The enforcement tsunami

With all the attention on AI regulation and digital governance right now, one could be forgiven for thinking that good old privacy and data protection compliance belongs to a bygone era. Some may even think that after the initial efforts to meet GDPR standards, it is now time to move on and focus on bigger, shinier endeavours. But that would be unwise. Potentially, business-threateningly unwise. Our world is never static and, in case you have not noticed, the direction of travel is pointing towards greater instability and conflict. This reality is also affecting the data protection world, and regulatory enforcement is sharply on the rise. That may be a good or a bad thing depending on which side of a given argument you are on, but irrespective of your own stance, it is a reality that should be acknowledged and appropriately managed. This means, among other things, understanding the key pressure points for privacy regulators and pre-empting the effect these may have on your current and future data processing activities.

One of the most visible areas of regulatory scrutiny at present is cybersecurity. An often-sidelined area of data protection compliance – until a serious data breach hits, that is – data security tends to be viewed as an infosec responsibility, aside from the contractual responsibilities placed on vendors. But as the recent barrage of enforcement activity shows – from the proposed fine of £750,000 to the Police Service of Northern Ireland for its failure to protect staff personal information to the whopping €91 million fine imposed by the Irish DPC on Meta for storing user passwords in plaintext – regulators are keen to remind us that this is a top priority for them. And it is not just in Europe. Regulators in countries like Korea and Turkey are currently devoting significant resources to investigating potential weaknesses in data security practices, as they see this as an indication of lax data protection across the board.

Another issue that has certainly not fallen off the radar for regulators is cross-border data transfers. Due to geopolitical tensions, the resulting increase in surveillance and the populist appeal of data localisation, the legal restrictions on international data transfers are currently attracting rather hardline stances. This is far from ideal when, at the same time, there is widespread confusion about which set of standard contractual clauses is appropriate when an importer is already subject to the requirements of the GDPR, as highlighted by the €290 million fine imposed on Uber by the Dutch Data Protection Authority. Perhaps the greatest concern in this area is that there seems to be no room for a balanced assessment of the risk in practice, as the mere possibility of access to data by law enforcement or intelligence agencies is leading regulators to conclude that such transfers are unlawful. The danger here is that if a pragmatic, risk-based approach to legitimising global data flows is not acceptable, there may not be a single international transfer of personal data that passes regulatory scrutiny.

Interestingly, the most effective form of enforcement at the moment does not actually rely on headline-grabbing fines, but on the suspension of data processing activities. This is indeed the case in respect of the multiple suspensions of processing activities linked to the processing of personal data for AI model training. As the race to develop and deploy awe-inspiring AI heats up, even a temporary suspension of such a time-critical activity can have devastating consequences. So requiring data processing activities to be paused until essential requirements are met gives regulators the upper hand in ensuring that appropriate accountability and transparency measures – such as doing a DPIA and providing notice and choice – are undertaken as a matter of priority.

The truth is that privacy and data protection are not responsibilities that must be met merely to avoid negative consequences. They exist to enable the use of data in a way that is respectful of individual rights and beneficial to all. Regulators in this space have an extremely important job to do, and they are currently approaching it with rigour and a firm sense of purpose. Investigations and enforcement are visibly intensifying, and this surge in regulatory activity is not a passing trend. It would be foolish to think that these efforts are concentrating on a few big players, as sophisticated data uses are present everywhere. As the data economy grows, and with it the stakes of getting it wrong, we should be prepared for an ever-growing and increasingly powerful wave of enforcement.

This article was first published in Data Protection Leader in September 2024.