From fines to changes in privacy culture and behaviour

A month ago, the speakers at PL&B’s 32nd Annual International Conference confirmed the accuracy of the metaphor that the GDPR’s influence ripples around the world.

Several articles in this August edition of PL&B International Report record some of the highlights including: EU adequacy decisions (p.6); European Data Protection Board Opinions (p.9); Navigating e-Privacy (p.20); and AdTech (p.22).

In June, I attended the European Commission’s Taking Stock conference in Brussels (p.10) which revealed the wide-ranging impact of the GDPR, not only in Europe but also around the world. The full scale of the European Union’s impact is shown in the European Commission’s Communication (titled Data Protection rules as a trust-enabler in the EU and beyond – taking stock) published on 24th July.

Fines: Facebook and Google attract most attention. But in Europe, the GDPR is having an impact across the Member States reflected in Data Protection Authority fines on organisations which are not huge US tech companies, such as:

  • €5,000 on a sport betting café in Austria, for unlawful video surveillance;
  • €220,000 on a data broker company in Poland for failure to inform individuals that their data was being processed;
  • €250,000 imposed on the Spanish football league LaLiga, for lack of transparency in the design of its smartphone application.

But it is not all about fines. Fines may be considered by some companies as a cost of doing business. Of even greater importance are “changes in the culture and behaviour of all actors involved.” The new chairman of Belgium’s DPA makes this point in our interview with him (p.1). This is also the position developed in relation to the Facebook case by Andreas Mundt, Chairman of Germany’s Federal Cartel Office. In his speech to the EDPS/German Federal DP Commissioner’s conference, which I attended on 9 July in Brussels, he explained his rationale for the finding of Facebook’s exploitative abuse of its dominant position (PL&B International Report April 2019 p.1). The FTC’s $5 billion fine for Facebook in the US (p.32) is a hybrid decision as there are also many other requirements for the company to alter its behaviour.

Novel approaches: The European Commission’s Communication also refers to some DPAs’ novel approaches citing the example of the UK ICO’s regulatory sandbox. The ICO published on 29 July the names of 10 organisations which have now entered the sandbox. Elizabeth Denham, Information Commissioner, explains: “The sandbox will help companies and public bodies deliver new products and services of real benefit to the public, with assurance that they have tackled built-in data protection at the outset.” Winners include:

  • Heathrow Airport exploring the use of facial recognition to streamline passengers’ journey through the airport, and
  • Novartis Pharmaceuticals UK Limited exploring the use of voice technology within healthcare.

The GDPR’s catalytic effect is seen in every continent and many sectors

The Communication reflects what PL&B International Report monitors all the time. The Communication explains that countries around the world “are equipping themselves with new data protection rules or modernising existing ones. These laws often have a number of common features that are shared by the EU data protection regime, such as an overarching legislation rather than sectoral rules, enforceable individual rights and an independent supervisory authority. This trend is truly global, running from South Korea to Brazil, from Chile to Thailand, from India to Indonesia.”

To encourage a more powerful ripple effect, the European Commission intends to “step up its dialogue with regional organisations and networks, such as the Association of Southeast Asian Nations (ASEAN), the African Union, the Asia Pacific Privacy Authorities forum (APPA) or the Ibero-American Data Protection Network,….[and] work with the Organization for Economic Cooperation and Development and the Asian-Pacific Economic Cooperation Organisation to build convergence towards a high level of data protection.”

The Communication also addresses how data protection rules fit with many EU policies: multilateral trade negotiations, law enforcement cooperation, telecommunications and electronic communications services, health and research, Artificial Intelligence, transport, energy, competition, and elections.

Asian Data Privacy Laws and their impact on business

I invite you to Asian Data Privacy Laws and their impact on business, in association with Linklaters in London on 30 October. There will be a focus on China, Japan, South Korea and Singapore with an update on India and some other countries in the region of interest to business. The programme is now available and the early bird discount registration fee runs until 30 August. An additional feature this year is an afternoon roundtable to deal with your practical operational issues and how you should address them. The speakers are Professor Graham Greenleaf, PL&B’s Asia-Pacific Editor, and Adrian Fisher, Partner & Head of Privacy Practice, Linklaters, Singapore. Everyone who registers will also receive a 30 page update to Professor Greenleaf’s 2014 book, Asian Data Privacy Laws, which covers developments in all these countries to mid-2019.

The summer glow from Cambridge radiates with the help of hundreds of photos which will be followed in the coming weeks with many video clips. As a P&B International Report subscriber, by logging in, you can gain access to slides and papers. Several people have already offered sessions for next year’s PL&B 33rd Annual International Conference (29 June to 1 July 2020). You can also offer a session.

As always, I greatly appreciate the work of Laura Linkomies, Editor, and her team (p.2). In September, we will announce further events and, as always, we look forward to meeting you.


Stewart Dresner, Publisher


International Report 160

Lead story:

Belgium’s DPA aims at mediation rather than fines

Previously the DPO for Nielsen, the new Belgian DPA brings both academic insight and a business experience to his regulatory role. Stewart Dresner and Laura Linkomies report.

Contents also include:

  • Comment: Data protection is taken seriously
  • National approaches to ‘legitimate interest’ trouble EU 6 - EU reviews adequacy decisions
  • Processor SCCs, video guidelines
  • The GDPR after one year
  • ‘Data Free Flow With Trust’ at G20
  • Zuboff’s surveillance capitalism
  • GDPR implementation in Croatia
  • Latvia’s GDPR-implementing law
  • Dubai IFC consults on DP law
  • South Africa’s POPIA expected to enter into force in 2020
  • California’s privacy law
  • DPO Networks and associations
  • Navigating e-Privacy
  • AdTech: Consent, legitimate interest and joint controllership
  • EU Council reviews the GDPR
  • Sweden defines areas of priority
  • Spain and Greece face EU action
  • Egypt moves towards DP law
  • APPA meets in Japan
  • Germany amends DP law
  • EU work on DP ethics
  • Sri Lanka considers DP law
  • DPAs act on AdTech complaints
  • US FTC fines Facebook $5 billion
  • US FTC action: Equifax settles
  • Privacy Shield Ombudsperson
  • Portugal adopts new DP law
  • CJEU Opinion on validity of SCCs not until December