Happy Anniversary, GDPR!

The European General Data Protection Regulation (GDPR) this week celebrates its second anniversary. For many organisations, it may seem that the GDPR has become business as usual; one of many elements of their global compliance strategy. For many others, it remains a continuous struggle. 

The two year anniversary is an important milestone for the GDPR, since this is the moment the European Commission was supposed to present the first evaluation of the application of the Regulation. Unfortunately, the report has been delayed until the start of the summer. Some of the lessons learned are nevertheless crystal clear.

Overall, the GDPR has been a success

In preparatory analysis for the European Commission’s review, the EU Member States, the European Data Protection Board (EDPB – the assembly of all EU supervisory authorities) and even industry groups, like the Centre for Information Policy Leadership, all agree: overall, the GDPR has been a success. Especially in the private sector, the Regulation has seen a big increase of awareness for privacy and data protection issues. Many organisations have implemented far-reaching privacy programs, to ensure the personal data of their employees, business partners and customers is well protected. And if something goes wrong, they are much more forthcoming to report a breach than was the case in the past, if you look at the total number of data breaches reported thus far.

Also the ‘extraterritorial’ influence of the GDPR is noticeable. Countries around the world have adopted legislation to bring their own privacy laws more in line with GDPR, or are in the process of doing so. Think for example of Japan, where additional legal provisions and guidelines were adopted to ensure their privacy law could be declared adequate. A similar process is ongoing in South Korea. And in Brazil, the new omnibus privacy law LGPD is clearly inspired by the GDPR, as is the draft Indian privacy bill currently before Congress. That doesn’t mean these laws are exact copies of the GDPR: all countries have chosen to embed their laws in their own national legal traditions, but many of the newer concepts and compliance approaches introduced by GDPR have been copied.

The GDPR has not achieved one of its main goals: full harmonisation

One of the main points of criticism of the GDPR, is that it is a Regulation-in-name-only. That requires a bit of explanation. Under EU law, there are two main legal instruments: Regulations, which have direct legal effect in all EU Member States and in principle do not require national implementing laws, and Directives, which are only binding as to the goal they aim to achieve. Directives always require implementing laws in all EU Member States. The GDPR officially is a Regulation, and many of the provisions indeed have direct effect, and can be relied upon by organisations and individuals throughout Europe. However, on many details, like the use of special categories of personal data (including health data), additional national rules can be imposed, to either allow the processing of such data or to make it more difficult. The same goes for data used in an employment relationship and for research and statistical data. Also, the age at which minors can provide consent for online services varies from country to country, between 13 and 16 years. This means the original goal to have “one single privacy rule for the whole of the European Union” has not been completely achieved. The core of the Regulation has been harmonised, but many important details have not.

What also hasn’t been fully harmonised, is the approach supervisory authorities should take when enforcing the law. The GDPR provides the main elements of what an investigation should look like and how authorities should consult each other, but the process itself is run on the basis of national administrative law. These laws fall outside the scope of EU legislation, and thus are not harmonised. 

Supervision and enforcement of the GDPR remains a struggle

More generally, the supervision and enforcement of the GDPR is not an unequivocal success. Many had expected – and sometimes hoped – that data protection authorities would start imposing multimillion-euro fines from the moment the GDPR went into application. That seems not to have been the case. In particular, some high-profile complaints brought by civil society groups like NOYB (none of your business, led by the Austrian Max Schrems) and Privacy International are still awaiting a decision by the competent authorities. But that doesn’t mean the GDPR has not been enforced at all.

At the start of 2020, well over €115 million had been imposed in fines by the various data protection authorities. In addition, many authorities have taken other types of enforcement decisions, as allowed by the GDPR, from (public) warnings of non-compliance, to the suspension of processing operations. Many data protection authorities also make clear it sometimes suffices to have a phone call with a non-compliant organisation, to explain the correct interpretation and/or application of the GDPR. This may not be the most visible way of enforcement, but it is a really effective one.

The main hurdle for data protection authorities is a lack of resourcing and funding. Two-thirds confirm they do not have sufficient resources to deal with all the complaints received from individuals, as well as with the requests from companies for guidance and approval of certifications and international transfer instruments. Also the Council and CIPL conclude in their GDPR evaluation reports that underfunding of data protection authorities is a risk for the effective implementation of GDPR. 

