Happy Birthday, GDPR!

Author:Ms Catherine Muyl and Marion Cavalier
Profession:Foley Hoag LLP

Dear GDPR,

Before you were born, you already attracted a lot of attention, after all, not everyone is born over two years after they are conceived and has 28 parents! And your parents had to ?resist an enormous pressure from people who predicted that once you were born, you would be a nightmare. Well, now that you have been in this world for one year, your aunts and uncles in California, who called you a "monster," are about to give birth to someone who looks a bit like you and they already have a name picked out, CCPA.

?Why did you scare so many people? Because you could cost their companies a lot of money. Because of you, the EU's national Supervisory Authorities (the "SAs") now have the possibility to issue substantial fines, up to a maximum of 4% of the annual worldwide turnover or 20 million euros, whichever is higher.

Moreover, you came more than 20 years after your older sister (the EU's 1995 Directive), so people forgot what it was like to have a baby around. But you already are bigger traveler than her: you have a broader territorial scope, since you apply to businesses that are not established in the EU but offer goods or services to data subjects in the EU or monitor the behavior of data subjects in the EU.

Your broad scope and your potential fines resulted in a lot of stress for companies doing business in Europe, especially companies that are based in countries like the US, which traditionally have not protected personal data in the same way as in Europe.

An increased awareness as to security A French novelist once said that he had understood the meaning of the word "fear" after the birth of his first child. Fear is not always constructive, unless it increases awareness and attention to problems. And you have raised awareness in relation to data breaches and data security.

You introduced an obligation to report data breaches to SAs and, in some circumstances, to the individuals affected (your US cousins were way ahead of you and your sister in that regard). Eight months after your birth, the European Commission stated that approximately 41.000 data breaches had been notified to European SAs.

Many national SAs also published information about the number of data breach reports they received; it appears that the highest numbers of breaches were reported in the Netherlands, Germany and the UK.

What kind of breaches have been reported? A great variety, some were malicious, others were negligent. Some breaches affected several...

To continue reading