Dispatch from Brussels: GDPR enforcement, guidance to come in 2019

Nov 28, 2018 1:00 PM
by Derek Lackey

Now that six months have passed since the EU General Data Protection Regulation went into effect, gauging the potential for enforcement action is top of mind here in Brussels. Threaded throughout this opening day of the IAPP Europe Data Protection Congress have been insights from some of the EU's top data protection regulators — from European Data Protection Board Chairwoman Andrea Jelinek and newly renamed Data Protection Commissioner for Ireland Helen Dixon to representatives from the French data protection authority, the CNIL, the EDPB and the data protection wing of the European Commission.

The big takeaway? Get ready for some enforcement action in 2019. 

During her interview with IAPP Chief Knowledge Officer Omer Tene, Dixon said major GDPR-related fines will not come down the pike in 2018, but it's safe to expect some fines in 2019. This notion was foreshadowed earlier in the day by the EDPB's Jelinek during her keynote address. She said the board is already working on a number of cross-border enforcement cases — Dixon separately noted there are 14 — but those cases are complicated and resolutions will come in "a few months from now." 

Notably, both Jelinek and Dixon said no cross-border cases have been escalated to the EDPB. Jelinek explained that national regulators thus far have been able to collaborate without triggering any EDPB resolutions or mediation. 

But that doesn't mean enforcement is far away. During a panel session on GDPR enforcement, Mathias Moulin, director of the CNIL's Rights Protection and Sanctions Directorate, did not mince words, warning that the time for the GDPR's transition "is coming to an end," that it's "time for action" and that there will be "teeth."

Romain Robert, legal advisor to the EDPB, fleshed out what the board has been up to in the last six months. He said the EDPB is currently communicating about 350 cases on the IMI system — a network built for the supervisory authorities to exchange information. Robert also said there are 280 mutual assistance requests under Article 61 and 22 local case requests under Article 56. 

No doubt, DPAs across the EU have been busy. Complaints are up, as are breach notifications. Jelinek noted that at the Austrian DPA, complaints have more than doubled and breach notifications have tripled. It's clear, however, that the EDPB has been focused on building its one-stop-shop mechanism and seeking to lay the groundwork for harmonization, consistency and proportionality. Karolina Mojzesowicz, the deputy head of data protection at the European Commission, said proportionate fines and sanctions are often discussed among the regulators and that harmonization is important so there is not a difference in fining levels among national authorities.

Jelinek said "the GDPR has substantially changed the way national DPAs" work together. She also pointed out that DPAs now wear two hats: one as their national regulators and the other as members of the EDPB. This "high frequency of meetings, which requires resources," helps to ensure a harmonized approach, which, in turn, she argued, will increase legal certainty for businesses. 

Not everything, however, will be about enforcement in 2019. Jelinek said the EDPB knows there's a demand for more guidance. "We will continue to work with stakeholders in a more structured manner next year. ... We do not believe in an ivory-tower approach" to regulating. 

"The rubber hasn't hit the road with one-stop shop, yet," Ireland's Dixon said. "We haven't had a case that requires the consensus of all 28 DPAs. It really is a case in progress ... and there are clear challenges that are involved and complex." 

In addition to publishing more case studies and best practices, Ireland's Dixon said supervisory authorities need to start exploring certifications and seals under the GDPR. She also suggested that it will be helpful for DPAs to highlight good examples of GDPR compliance as well as bad ones to help the business community. 

Dixon also praised some of the GDPR's near-term effects on industry: "We're seeing demonstrable efforts at accountability." And though the 72-hour breach notification requirement "has some issues," the fact that there is now mandatory breach reporting "has opened our eyes to breach trends we wouldn't have been aware of" previously. For example, among the more than 3,000 data breaches it has been notified of, the Irish DPC has found that a large number of breach notifications are related to coding errors.

In her keynote address, Jelinek reflected on where the EDPB might be a few years from now: "It will be a well-established body" that will be transparent and efficient, concluding, "I'm convinced, as data protection continues to go mainstream, the IAPP members will be the ambassadors."
