA. Following activist complaints and investigations by state data protection supervisory authorities, European data protection supervisory authorities have adopted an absolutist interpretation of the GDPR in the context of data transfers. These authorities therefore concluded that various transfers made based on Standard Contractual Clauses (“SCCs”) were unlawful, and that a risk-based approach was not permitted.
In 2022 US President Biden issued the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (“the EO”). This order was aimed at addressing the legal uncertainty that has prevailed with respect to transatlantic data transfers. As a response, at the end of last year the EC published a draft adequacy decision, but it still must make its way through the EDPB and European Parliament.
What to expect
The study authors don’t expect to see a slowdown in GDPR fines in the coming year, especially not when it comes to the tech sector. They also predict that the influence of the EDPB will continue its upward trend across all EU member states. The main enforcement priorities will continue to relate to breaches of the core data protection principles in Article 5 of the GDPR. These notably cover failures to comply with the lawfulness, fairness and transparency principle, or the integrity and confidentiality principle. The main criticism of last year’s regulatory activity centred around the rulings regarding the international transfer of personal data.
“Adopting an ‘absolutist’ approach to transfer restrictions and effectively outlawing any transfer of personal data, however trivial the risk of harm, risks causing real lasting harm to consumers by restricting transfers which underpin many of the progressive technologies and services which benefit our digital society,” says Ewa Kurowska-Tober, Global Co-chair of Data Protection and Cybersecurity at DLA Piper.
About the authors
“DLA Piper GDPR fines and data breach survey: January 2023” was prepared by DLA Piper UK LLP. Contributions to the cybersecurity and data protection team were provided by Sorainen international law firm associates and counsellors in relation to data for Estonia, Latvia and Lithuania. This includes Estonian associate and GDPR compliance expert Liisa Maria Kuuskmaa, Latvian associate and certified data protection officer Jūlija Terjuhana, and Lithuanian counsellor and GDPR implementation expert Irma Kirklytė. Sorainen continues to support Baltic businesses and institutions in achieving and maintaining GDPR compliance through education, training and legal advocacy.