Post-GDPR landscape: observations four years after implementation
25 May 2022 marks four years since the EU General Data Protection Regulation (commonly referred to as the “GDPR”) went into effect. During this time we saw panic among entrepreneurs, “consentmania” (the manic collection of consents for data processing), “PESELmania” (the same frenzy around the PESEL national identification number), pseudonyms (such as Gargamel) in place of the numbers assigned by outpatient clinics, the hope of putting an end to unwanted emails or phone calls, and eventually acceptance of the fact that “talking” with a bot about photovoltaics is unavoidable. But has the Regulation changed anything at all? If so, what has changed?
Fines, which is what everyone feared most
10 or 20 million EUR, or even 4% of the entire global turnover of the preceding fiscal year – these were the values that raised concern in 2017 and 2018. High potential fines kept management boards awake at night, made accountants and financial directors sweat, and triggered a spiteful smirk among ordinary EU citizens who had just ended their fifth unwelcome telemarketing call. The widespread promises of penalties proved true for the chosen ones only – really high fines were in fact imposed only upon the Internet giants, and it is hard to say whether they found them painful. Not many fines were imposed in Poland, and their value was not particularly frightening.
According to the statistics describing the activity of the President of the Personal Data Protection Authority (DPA), in the period from 25 May 2018, when the GDPR entered into force, until 31 March 2022, the DPA President issued 41 administrative decisions imposing fines for infringements of the GDPR. Additionally, according to publicly available statistics, it can be estimated that during this time as many as 40 thousand breaches were reported to the DPA President. One fine per thousand violations is not much. Moreover, a number of the penalties were annulled by administrative courts, so the number of final and actually paid fines is considerably lower.
Is this bad? Absolutely not.
Reprimands in lieu of penalties, which is how the DPA President actually operates
In addition to imposing fines, the GDPR also grants supervisory authorities other, less imagination-capturing powers, which may, however, be equally effective. These include in particular decisions ordering or banning certain actions, as well as reprimands. Such decisions may concern, without limitation, the exercise of data subjects’ rights, orders to notify about a breach, or the adaptation of data processing operations to the GDPR (the DPA President may even set a deadline and define the manner of adaptation). Reprimands, in turn, state that a breach occurred, but that its scale and nature, or the conduct of the controller or processor, indicate that a reprimand is sufficient.
The data regarding the activities of the DPA President indicate that, for example, in 2020 the President exercised his corrective powers more than 520 times, of which 140 times an order was issued and 380 times a reprimand. In 2021, the DPA President exercised his powers over 780 times, issuing about 250 orders and 530 reprimands. Importantly, the tendency of the DPA President to exercise his powers by issuing orders and reprimands seems to be getting stronger: the first quarter of 2022 alone saw 60 orders and more than 180 reprimands issued by the President.
The above statistical data indicate that the fines imposed by the DPA President are reserved largely for the most serious cases, i.e. primarily for situations where the rights and freedoms of individuals were violated as a result of a personal data breach.
Such measures taken by the DPA President (orders and reprimands) are praiseworthy, because they are of enormous educational value and they demonstrate that the GDPR is not just a mechanism for penalizing entrepreneurs. However, since we are practitioners, we would like more such decisions to be published and discussed on the DPA’s website.
Everyone can see what the GDPR is: a few bitter remarks
The GDPR was advertised as a “smart” act, i.e. an act which, owing to the language it uses, is meant to adapt to the changing technological reality. The situation may not be bad in this respect, but the “smartness” is lacking in some other aspects, such as certain formal obligations (for example the obligation to inform) being similar for huge Internet or technology corporations and for one-person hairdressing salons. Should it work this way? Rather not.
The threshold for understanding the GDPR, recognizing the issue of personal data protection and meeting privacy-by-design requirements is quite high, and not all data controllers were able to meet the core requirements imposed by the GDPR on their own. Can we, however, require that a small online store be capable of managing all those requirements on its own, considering that, to this date, the website of the Polish social insurance institution (ZUS), which has an enormous budget, still demands an utterly redundant consent, and that not so long ago that consent still referred to the Data Protection Act of 1997 (repealed in 2018)?
The greatest disadvantage of the GDPR is its relatively poor scalability. We are of the opinion that micro and small entrepreneurs should be (depending on the scale and context of processing) exempt from some of the obligations set out in the GDPR. Alternatively, the supervisory authority (in Poland: the President of the Personal Data Protection Authority) could develop tools supporting the implementation and application of the GDPR for micro and small entrepreneurs operating in certain sectors (e.g. manufacturing, shops or online stores). This would offer them a solution which they could adapt to their own conditions and processing activities, instead of spending tedious hours reading the GDPR and GDPR-dedicated articles. This was supposed to be the role of the codes of conduct to be approved by the national supervisory authorities, but not a single code has been approved in Poland to date, and just seven codes have been submitted for approval (https://uodo.gov.pl/pl/426/1109).
Awareness: advantages and disadvantages of the GDPR
Awareness of how important personal data protection is in an information society should be perceived as the greatest value added by the GDPR. Obviously, this awareness is not perfect and calls for further education, but the GDPR certainly contributed to popularizing personal data protection: the word “data (GDPR)” came second in the Word of the Year for 2018 (Poland). A well-aware society will be more willing to read the data processing notice, think about why specific personal data is to be provided, and take preventive measures if a breach is reported.
This awareness must be maintained and developed continuously among all generations. It is also necessary to get the message through to the mainstream that consent is not the only legal basis for data processing, and that a complaint filed with the DPA is not a tool for blackmailing one’s employer.
Awareness of the importance of personal data issues should also reach the legislator, who is quite stubborn in disregarding or erroneously interpreting personal data-related solutions in new acts of law. As an example: the Act of 11 August 2021 on savings and loans schemes (Journal of Laws of 2021, item 1666) indicates the consent of the scheme participant as the basis for data processing (Art. 43(1) of the Act). Despite broad criticism, the Act has not been corrected.
GDPR-mania, i.e. the entrepreneur does not live by the GDPR alone
Despite our fondness for the GDPR and personal data protection, we must point out that for the great majority of entrepreneurs the processing of personal data is an incidental process, a means to an end, which is the operation of their business. The Internet giants are a different story – for them personal data is the value per se, and it is hard to list all the creative ways of using it. Data protection, however, cannot “devour” too many resources of “average” entrepreneurs, and they are the ones that need assistance in the form of ready-made, dedicated solutions which they can easily apply.
At the end of the day, we must remember that according to recital 4 of the GDPR “The processing of personal data should be designed to serve mankind”. And this is exactly what we would like to wish ourselves and you all on the 4th anniversary of the GDPR.