What enforcement tells us about compliance priorities

Those who have worked in privacy and data protection for a while will remember the time when the fear of regulatory enforcement was not the primary motivation for compliance. In the “old days”, data protection authorities were dedicated regulators that simply had to make do with limited resources and even more limited powers to ensure the observance of data protection law. For many organisations, getting data protection right was largely due to the persuasive efforts of privacy professionals, who were exceptionally skilful at emphasising the business benefits of doing the right thing, even if the consequences of not doing it were negligible. Then the GDPR came along, and while those business benefits became more obvious than ever, the powers of the supervisory authorities in Europe and beyond increased exponentially, changing forever the approach to compliance with new and not-so-new obligations.

A bit like with the climate crisis, 2023 has broken all sorts of previous data protection enforcement records. Barely a few days into the year, the Irish Data Protection Commission (DPC) announced a €390 million fine against Meta, which followed binding determinations by the European Data Protection Board (EDPB) and highlighted the EDPB’s powerful enforcement role in practice. But regulatory powers aside, what makes this enforcement action particularly striking is that it focused on possibly the two most basic (although not for that reason easy to deal with) obligations of the whole GDPR framework: transparency and lawfulness. And while there had already been other ground breaking enforcement actions dealing with transparency, the core legal battle of this particular one centred on what the appropriate legal basis was for the uses of personal data that make both Facebook and Instagram possible. Above anything else, this decision proves that determining and justifying the applicable legal basis is probably the most business-critical decision to be made from a European data protection law perspective.

Before the dust of this decision could even start settling, the Irish DPC found itself imposing the mother of all GDPR fines by a considerable margin, as Meta was again the recipient of an enforcement action that included a €1.2 billion fine alongside two orders: one to suspend future transfers of personal data to the US and another to bring its processing operations into compliance with the GDPR’s international data transfers regime. Global data flows have been the subject of much debate, scrutiny, and indeed work over the years, but never before had an enforcement action focused on this issue with such devastating consequences. The severity of the action shows not only how important it is to ensure that international data transfers are thoroughly addressed but also how much of a concern this issue is for regulators.

Without abandoning Ireland, the most recent regulatory attention from the point of view of high-profile enforcement has centred on what is perhaps an obvious target: the processing of children’s data. Although the GDPR does not expressly regulate this type of processing in a stricter way than the processing of adults’ personal data, it does highlight its sensitivity and it is understandable for regulators to pay special attention to it. So when the Irish authority took enforcement action against TikTok for infringing the GDPR in respect of their processing of children’s data and imposed another stratospheric fine of €340 million, it may have been perceived as ‘business as usual’ by some. However, what makes this action particularly unique from a legal perspective is that much of its rationale rests on the lack of compliance with the data protection by design and by default principles as well as the overall responsibility of controllers to implement compliance measures, which happen to be some of the most novel legal provisions introduced by the GDPR.

The emerging landscape from the past few months of big-ticket GDPR regulatory enforcement is somewhat challenging to define because of the diverse legal issues triggering these actions. But at the same time, there is much consistency in the rigorousness with which the EDPB has intervened, and crucially, its ability to apply the full spectrum of provisions under the law – from old but always evolving principles to newer and in some cases, largely unexplored requirements. The message from a compliance perspective is clear. Get the basics right, pay attention to what regulators are spending their time on, and do not neglect unfamiliar legal obligations because they exist for a reason.

This article was first published in Data Protection Leader in September 2023.