One year after the GDPR became enforceable, it is clear that it has had impressive repercussions around the globe. It is difficult to identify any other E.U. regulation that has generated so much concern and attention outside E.U. borders. Multinational organizations and their boards, whether located within the E.U., the U.S. or in Asia, have all taken the GDPR requirements very seriously and invested time and resources to comply with them. GDPR compliance may affect how Europe can compete in the global AI race, however, and clearer regulatory guidelines are needed.
See " Regulating AI: U.S., E.U. and Industry Laws and Guidance" (Oct. 17, 2018).
GDPR's Positive Impact
There is no doubt that the extraterritoriality of the GDPR has been an incredible and unexpected success. This is illustrated by the fact that many organizations operating from outside of the E.U. have realized and acknowledged that the provisions of the GDPR are applicable to them if they satisfy one of the conditions set out in its Article 3 (i.e., if they process personal data related to the offering of goods or services to individuals in the E.U. or if they monitor individuals' behavior in the E.U.).
The other factor that contributed to the GDPR's exposure abroad was undoubtedly the level of potential sanctions to which organizations were exposed. Indeed, the risk of being sanctioned up to 20 million euros or 4 percent of the worldwide annual turnover, whichever is higher, has constituted a real game-changer. This change needs to be confirmed with GDPR enforcement actions, although the French data protection authority seems to have already set the tone by imposing the highest administrative fine under the GDPR to date against Google LLC, with a sanction amounting to 50 million euros on January 21, 2019. This amount is still far from the 4 percent of the worldwide annual turnover but represents an increase of almost 5,000 percent of the previous fines in the E.U. under the former privacy legal framework (Directive EC 95/46). This also demonstrates that the E.U. can adopt the same strategy as the U.S. when applying and enforcing its regulations against overseas companies.
Most importantly, the GDPR has become a global inspiration for lawmakers that have adopted or are considering drawing up similar privacy laws in Brazil, India, China, California, etc. Equally key, the GDPR has led companies to agree to new terms with their clients, wherein they commit to protecting their clients' personal data and acting in a more transparent manner.
Another success to add to the GDPR's credit is the rights newly granted to individuals, which has generated greater interest in the consumer and privacy rights sphere. The increasing number of complaints and legal actions that were prompted by the regulation illustrates that trend.
See CSLR's three-part series analyzing early GDPR enforcement: " Portugal and Germany" (Jan. 23, 2019); " U.K. and Austria" (Jan. 30, 2019), " France " (Feb. 6, 2019).
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
