Happy Birthday to the GDPR, the thing that made us want to unsubscribe from all email lists last year…

Background: The General Data Protection Regulation (GDPR) came into force on 25 May 2018, introducing a consistent framework for privacy and data protection of European citizens. For the first time, the rules applied to any companies serving European customers, including those established abroad; and strengthened users’ ability to provide consent to the processing of their own data. The rules were met with concern by the tech industry, which saw limitations to its advertising business model, and to the practice of customer profiling.

How it played out so far: Last week, the European Data Protection Board (EDPB) released figures on the number of cases handled by data protection authorities (DPAs). At the national level, more than 144,000 queries and complaints were moved, and more than 89,000 data breaches were communicated to DPAs (63% of these cases have been closed). The EDPB notes this is a remarkable increase compared to 2017, which confirms the rise in awareness about data protection rights among citizens. 446 cases were cross-border cases, and 205 of those led to so called ‘one-stop-shop’ procedures. Remarkably, a new Eurobarometer survey finds that 57% of respondents know about their DPA – a 20% increase compared to 2015.

Few very fines have actually been levied so far: This could be due to regulators’ willingness to allow companies to adjust to the new regime. Only one fine was significantly large (€50m issued in France against Google), whereas most other fines were €20k or less, even for relatively large companies.

What happens next: The Commission will take stock of one year of application of the GDPR in an event to be held on 13 June. As provided in the Regulation itself, the EC will publish a review on the application of the rules in 2020.