It is now over six weeks since the EU General Data Protection Regulation went into effect on May 25, 2018. We are aware of various reports to confirm that GDPR has already had the wide-ranging global impact it was expected to have. Multiple U.S.-based news sites, such as the Los Angeles Times, continue to restrict access to EU users with the message that its “website is currently unavailable in most European countries.” Furthermore, we are aware of the high profile complaints already filed by a French NGO regarding the practices of big tech companies.
But what about complaints? Are consumers rushing to raise data protection complaints with their local data protection authorities (“DPAs”)? Data obtained by IAPP (the International Association of Privacy Professionals) suggests a variance of results, with some DPAs failing to respond. For those who did, the reports varied significantly with Sweden reporting as few as 2 complaints in the month since GDPR came into effect, and the highest numbers of complaints being reported in the Republic of Ireland, France, and the Czech Republic. The UK and Germany did not provide responses to the information request.
The next question to consider is when the first enforcement actions under GDPR are to be expected. As we know, the DPAs have a statutory duty to investigate complaints made under the previous EU legislation. Many DPAs are therefore necessarily working through the back log of existing complaints. Whilst there are no official reports on when the first enforcement action under GDPR will take place, it is estimated, based on previous data on the DPAs response time to incidents, that it will take until the end of this year or the beginning of 2019 before GDPR enforcement action is being reported.
We will continue to keep you informed about developments in the law, practice and actions under GDPR.