On 25 May 2018, the former Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data was replaced by the General Data Protection Regulation (GDPR) and the additional Danish Data Protection Act. This brought a renewed focus on the protection of personal data, in particular due to the introduction of heavy penalties of up to EUR 20 million or 4% of the company's global turnover, whichever is greater.
Not surprisingly, then, the 10th most frequently asked question on Google in 2018 was: "What is GDPR?" GDPR is, if anything, a word that has been on everyone's lips – not only in Denmark and the other EU/EEA countries, but throughout the entire world. For instance, California adopted similar legislation in June, as did Brazil in August, and in July India presented a draft bill with clear parallels to the GDPR, which, however, has not yet been adopted.
Hence, protection of personal data gained momentum in 2018. That momentum has without any doubt become stronger in the light of the enormous personal data breaches the world saw during the year, among others at Facebook in connection with the Cambridge Analytica data scandal, where 87 million people's data was affected; at Starwood Hotels and Resorts (now a part of Marriott International), where up to 500 million people's data was breached; and at the Indian identity database Aadhaar, where 1.1 billion individuals' data was breached.
The Danish Data Protection Agency has not yet issued any fines under the new Regulation. However, the Agency has filed a police report against the Danish therapy portal GoMentor after a user had obtained access to read other clients' confidential communication with their therapists. Whether this leads to a fine remains to be seen. In 2018, Austria, Portugal and Germany were the only countries to impose fines, of EUR 4,800, EUR 400,000 and EUR 20,000, respectively; amounts that are all far less than the aforementioned maximum penalties.
There is no doubt that the GDPR has had influence in 2018. The situation is quite different regarding the ePrivacy Regulation, which is to replace the ePrivacy Directive and which will replace elements from, among others, the act governing electronic communications data and the cookie order. The final version is still being negotiated, despite the fact that it was originally supposed to enter into force simultaneously with the GDPR. Last week, the EU Council of Ministers released a progress report acknowledging the lack of consensus. However, there is still no news about when the Regulation can be expected to come into force – perhaps in 2019?
We look forward to the year 2019; a year that will very likely present more practice on the GDPR, and where personal data protection hopefully will be improved even more all around the world.
Holst, provides advice to clients on all matters pertaining to data protection and assists in the preparation or review of current data protection policies, data processing agreements, etc. in order to ensure compliance with applicable legislation.