Two months after the General Data Protection Regulation (GDPR) came into effect, companies within and beyond the European Economic Area (EEA) are still grappling with how to comply with literal interpretations of the regulation's stringent data privacy requirements. Since 2016, consultancies and regulatory bodies alike have bombarded companies with a catalogue of data privacy "best practices," but, as it stands, GDPR's legal language remains opaque. Without a body of precedent-setting cases, it is unclear how companies can achieve functional GDPR compliance, and to what degree and under what circumstances the penalties the regulation sets out will actually be imposed.
The written guidelines for GDPR fines are listed in the appendix.
Conditions for GDPR compliance, comprehensive as they may be, do not definitively denote how EU officials will impose penalties in practice. To the contrary, the regulation states that a host of other qualitative considerations (including intentionality, degree of severity, and company cooperativeness) will also weigh into deliberations. In other words, context matters, and future fines and sanctions will not be distributed uniformly. Therefore, firms with lagging data privacy and security frameworks should not interpret the current state of ‘enforcement limbo’ as the norm, because regulatory uncertainty will not last indefinitely.
To better understand the current state of enforcement under GDPR, Malk researched current data privacy and security trends in order to estimate a timeline for enforcement decisions and to assess how stringently companies should expect the regulation to be enforced.
Through Malk's assessment of the contemporary data privacy and security landscape, it is possible to approximate when the first GDPR enforcement decisions will be made. Activist organizations filed the first GDPR complaints against tech giants Google and Facebook on May 25th, GDPR's implementation day, and in the ensuing months member-state Data Protection Authorities (DPAs) received thousands of data privacy complaints. A 2012 internal audit of the Information Commissioner's Office (the ICO is the UK's DPA), conducted roughly one year after the organization was given the power to impose monetary penalties, found that its investigations lasted anywhere between 119 and 357 calendar days, an admittedly broad range. While the ICO's capacity undoubtedly differs from that of other member-state DPAs, the entity's reputation as an active and generally efficient regulator makes it a reasonable proxy for the length of ongoing GDPR investigations. Times will vary with each case's severity and relative complexity, but applying the ICO range to the May 25th complaints, Malk tentatively predicts that the first GDPR judgments will be released between September 2018 and May 2019.
Malk expects that GDPR will be enforced to its fullest extent, especially in high-profile cases involving repeat offenders, given the turbulent contemporary political climate surrounding data privacy and security. To substantiate this claim, Malk points to the evolution of Foreign Corrupt Practices Act (FCPA) enforcement. The FCPA was passed in 1977, but the DOJ and SEC did not enforce the act to its maximum capacity until political and public opinion forced them to. Between 2007 and 2009, the two agencies brought almost twice as many cases as they had in the first 28 years following the statute's passage. This increase can be attributed to several factors: US v. Kay (2004), a federal circuit court decision concerning payments made to Haitian officials, provided a legal basis for stricter FCPA enforcement; the 2008 financial crisis galvanized public awareness of private sector corruption; and a series of international multilateral agreements further validated the act's principles. Data privacy and security is as controversial a topic today as corruption was in the late 2000s, which will further pressure DPAs to crack down on GDPR offenders. Recent events, including the Facebook-Cambridge Analytica scandal over data harvested ahead of the 2016 US presidential election, have heightened public awareness of data privacy rights, protections, and abuses. As a result, advocacy groups, industry watchdogs, and private citizens alike have rushed to file GDPR complaints; Max Schrems, an Austrian activist, has filed multiple complaints against Facebook and its subsidiaries Instagram and WhatsApp.
Additionally, regulatory bodies have not pulled any punches when issuing monetary sanctions. The ICO stated that it intends to impose the maximum possible penalty on Facebook and has brought criminal charges against SCL Elections, Cambridge Analytica's parent company. Those sanctions were constrained by the penalty cap under the UK Data Protection Act 1998 (maximum penalty: £500,000), whereas the ceiling under GDPR is the greater of €20 million or 4% of total worldwide annual turnover for the preceding financial year, a fixed cap roughly 40 times higher and, for a company of Facebook's size, a turnover-based cap far higher still. If an EU citizen's data was collected and processed in the alleged events of the Facebook-Cambridge Analytica scandal, Facebook could have been found in violation of Articles 5 and 6 of GDPR (the basic processing principles and the lawfulness of processing), which would have exposed it to the maximum penalty of up to 4% of its annual revenue, a $1.1 billion sum by Malk's calculation.
Malk's Facebook case study demonstrates that, for companies subject to GDPR, data privacy and security pose a greater material risk than ever before. Malk predicts that precedent-setting cases will close by Q3 2019 and believes that penalties will likely be strictly enforced due to pressure on regulatory bodies to protect data subject rights, especially in the wake of negative public responses to recent data privacy scandals. Until then, private equity GPs should ensure that portfolio company management teams implement best practices developed by industry experts. Sound data privacy and security practices make for resilient companies that proactively mitigate risk and are well equipped to handle unforeseen negative circumstances. Such practices indicate management competency, which signals to customers and prospective business partners that a company is trustworthy, both as a data steward and as a prospective investment, respectively. Malk believes that, although GDPR compliance is difficult to digest and navigate in its entirety, it also functions as a value creation opportunity. Minimizing exposure to GDPR-related risk can prevent monetary penalties, generate positive PR, and ultimately establish portfolio companies as leaders within their industries.
This article originally appeared in Malk’s ESG in Private Equity Newsletter, sent out on September 20th, 2018. You can sign up for the quarterly newsletter here.
Appendix: GDPR Articles