In the five years since the General Data Protection Regulation (GDPR) took effect, privacy laws have continued to be enacted locally, nationally, and regionally. Similarly, regulatory actions enforcing these laws are developing and likely to increase in frequency and severity. The international web of privacy laws will become more complex as new laws are promulgated and enforcement bodies look into the privacy practices of organizations.
More regulations in the U.S. and globally
In the U.S., comprehensive privacy regulations, often inspired by the GDPR, are in effect or will soon take effect in nine states, led by California. Comprehensive privacy laws are currently under consideration by several other state legislatures.
Meanwhile, in the U.S., there has been some discussion of federal privacy legislation beyond the patchwork of laws and regulations that already exist. Some examples of the already existing laws include, but are not limited to the Children’s Online Privacy Protection Act, the Fair and Accurate Credit Transactions Act, the Video Privacy Protection Act, the Securities and Exchange Commission’s Regulation S-P and various federal wiretapping laws.
In July 2022, the American Data Privacy and Protection Act (ADPPA) was approved by the House Energy and Commerce Committee with bipartisan support. The ADPPA, which included a private right of action for consumers, would have set limits on how organizations could collect, process and transfer personal data without express consent, but was not voted on by the full House of Representatives. In 2023, U.S. federal legislators expressed interest in establishing new federal privacy standards. No specific legislation, however, has been introduced to date.
GDPR-like laws have also popped up in various other countries, including Brazil and China. Australia, which already had a robust privacy law in place long before the GDPR, may see some amendments to its law in the near future. In early 2023, Australia’s attorney general indicated that he would seek to reform the current law, including adding a right to be forgotten modeled on the GDPR.
While the GDPR’s impact on other privacy regulations is undeniable, it cannot be overlooked that there are many regions — notably, developing and transition economies — that do not have consumer protections in place yet. The United Nations Conference on Trade and Development reports that in as many as 52 countries, data was not available regarding their privacy protections “suggesting that online consumer protection is not being fully addressed.”
As technology continually advances, with many businesses looking into artificial intelligence (AI) and other opportunities to generate revenue and improve operations, regulators will need to adapt. New and enhanced laws will likely be promulgated to regulate such emerging risks associated with the digital era. Look for more from Lockton in the near future on AI and its implications for cyber risk.
Increased enforcement actions
Over the last five years, E.U. member states have imposed billions of Euros worth of penalties for violations of the GDPR. Enforcement by individual member states has varied. Among the most active has been Ireland, which in May 2023 announced the largest GDPR fine on record — €1.2 billion against a technology company.
Under the Data Protection Act 2018 (DPA), the U.K.’s Information Commissioner’s Office (ICO) has similarly imposed sometimes hefty penalties against companies for violations of the law. Generally, these fines have been large, but the office’s overall enforcement level has not been as intrusive for businesses as once believed.
While the ICO’s activity has increased over time, one of its largest fines was reduced after its initial announcement. In 2019, the office announced a fine of £183 million against a global airline; in 2020, however, the penalty was reduced to £20 million after the airline highlighted its efforts to mitigate the impact of the data breach in question.
GDPR fines by other countries’ data regulators have also been reduced, sometimes after intervention by courts. In 2021, for example, the Regional Court of Bonn reduced a penalty by the German Federal Commissioner for Data Protection and Freedom of Information against a German telecom provider from €9.6 million to €900,000.
In enforcing the GDPR and DPA, regulators across the E.U. and U.K. have targeted a range of industries. While technology companies have frequently drawn their attention, regulators have also fined organizations in the retail, telecom, energy, healthcare and professional services industries, among others.
What to expect going forward
Fines and penalties for violations of various laws generally increase in size over time. Organizations subject to the GDPR may see more aggressive fines and penalties issued by the U.K. ICO and various E.U. member states in the coming years, although specific enforcement activity will vary by country.
Organizations should also expect regulators to continue to enforce the law across a range of industries. While regulators may remain open to reducing fines if the organizations involved can demonstrate steps they are taking to mitigate the harmful effects of data breaches, it is unclear how forgiving regulators will be in the coming years.
Best practices for organizations
As more privacy regulations are enacted globally and as regulators step up enforcement of the GDPR and other existing laws, it’s vital that organizations continue to make privacy a priority. This includes ensuring corporate governance supports privacy protection.
The regulatory frameworks presented by the GDPR and other laws make clear that directors must play an active role in managing data privacy rather than delegating responsibility to IT and IS teams. Organizations, working with trusted advisors and experts in information security and regulatory compliance, should consider taking the following actions:
Conducting data mapping exercises to determine how information and data flow through organizations, both digitally and physically.
Implementing classification policies, including determinations of business impacts related to the most critical data and information.
Preparing regulatory maps to assess applicable local, state, federal and international requirements.
Drafting, implementing, and periodically reviewing and updating policies regarding the collection, storage, retention and destruction of data and information.
Implementing appropriate security controls over critical and classified data and information.
Reviewing and evaluating third-party vendor management programs, including conducting vendor risk assessments, requiring vendors to implement best-in-class data protection policies, periodically auditing them, and reviewing indemnification language in contracts.
Planning and budgeting for security improvements and cyber insurance.
Ensuring that data and information security is a central component of organizational culture.