With only two years’ experience in working with the GDPR in practice, almost everyone agrees that it is too soon to start discussing any possible changes to the text of the Regulation. For now, Member States, supervisory authorities and industry seem content with more (detailed) guidance from the EDPB. At the same time, they note the reform of the data protection legislation in Europe is still not completed. The ePrivacy Regulation, which shall provide the specific rules for online data protection in line with the standards and principles of the GDPR, is still in the legislative process, with no agreement on a final text of the Regulation in sight. The hope is the German presidency of the Council from July onwards will be able to make some progress in this file.

Serious Privacy Podcast – Wildly Successful: An Unexpected Career in Privacy

Describe your perfect privacy career. Do the words “vibrant,” “brilliant,” and “high energy” come to mind?  Back when we still had privacy conferences and trade shows, you could sometimes meet someone that was so vibrant, so enthusiastic and so interesting, they would make the whole event. Emerald de Leeuw, Privacy Lead in EMEA for Logitech is that kind of person. She is a fellow Dutchie to Paul and calls Ireland her home. She is an entrepreneur with a brilliant privacy mind, but allegedly also serves up a mean cocktail.

We speak about building out a career in privacy, being underestimated and staying sane while working hard. We also talk about the challenges that a woman in privacy and tech faces, whether at the beginning of her career, or even when she is established and successful. Being underestimated is just one of those challenges. Emerald also opens up about her career champions and the importance of being authentic as a professional. Listen to this week’s episode on our website or stream the episode below.

The California Privacy Rights Act of 2020



Alastair Mactaggart, the driver behind the current California Consumer Privacy Act (CCPA) in 2018, published a new version of a consumer privacy act in September 2019. Since then, it has been modified and is being submitted to California county governments for inclusion on the California ballot for voting. California Elections Code, Article 3, Section 9035 requires that initiative measures for statutes be presented to the Secretary of State with a minimum number of signatures, at least 5 percent of the total number of registered voters in the most recent gubernatorial election, in this case, no less than 623,212.

The Office of the Attorney General released the title and summary of the initiative back in December 2019 as one of the first steps in a ballot initiative. On May 4, 2020, the Californians for Consumer Privacy announced that it was submitting over 900,000 signatures for qualification of the California Privacy Rights Act of 2020 (CPRA) as a ballot initiative and is now submitting the petitions to all counties for inclusion on the ballots in November.  If passed, the CPRA would take effect January 2023 with a one-year look back to January 2022. Some provisions, however, are presented for 2021, such as a new state privacy agency responsible for implementing and enforcing the CCPA.

Previously, this same group sponsored CCPA to be on the November 2018 ballot. However, the California Legislature passed its version of the CCPA in June 2018, which was signed into law – and has been amended twice since then. To date, the regulations to implement the CCPA have not been issued, yet enforcement is slated to begin July 1, 2020.

About the CPRA

The CPRA’s intent is to amend the CCPA by adding new definitions, new individual rights, and broadening the enforcement elements of the CCPA. Key provisions include:

  • Enhanced obligations on third parties, including service providers and contractors
    • Providing notice where data is collected (businesses acting as third parties) 1798.100(b)
    • Contractual obligations to comply with the law and to provide certain levels of privacy protection Section 1798.100(d) 
    • Cooperate on consumer requests, including deletion and flowdown obligations 1798.105(c)(3)
  • Explicit security provisions (reasonable as appropriate to nature of information) 1798.100(e)
  • New right of correction 1798.106
  • New right to limit use and disclosure of sensitive personal information 1798.121
  • Addition of definitions of “consent,” “contractor,” “sensitive personal information,” and “share” (as proposed §1798.145(h), (j), (ae), and (ah) respectively), each of which carries new or enhanced obligations. A summary of these new definitions is listed here, with the exception of “sensitive personal information,” which is provided in full below.
    • “Consent” must be freely given, specific, informed and unambiguous, with a clear affirmative action or statement and includes what does not indicate consent, such as acceptance of general terms or muting or closing a piece of content. (h)
    • “Contractor” is very similar to a service provider. (j)
    • “Sensitive personal information” means: (1) personal information that reveals (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation. Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) of Section 1798.140 shall not be considered sensitive personal information or personal information. (ae)
    • “Share,” “shared,” or “sharing” is very much like selling, but in regards to cross-context behavioral advertising. (ah)
  • Additional element of data sharing to the definition of “business” for those who share control and branding with a business subject to the CCPA, Section 1798.140(d)(2) 
  • Creation of a California Consumer Protection Agency. Section 1798.199
  • Requiring an annual cybersecurity audit for businesses whose processing of personal information presents a significant risk to consumers – and submitting risk assessments to the new Consumer Privacy Protection Agency. Section 1798.185(a)(15)
  • Subjecting violations involving the personal information of individuals known to be under the age of 16 to the increased penalty level of $7,500 for each violation. Section 1798.155(a)

These are certainly not all of the changes proposed by the CPRA and one should read the complete text to understand the potential impact.

Next steps

Under the previous initiative, which became the CCPA, negotiations were held to enact state law in lieu of the ballot initiative proceeding. It is unknown whether similar discussions are being held about the CPRA. As permitted under California Constitutional Law, the CPRA will be listed on the ballot in November as long as the remaining requirements are met.


Serious Privacy Podcast: Returning to Work


What do you get when a European and an American discuss concerns about returning to work after the recent quarantines? This week on the Serious Privacy podcast, co-hosts Paul Breitbarth and K Royal give listeners an inside view on what privacy professionals are thinking about. After two months, the worst of the Corona Crisis in many countries seems to be behind us. Slowly, countries and states are opening up, releasing roadmaps on relaxing their quarantine measures and taking steps to allow people to go back to work. Nevertheless, for the time being, it seems “continue to work from home where possible” will remain the best practice around the world. But whenever employees return to the office on a regular basis, it is already clear companies will need to prepare. The new normal of the six-feet-society and social distancing will cause a challenge in itself to be accommodated in offices, but there is also a lot to consider from a privacy and data protection perspective.  Listen to this week’s episode on your favorite podcast platform or stream the episode below.

Serious Privacy Podcast – A Walkin’, Talkin’ EU Rep: An Open Conversation


What is a representative under GDPR?  Why do I need one? What do they actually do? Are these questions familiar to you? Does it sound like we are reading your mind? Then join us for this exciting unscripted conversation with Tim Bell, Managing Director of the DPR group – a walking, talking, EU representative.

If a data controller or processor does not have an establishment in any of the member states of the European Union, they have to appoint a representative. This is stipulated by article 27 GDPR. But does this really happen? The EU Member States seem to have concerns. In their evaluation report of the GDPR, they say it is uncertain to what extent controllers and processors from third countries have complied with the Representation obligation. 

Apparently, there are cases where a representative has not been designated. Reason enough to dive a bit deeper into this topic and discuss the role of the representative and how to appoint one.  In this podcast, we address a variety of topics such as the complexities of current EU representatives established in the United Kingdom and what that means for companies who will need a UK representative in the EU or vice versa. Listen on your favorite podcast platform or stream the episode below. 

TrustArc’s 2020 Global Privacy Benchmarks Survey


TrustArc has launched our annual Global Privacy Benchmarks Survey, a new initiative to assess the impact of privacy requirements, and the challenges and opportunities companies face worldwide. We invite you to complete the survey so we can better understand privacy practices, challenges and opportunities across sectors and countries. Note that this survey is not assessing your privacy competency nor that of the company you work for. Rather, the survey gives you an opportunity to inform the future of privacy protection initiatives.

Our Global Privacy Benchmark survey is run by a third-party firm in order to ensure your responses remain anonymous and confidential, and to ensure that the results are unbiased. Any answers given to the survey will be provided back to us in aggregate form only. Individual responses will not be shared. 

The survey only takes 10-15 minutes to complete. Take TrustArc’s 2020 Global Privacy Benchmarks Survey here

We are looking forward to delivering impactful insights to the public to enhance privacy globally. 

Any questions regarding this survey and how the results will be used can be directed to Bruce Warren at bwarren@trustarc.com.