GDPR Five Years on: How Regulation Has Defined Innovation

It has been five years since the EU’s General Data Protect Regulation (GDPR) went into application, but the law still remains a regulatory benchmark for the global digital landscape. 

The GDPR set a new, global standard for data protection, establishing the first-ever comprehensive framework of rules for the processing of personal data. 

In the years since its passage, over 100 regional privacy standards significantly close to the GDPR have been adopted outside of the EU. 

This is in addition to the 14 countries that have obtained adequacy decisions from the European Commission because they provide a level of protection for personal data that is equivalent to the level of protection in the EU.

Meanwhile, a total of 1446 fines have been dished out totalling €3 billion, with each fine varying in size and addressing different violations. 

It was just this week that the Irish Data Protection Commission (DPC) slapped Facebook owner Meta with a whopping €1.2 billion GDPR fine due to its transfer of EU user data to the US. 

Meanwhile, earlier in May, the Mobile World Congress (MWG) was slammed with a €200,000 fine by GDPR after they had collected biometric data from show attendees. 

According to Spain’s data protection watchdog, organisers failed to demonstrate due diligence before collecting biometric data, infringing Article 35 of GDPR which deals with requirements for carrying out a data protection impact assessment.

Transforming the regulatory landscape

While it’s easy to think that the companies who have received fines have maliciously mishandled data, the reality is that GDPR compliance is challenging and complex.

Today, privacy professionals are experiencing a new era for the law, with more consequential enforcement, court rulings and privacy legislative initiatives than ever before. 

As Michael Covington, VP of Strategy at Jamf notes: “The threat of substantial fines – including the almost €3 billion that has been levied since the regulation went into effect – has forced companies to take privacy and security more seriously.”

To read more about GDPR, visit our dedicated Business Continuity Page. 

“[Meanwhile] for individuals, GDPR is making a difference in how their personal data is safeguarded. And for CISOs and data protection officers, the work continues to ensure organisations achieve regulatory compliance in a way that minimises disruption to the core business while ensuring employees, customers, and partners have confidence in how their personal data is being managed.”

The Future of Innovation depends on compliance 

GDPR is also applicable to new technologies and disciplines, such as artificial intelligence governance efforts envisaged by the draft EU AI Act.

This has had a tremendous impact on how organisations develop new technologies such as biometrics and AI and is set to define the future of innovation. 

In the EU, scraping data points from sites can be a breach of GDPR laws, as well as the ePrivacy directive, and the EU Charter of fundamental rights. 

The method that generative AI developers like OpenAI use to collect the data their chatbots are based on is yet to be publicly disclosed, but experts warn the practice of simply trawling the internet for training data alone goes against legal regulations.

With the rise of biometrics and AI, the focus on data protection and privacy has never been more important.

Eduardo Azanza, CEO at Veridas

A recent example of this was Clearview AI, which used images scraped from the web to build its facial recognition software and was subsequently slapped with enforcement notices by data protection regulators at the end of last year. 

Other new technologies such as biometrics have also been challenged by GDPR laws on multiple occasions. As Eduardo Azanza, CEO at Veridas notes: “GDPR has revolutionised data privacy and protection and now, with the introduction of biometrics, the regulation takes on even more significance as it celebrated its 5th anniversary.”

 “As defined by Article 4 of GDPR, biometric data is a form of personal data – therefore, businesses must carefully and securely manage it.

“Trust in biometric solutions must be based on transparency and compliance with legal, technical, and ethical standards. Only by doing this, can we successfully transition to a world of biometrics that protects our fundamental right to data privacy.”