GDPR turns five: the EU laws were hailed as a turning point for privacy rights. Have they lived up to billing?

Published date25 May 2023
AuthorCiara O'Brien
Publication titleIrish Times: Web Edition Articles (Dublin, Ireland)
The new laws, which came into force on May 25th, 2018, enforced strict data management and privacy protection requirements for organisations processing the data of EU citizens, regardless of their location, and data processed in the EU as a whole

The headline fines for breaching the rules seemed enormous: up to 4 per cent of global turnover, rather than profit, for the serious offenders. And as companies scrambled to make sure their businesses were compliant ahead of the deadline, there was general optimism that this would, finally, get companies in line when it came to processing private data.

Five years on, how has that gone? While GDPR has certainly focused the attention of companies and entities processing data, the work has been slow. If you were to borrow an overused political slogan to sum things up, the consensus would be: a lot done, a lot more to do.

At first, it was a trickle. One fine a month, maybe two, as the new regulations bedded in and companies began to come to the attention of authorities under GDPR.

The fines are coming faster these days. On one hand, you could look at the growing number and argue that as a deterrent, the financial penalties aren't really working. On the other though, you could say it indicates a growing awareness of rights and responsibilities under the data protection rules.

There is a concern that the DPC [Data Protection Commissioner] has been quite slow. It has been quite cautious and has been quite risk averse in the approach that it's taking. And I think that is a fair criticism

TJ McIntyre, chairman of Digital Rights Ireland

To date, more than 1,600 fines have been imposed by data protection watchdogs across the EU. Spain is top of the list in terms of sheer numbers, with almost 650 fines to date. At fewer than 30 fines, Ireland doesn't even crack the top 10.

That may be seen as unusual, given the number of big tech companies that call Ireland home, and therefore fall under the one-stop shop mechanism, but the size and scale of the investigations are also a factor.

"There is a concern that the DPC [Data Protection Commissioner] has been quite slow. It has been quite cautious and has been quite risk averse in the approach that it's taking. And I think that is a fair criticism," says TJ McIntyre, chairman of Digital Rights Ireland.

The five-year anniversary of the regulations also coincided this week with the news of the largest fine levied under GDPR: a €1.2 billion penalty against Meta Ireland over Facebook...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT