Data privacy and GDPR at one year, a U.S. perspective. Part One - report card

NEW YORK (Thomson Reuters Regulatory Intelligence) - Risks associated with data, data privacy, and the changing global regulatory landscape for such issues are some of the most complex challenges facing financial-services legal and compliance departments today.


The approaching May 25 first anniversary of the effective date of the European Union's General Data Protection Regulation provides occasion for a look back at the rush to prepare, enforcement and penalties thus far, and the new challenges ahead for U.S. firms.

In this two-part overview of the complex challenges associated with data privacy regulations, Part One below offers a report card and reviews what has transpired in the year since GDPR took effect.

Part Two will address the challenges ahead in the area of data privacy with a particular emphasis on what’s being dubbed “GDPR-lite” or “California GDPR,” the California Consumer Privacy Act, and other new data privacy regulations on the horizon.


U.S. financial services firms trying to manage regulations and guidance on data protection and cyber security from multiple jurisdictions faced an enormous challenge last year when the strict new EU rules governing the use of personal information took effect.

GDPR is designed to protect the privacy rights of EU individuals but applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located. The regulation was adopted in April 2016, and took effect May 25, 2018.

The regulation was created with a deliberate global reach and set a new level of obligations and expectations regarding data protection, security, and management. It was also more restrictive than its predecessor -- the EU's 1995 Data Protection Directive -- and than any U.S. federal or state laws.

GDPR applies to all online interactions with EU citizens no matter where in the world the business is taking place. It includes enhanced requirements regarding consent to use, and includes a “right to be forgotten” – or removed from the record -- which is one of the more problematic challenges from a U.S. perspective.

Preparing for GDPR came with myriad implications for U.S. firms. A key principle of the regulation is that the ownership of personal data is deemed to remain with the individual and not with the data controllers or processors. This is a distinctly different legal view and approach from the U.S. perspective.

Although breach notifications are a big part of GDPR, and the U.S. focus on cybersecurity and data protection has historically been centered on breaches, in the United States there are countless businesses whose commercial models are based on the use and sale of data. This presents unique challenges for U.S. companies and U.S. regulators or lawmakers.

Last year we pointed out that many of the larger U.S. firms were working to prepare for the regulations and were at varying degrees of preparedness; smaller firms were the least prepared. The picture has changed little. Larger firms have worked hard to prepare, and continue to do so, while smaller firms are still nowhere near where they should be.

According to Cynthia Cole, special counsel in the Palo Alto technology practice at law firm Baker Botts, "GDPR was pretty well written, and mapping, segregation, and planning efforts in preparation by firms was largely successful and beneficial." However, "even now a year later, most companies are still nowhere near compliant," Cole told Regulatory Intelligence.

The enforcement powers associated with GDPR are significant. Fines for violations can reach up to 20 million Euros or 4% of a firm’s global annual revenue, per violation, whichever is larger.


With the potential for such stiff penalties, there was great concern about heavy-handed enforcement from data protection authorities in the EU. However, according to a report published by the European Data Protection Board, which is composed of representatives of the national data protection authorities and the European Data Protection Supervisor, violation penalties imposed in the first nine months after GDPR took effect totaled approximately 56 million Euros.

The report also provided the total number of cases reported by supervisory authorities from 31 countries: 206,326. This consisted of 94,622 complaints, 64,684 breach notifications, and 47,020 unspecified other cases. The report noted that 52% of all the cases had already been closed and only 1% were challenged before a national court.

A report published in late February by DLA Piper cited data from the first eight months of GDPR enforcement, during which 91 fines were imposed. "We expect that 2019 will see more fines for tens and potentially even hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications," the report said.

The biggest penalty — 50 million euros — was issued by the French Data Protection Authority (CNIL) in January against Google. The fine was related to a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

The investigation stemmed from complaints received by the French authority over Google's handling of personal data. The authority found that the structure of Google's privacy policy and terms and conditions was too complicated for users, and that the use of pre-ticked boxes as a consent mechanism did not establish a legal basis for data processing to deliver targeted advertising.

The French regulator cited Google’s failure to centralize essential information on one page, and its process requiring users to go through “up to five or six actions.”

Google’s penalty accounts for nearly 90% of the total value of fines levied to date. But it had the potential to be much larger.

In 2018 Google reported nearly $136.2 billion in revenues. Therefore, the 50 million euro penalty — equal to roughly $56 million — represented approximately 0.04% of revenue, far from the 4% potential penalty.

So far, the EU seems less interested in levying fines based on breach notifications, Cole said. “A lost laptop on a train in Dublin doesn’t appear to matter,” she said. However, “the French coming out first with the Google case was not a surprise, and it sends a message that they are trying to address the extremely complicated landscape of procurement and use, or misuse of data.”

Compared to the Google fine, other fines levied by European national data protection authorities (DPAs) have been considerably smaller. For example, in March 2019 the Polish DPA announced that it had fined a company approximately 219,000 euros for failure to inform six million individuals that their personal data were being processed. Also, in March 2019, the Danish DPA fined a company approximately 161,000 euros for holding on to personal data longer than allowed under GDPR.


Outside of the Google fine, the penalties thus far have been so small that many are anxiously awaiting the next whopper of a fine. Irish and UK authorities have hinted that a large fine is coming.

Perhaps a greater concern is the risk of private litigation. According to William Long and Wim Nauwelaerts of the law firm Sidley Austin, under the GDPR individuals are able to file claims for "material or non-material damage" resulting from a breach of the GDPR. In addition, not-for-profit organizations have the right to lodge a complaint on behalf of an individual. As an example, they cited an airline that has been threatened with a £500 million class action lawsuit in a UK court for non-material damage caused by a security breach.

“The airline has already pledged to cover any losses suffered by its customers, but a law firm acting for some of the affected individuals has taken the position that under the GDPR, the individuals have a right to further compensation of £1,250 each,” Long and Nauwelaerts said.

The increase in consumers exercising their privacy rights, and the growth in privacy litigation, are likely results of GDPR and can be expected to continue.

The efforts to comply with GDPR, and the penalties thus far are likely only the tip of an enormous iceberg of data privacy regulations and litigation in the future.

Although firms are getting a handle on the risks, and are better equipped for compliance, the risks are significant and the challenges are complex.

In Part Two of this article, we will focus on the U.S. landscape, private litigation risks, and the patchwork of state regulations that are rapidly popping up, particularly the California Consumer Privacy Act (CCPA), which is now in the works and establishing itself as the U.S. version of GDPR.


(Todd Ehret is a Senior Regulatory Intelligence Expert for Thomson Reuters Regulatory Intelligence based in New York.)

This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on May 16. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters