From Facebook Scandals to Prince Harry vs. Paparazzi: GDPR’s First Year
All this commotion was the result of the General Data Protection Regulation (GDPR) coming into force.
Tomorrow, May 25th, the GDPR turns one year old. But despite its young age, it has already made a significant impact on not just Europe, but the entire world.There has been a sharp increase in the demand for “data privacy” and “data protection” jobs, with Facebook alone having at least 40 “privacy” related job vacancies at one point. In January 2019, there were at least 95 thousand complaints made to Data Protection Authorities (DPAs) under the GDPR and by March, there were over 11 thousand data breach notifications issued in just the UK. Even the USA felt the impact, as both individuals and companies began to put pressure on the federal government to introduce GDPR like regulations.
Many articles have already been published on the all of GDPR's accomplishments and related statistics. So instead, we decided to commerate the day by putting together a list of some of the most memorable and bizzare GDPR related moments from the past year.
1. Google being fined by France’s DPA
In January, France made history in issuing a hefty 50 million euro fine to Google for its violations of the GDPR. More interesting, however, are the reasons for this fine. CNIL (the French authority) found that the information about how users’ data is processed, stored and used was confusing and difficult to find. Moreover, it concluded that users were not fully informed in how their data was being used in ad personalization and therefore, their consent could not be considered as validly obtained. This was a huge step in the ongoing fight for personal data protection.
2. Ireland deciding that correct spelling of names is not an absolute right
Although it was a much less publicized case than that of Google, the Irish DPA’s decision that individuals did not have an absolute right to demand that all their records reflect their correct name (with all accents included) was an interesting example of how the GDPR intersects with other rights. Producer Ciarán Ó Cofaigh had filed a complaint with the authority after discovering that a hospital and bank had his name spelled in their system without the fadas. In response, he was told that the companies’ systems were unable to support accents. The Irish DPA investigated and decided that companies and organizations would only have to make changes in certain circumstances. Perhaps, in the future, other countries will also look into the relationship between the GDPR and language.
3. Dutch surgeon winning the right to have his malpractice history removed
Most of us have found things online about ourselves that we did not particularly like. Some of us have even exercised our GDPR rights by asking that websites remove some of this information. A Dutch surgeon took it even further and went to court to remove negative information about her online. The surgeon had her name added to a blacklist after being suspended as result of medical negligence. After an appeal, she was once again allowed to practice. However, a search for her name online continued to bring up the blacklist as a top result. Eventually, a judge ruled in her favor because the harsh name of the blacklist implied she was unfit to practice, which contradicted the findings of the disciplinary panel. In other words, the court decided that doctors shouldn’t be judged by Google results on their ability to practice.
4.The Royal Family using the GDPR against paparazzi
Surprisingly, even the Royal Family has found use in the GDPR. After Splash News published various pictures of the home Prince Harry and his family were renting, Prince Harry accused them of violating his and his family’s privacy rights. Part of his argument appears to have been that publishing these photos (that included the house's address) violated their rights under the GDPR. The case was settled out of court, but this may still affect the way celebrities handle problems with the paparazzi in the future.
And then there is Facebook. Facebook has experienced privacy related scandals continuously throughout the year. For example, in March, Facebook revealed that they discovered 600 million users’ passwords were being stored in plaintext and available for employees to view since 2012. Less than a week later, 540 million additional user records were found to be publicly visible online.
The UK data regulator even managed to issue a £500,000 fine to Facebook for their involvement in the Cambridge Analytica scandal. However, due to the timing of events, this fine was issued under old regulations. But that doesn’t mean that Facebook is off the hook. There are 10 GDPR investigations involving Facebook in Ireland alone. Most likely, the company will soon face other investigations and fines.
Of course, there are many other interesting GDPR related cases and moments that happened in the past year. Since the legislation is still rather new, there are many nuances for DPA’s and courts to explore. Thus, this next year should bring us even more unique and impressive rulings and investigations.
Happy Birthday GDPR! Here’s to another year of fighting to regain control over our personal data and privacy rights.