The importance of the GDPR is not going away as we witness continuous regulatory enforcement through significant fines four years after the start of its application.
Since the GDPR’s inception in 2016 and its implementation in 2018, there have been concerns about its status and applicability. The General Data Protection Regulation or GDPR is a key piece of European legislation that ensures that companies and individuals who process personal data do not violate individuals’ right to data privacy. The GDPR’s overarching goal was to ensure that organisations that collect and process individuals’ data could ensure appropriate compliance methods of handling the data so as not to infringe on individuals’ data privacy rights. While the United Kingdom did leave the EU, allowing it to modify certain EU laws, the GDPR is still in effect in its original form, albeit as the UK GDPR.
GDPR compliance remains imperfect, even among large corporations with the resources to ensure compliance, but enforcement can impact smaller businesses, particularly those in technology.
There have been several instances of GDPR enforcement affecting large corporations and smaller businesses alike. Meta Platforms is a prime example of a major corporation that has dealt with regulatory enforcement. Meta’s businesses have been fined multiple times for failing to comply with the GDPR. Previously, WhatsApp was fined 225 million for failing to inform users about how it shared data with Facebook. More recently, the Irish Data Protection Authority (DPC) fined Instagram 405 million euros for various GDPR violations involving the processing of children’s data. This primarily concerned Instagram’s user registration process, which resulted in children’s data being shared with the public, whether through the general or business settings. The decision records findings of several GDPR violations, including those of GDPR Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24, 25(1), 25(2), and 35(1). It is critical to consider that a company as large as Meta, which has substantial resources and expertise to protect privacy rights, has faced the consequences of the GDPR’s applicability to its platform. This demonstrates the GDPR’s broad scope, and it is an important example that companies can still learn from today.
It is important that businesses of all sizes ensure that when new forms of processing take place, they are both documented and risk-assessed to ensure compliance. Because data protection law is constantly evolving in response to trends such as the use of AI algorithms, businesses that rely on such algorithms and processes, such as social networks or online sales platforms, should perform data protection impact assessments of their platforms’ features to ensure that they do not infringe on data privacy rights.
Companies and organisations should ensure adequacy before undertaking international data transfers.
Another aspect of regulatory enforcement is the investigation of data transfers between corporations and their subsidiaries. Notably, the Schrems II decision invalidated the US-EU Privacy Shield, which was frequently used by American companies with European subsidiaries to comply with data protection laws. Recently, the Irish Data Protection Commission announced an investigation into TikTok for two reasons: the alleged transfer of user information/personal data to China through the company’s chain of ownership, and how children’s data is processed.
Companies sometimes have parent companies or subsidiaries that share personal information with one another, which might be legitimate for administrative or similar purposes. The issue at hand is that such data transfers must comply with certain GDPR rules. In practice, data transfers should not occur unless there is an adequacy decision, standard contractual clauses, binding corporate rules, or one of the narrow GDPR exceptions, such as performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.