Regulation (EU) 2016/679, also called “General Data Protection Regulation” (the “GDPR”), turns three.
The GDPR indeed came into force on 25 May 2018, becoming the global benchmark for personal data protection as well as a convergence factor in the development of standards. With the adoption of the GDPR, the European Union took a leading role in the international data protection landscape, prompting several third countries to align their data protection regulations with the GDPR. New solutions remain to be found that reconcile the protection of personal data with its circulation, for example with regard to relations and trade with the United States after the Schrems II judgment of the European Court of Justice, which invalidated the Privacy Shield.
The GDPR has certainly revolutionised the approach of businesses and citizens to privacy, which has gone from being the Cinderella of law to a priority subject, and there are many reasons for this.
First on the list of reasons is, certainly, the introduction of a wide range of administrative sanctions. The main change is the duration, scope and severity of some of these fines, which can be (i) up to 10 million Euros or, alternatively, up to 2% of total global turnover in certain cases, or (ii) up to 20 million Euros or up to 4% of total global turnover in the most serious cases. In some cases, the most serious breaches may even amount to a criminal offence.
This has led to an exponential increase in the number of companies adapting to the rules introduced by the GDPR and to a greater level of attention to privacy risk also on the part of top management.
Another important novelty was the creation of a new professional role: the Data Protection Officer, also known as the DPO, a new "actor" in the "privacy system" that has contributed significantly to the success of the GDPR. Indeed, the presence of numerous DPOs (there are now thousands of DPOs), apart from the work done within the structure of the controller who made the appointment, has given rise to a peculiar phenomenon: seeking compliance, or any elements of the compliance requirement, from the other controllers with whom the controller interacts to establish, continue or maintain commercial or other relationships. This caused an unforeseen domino effect, which has triggered a need for compliance that in past years was primarily linked to the fear of control by the Authority for the protection of personal data (the "Data Protection Authority").
Furthermore, reference must be made to the principles of privacy by design & by default, accountability and the many rights of data subjects, including the right to be forgotten.
In Italy, the Data Protection Authority has announced that, from the entry into force of the GDPR to 31 March 2021,
Three years after its entry into application, the GDPR can be considered an overall success, though there is still a long challenge ahead. The focus must continue to be on improving implementation and on actions to strengthen the enforcement of data protection laws. There is a need for strict and effective enforcement of the GDPR and for increased awareness of the management of personal data and its fundamental importance in the information society. There is also a need for increased "digital maturity" on the part of data subjects and increased accountability on the part of owners of large digital platforms, integrated companies and other digital services, particularly in the areas of online advertising, micro-targeting, algorithmic profiling, science and genomics, and the ranking, dissemination and amplification of content.
In conclusion, the GDPR has garnered considerable interest and attention in light of the digital marketplace and big data boom. The EU Institutions have foresightedly overcome the – to say the least – jagged legal system governing data protection among Member States. The GDPR certainly represents a revolution in European data protection law.
This article is for information purposes only and neither is nor can be considered as a professional opinion on the topics covered. For further information, please contact Marco Cappa and Claudia Colamonaco.