Tuesday 25 May marked 5 years of the General Data Protection Regulation (GDPR) and 3 years since its enforcement, and its impact on the world can be felt. The Regulation has elevated the awareness of privacy and data protection from boardrooms to living rooms and set a standard for countries all around the world. To date, more than 630 enforcement actions have been taken, and GDPR fines issued to global brands such as Google, Marriott International and British Airways have totaled €292 million.
Among the largest fines in 2020 were the $57 million fine France’s data protection authority, the Commission nationale de l’informatique et des libertés, issued against Google and the $41 million fine Hamburg, Germany’s DPA, the Commissioner for Data Protection and Freedom of Information, issued against clothing retailer H&M.
The GDPR was pretty much the “first comprehensive privacy law that had real teeth in it,” as it highlighted to companies the importance of privacy and data protection in the global legal landscape. Under the law, individuals and businesses rely on the same rights and data protection standards throughout the European Union, and violations can draw fines of up to 4% of annual global turnover.
Global effect of the GDPR
The GDPR also inspired legislation around the world, from Brazil’s General Law for the Protection of Personal Data to China’s proposed Personal Data Protection Law and India’s proposed Personal Data Protection Bill. In the United States of America, a federal privacy law has yet to be enacted, although 69 different state privacy laws have been introduced since the GDPR entered into effect, while California and Virginia have approved GDPR-inspired legislation.
In the same breath, there are over 32 African countries with data protection laws. Among these countries are Kenya and its neighbor Uganda, which both got Data Protection Acts in 2019.
The Kenyan data protection law is quite similar to the GDPR, from the principles of data protection to the rights of data subjects and the quasi-judicial nature of the Office of the Data Protection Commissioner and its enforcement powers. It is important to note that the Office of the Data Protection Commissioner is still being set up and is in the process of enacting Regulations which will assist it in executing its mandate.
Challenges with the GDPR
The GDPR was hailed as the silver bullet intended to fix the patchwork of privacy laws across Europe. However, its implementation has not been short of challenges.
A major challenge of the GDPR in the European Union is the divergent interpretations by member states, which are still able to develop their own rules. Since the many supervisory authorities differ in their interpretations of the regulation, many multinational companies are reportedly struggling with compliance. Many were hoping that they would be dealing with just a single data protection authority, instead of 27.
The other challenge is that the regulation’s “broad” definition of a personal data breach and its 72-hour notification deadline have been difficult for some companies. This has resulted in companies notifying very early, while data protection authorities in Europe have been complaining that they get too many notifications where it’s not really necessary.
With the requirements of adequacy on third countries imposed by the GDPR, it would be ideal if existing principles of international law applied to it. To date, no African nation has received adequacy despite numerous attempts. Some have even ratified Convention 108 and 108+. Thankfully, there are other ways in which data may be transferred outside Europe, such as the use of standard contractual clauses known as “binding corporate rules”. These are codes of conduct, which have been declared by the European Commission as being generally applicable, or by certification of the data processing procedure.